Remove logout path condition for Symfony versions < 7

Author: scheb

src/bundle/Resources/config/security.php

@@ -51,8 +51,6 @@
             ->args([
                 service('security.access_map'),
                 service('security.access.decision_manager'),
-                service('security.http_utils'),
-                service('security.logout_url_generator'),
             ])
 
         ->set('scheb_two_factor.security.listener.token_created', AuthenticationTokenListener::class)

src/bundle/Security/Authorization/TwoFactorAccessDecider.php

@@ -23,8 +23,6 @@ class TwoFactorAccessDecider
     public function __construct(
         private readonly AccessMapInterface $accessMap,
         private readonly AccessDecisionManagerInterface $accessDecisionManager,
-        private readonly HttpUtils $httpUtils,
-        private readonly LogoutUrlGenerator $logoutUrlGenerator,
     ) {
     }
 
@@ -48,16 +46,7 @@ public function isAccessible(Request $request, TokenInterface $token): bool
             return true;
         }
 
-        // Compatibility for Symfony < 7.0
-        // This block of code ensures requests to the logout route can pass.
-        // The bundle's TwoFactorAccessListener prioritized after the LogoutListener. Though the Firewall class is still
-        // sorting the LogoutListener in programmatically. When a lazy firewall is used, the LogoutListener is executed
-        // last, because all other listeners are encapsulated into LazyFirewallContext, which is invoked first.
-        $logoutPath = $this->removeQueryParameters(
-            $this->makeRelativeToBaseUrl($this->logoutUrlGenerator->getLogoutPath(), $request),
-        );
-
-        return $this->httpUtils->checkRequestPath($request, $logoutPath); // Let the logout route pass
+        return false;
     }
 
     private function isPubliclyAccessAttribute(array|null $attributes): bool
@@ -69,29 +58,4 @@ private function isPubliclyAccessAttribute(array|null $attributes): bool
 
         return [AuthenticatedVoter::PUBLIC_ACCESS] === $attributes;
     }
-
-    private function makeRelativeToBaseUrl(string $logoutPath, Request $request): string
-    {
-        $baseUrl = $request->getBaseUrl();
-        if (0 === strlen($baseUrl)) {
-            return $logoutPath;
-        }
-
-        $pathInfo = substr($logoutPath, strlen($baseUrl));
-        if ('' === $pathInfo) {
-            return '/';
-        }
-
-        return $pathInfo;
-    }
-
-    private function removeQueryParameters(string $path): string
-    {
-        $queryPos = strpos($path, '?');
-        if (false !== $queryPos) {
-            $path = substr($path, 0, $queryPos);
-        }
-
-        return $path;
-    }
 }

tests/Security/Authorization/TwoFactorAccessDeciderTest.php

@@ -15,23 +15,16 @@
 use Symfony\Component\Security\Core\Authorization\AccessDecisionManagerInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Http\AccessMapInterface;
-use Symfony\Component\Security\Http\HttpUtils;
-use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 use function defined;
 
 class TwoFactorAccessDeciderTest extends TestCase
 {
-    private const BASE_URL = '/app_dev.php';
-    private const LOGOUT_PATH = '/logout';
-    private const LOGOUT_PATH_WITH_BASE_URL = self::BASE_URL.self::LOGOUT_PATH;
     private const ACCESS_MAP_ATTRIBUTES = [TwoFactorInProgressVoter::IS_AUTHENTICATED_2FA_IN_PROGRESS];
 
     private MockObject|Request $request;
     private MockObject|TokenInterface $token;
     private MockObject|AccessMapInterface $accessMap;
     private MockObject|AccessDecisionManagerInterface $accessDecisionManager;
-    private MockObject|HttpUtils $httpUtils;
-    private MockObject|LogoutUrlGenerator $logoutUrlGenerator;
     private TwoFactorAccessDecider $accessDecider;
 
     /** @var string[]|null */
@@ -43,9 +36,7 @@ protected function setUp(): void
         $this->token = $this->createMock(TokenInterface::class);
         $this->accessMap = $this->createMock(AccessMapInterface::class);
         $this->accessDecisionManager = $this->createMock(AccessDecisionManagerInterface::class);
-        $this->httpUtils = $this->createMock(HttpUtils::class);
-        $this->logoutUrlGenerator = $this->createMock(LogoutUrlGenerator::class);
-        $this->accessDecider = new TwoFactorAccessDecider($this->accessMap, $this->accessDecisionManager, $this->httpUtils, $this->logoutUrlGenerator);
+        $this->accessDecider = new TwoFactorAccessDecider($this->accessMap, $this->accessDecisionManager);
     }
 
     private function stubAccessMapReturnsAttributes(array|null $attributes): void
@@ -58,14 +49,6 @@ private function stubAccessMapReturnsAttributes(array|null $attributes): void
             ->willReturn([$attributes, 'https']);
     }
 
-    private function whenGeneratedLogoutPath(string $generatedLogoutPath): void
-    {
-        $this->logoutUrlGenerator
-            ->expects($this->any())
-            ->method('getLogoutPath')
-            ->willReturn($generatedLogoutPath);
-    }
-
     private function whenRequestBaseUrl(string $baseUrl): void
     {
         $this->request
@@ -83,15 +66,6 @@ private function whenPathAccess(bool $accessGranted): void
             ->willReturn($accessGranted);
     }
 
-    private function whenIsLogoutPath(bool $accessGranted): void
-    {
-        $this->httpUtils
-            ->expects($this->any())
-            ->method('checkRequestPath')
-            ->with($this->request, self::LOGOUT_PATH)
-            ->willReturn($accessGranted);
-    }
-
     /**
      * @return iterable<string>
      */
@@ -134,7 +108,6 @@ public function isAccessible_pathAccessGranted_returnTrue(): void
     {
         $this->stubAccessMapReturnsAttributes(self::ACCESS_MAP_ATTRIBUTES);
         $this->whenPathAccess(true);
-        $this->whenIsLogoutPath(false);
 
         $returnValue = $this->accessDecider->isAccessible($this->request, $this->token);
         $this->assertTrue($returnValue);
@@ -146,35 +119,7 @@ public function isAccessible_isPubliclyAccessible_returnTrue(string $publicAcces
     {
         $this->stubAccessMapReturnsAttributes([$publicAccessAttribute]);
         $this->whenRequestBaseUrl('');
-        $this->whenGeneratedLogoutPath(self::LOGOUT_PATH);
-        $this->whenPathAccess(false);
-        $this->whenIsLogoutPath(false);
-
-        $returnValue = $this->accessDecider->isAccessible($this->request, $this->token);
-        $this->assertTrue($returnValue);
-    }
-
-    #[Test]
-    public function isAccessible_isLogoutPathNoBasePath_returnTrue(): void
-    {
-        $this->stubAccessMapReturnsAttributes(self::ACCESS_MAP_ATTRIBUTES);
-        $this->whenRequestBaseUrl('');
-        $this->whenGeneratedLogoutPath(self::LOGOUT_PATH);
-        $this->whenPathAccess(false);
-        $this->whenIsLogoutPath(true);
-
-        $returnValue = $this->accessDecider->isAccessible($this->request, $this->token);
-        $this->assertTrue($returnValue);
-    }
-
-    #[Test]
-    public function isAccessible_isLogoutPathWithBasePath_returnTrue(): void
-    {
-        $this->stubAccessMapReturnsAttributes(self::ACCESS_MAP_ATTRIBUTES);
-        $this->whenRequestBaseUrl(self::BASE_URL);
-        $this->whenGeneratedLogoutPath(self::LOGOUT_PATH_WITH_BASE_URL);
         $this->whenPathAccess(false);
-        $this->whenIsLogoutPath(true);
 
         $returnValue = $this->accessDecider->isAccessible($this->request, $this->token);
         $this->assertTrue($returnValue);
@@ -185,9 +130,7 @@ public function isAccessible_isNotAccessible_returnFalse(): void
     {
         $this->stubAccessMapReturnsAttributes(self::ACCESS_MAP_ATTRIBUTES);
         $this->whenRequestBaseUrl('');
-        $this->whenGeneratedLogoutPath(self::LOGOUT_PATH);
         $this->whenPathAccess(false);
-        $this->whenIsLogoutPath(false);
 
         $returnValue = $this->accessDecider->isAccessible($this->request, $this->token);
         $this->assertFalse($returnValue);