harden(logout): enforce POST+CSRF and remove GET logout triggers

This commit is contained in:
2026-04-25 23:35:03 +02:00
parent a24dc0c235
commit 3207d71244
6 changed files with 82 additions and 9 deletions

View File

@@ -13,6 +13,6 @@ $first_name = $user['first_name'] ?? '';
Buffer::set('title', t('Admin'));
$breadcrumbs = [
['label' => t('Login'), 'path' => 'logout'],
['label' => t('Login'), 'path' => 'login'],
['label' => t('Home')],
];

View File

@@ -1,4 +1,11 @@
<?php
if (!actionRequirePost('login')) {
return;
}
if (!actionRequireCsrf('login', 'login', 'logout_csrf')) {
return;
}
app(\MintyPHP\Service\Auth\AuthService::class)->logoutAndRedirect('login');