harden(logout): enforce POST+CSRF and remove GET logout triggers
This commit is contained in:
@@ -13,6 +13,6 @@ $first_name = $user['first_name'] ?? '';
|
||||
Buffer::set('title', t('Admin'));
|
||||
|
||||
$breadcrumbs = [
|
||||
['label' => t('Login'), 'path' => 'logout'],
|
||||
['label' => t('Login'), 'path' => 'login'],
|
||||
['label' => t('Home')],
|
||||
];
|
||||
|
||||
@@ -1,4 +1,11 @@
|
||||
<?php
|
||||
|
||||
if (!actionRequirePost('login')) {
|
||||
return;
|
||||
}
|
||||
|
||||
if (!actionRequireCsrf('login', 'login', 'logout_csrf')) {
|
||||
return;
|
||||
}
|
||||
|
||||
app(\MintyPHP\Service\Auth\AuthService::class)->logoutAndRedirect('login');
|
||||
|
||||
Reference in New Issue
Block a user