Use Security::logout() instead of redirecting to the logout url

Author: GromNaN

config/services.yaml

@@ -29,6 +29,3 @@ services:
             - '../src/DependencyInjection/'
             - '../src/Entity/'
             - '../src/Kernel.php'
-
-    # this is needed because Symfony doesn't make the 'security.logout_url_generator' service autowirable
-    Symfony\Component\Security\Http\Logout\LogoutUrlGenerator: '@security.logout_url_generator'

src/Controller/UserController.php

@@ -16,12 +16,12 @@
 use App\Form\UserType;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
-use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 
 /**
  * Controller used to manage current user. The #[CurrentUser] attribute
@@ -62,15 +62,17 @@ public function changePassword(
         #[CurrentUser] User $user,
         Request $request,
         EntityManagerInterface $entityManager,
-        LogoutUrlGenerator $logoutUrlGenerator,
+        Security $security,
     ): Response {
         $form = $this->createForm(ChangePasswordType::class, $user);
         $form->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
             $entityManager->flush();
 
-            return $this->redirect($logoutUrlGenerator->getLogoutPath());
+            // The logout method has a protection against CSRF attacks, it's disabled here
+            // because the form already has a CSRF token validated.
+            return $security->logout(false);
         }
 
         return $this->render('user/change_password.html.twig', [

tests/Controller/UserControllerTest.php

@@ -103,9 +103,9 @@ public function testChangePassword(): void
         ]);
 
         $this->assertResponseRedirects();
-        $this->assertStringStartsWith(
-            '/logout',
-            $client->getResponse()->headers->get('Location') ?? '',
+        $this->assertResponseRedirects(
+            '/',
+            Response::HTTP_FOUND,
             'Changing password logout the user.'
         );
     }