feature #49306 [Security] Add logout configuration for Clear-Site-Data header (maxbeckers)

fabpot · fabpot · commit 296d05cd07cd · 2023-03-10T15:00:33.000+01:00
This PR was merged into the 6.3 branch. Discussion ---------- [Security] Add logout configuration for Clear-Site-Data header | Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | Fix #49266 | License | MIT | Doc PR | symfony/symfony-docs#17900 Enhance security by issuing a Clear-Site-Data header on logout. * [Clear-Site-Data](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data#sign_out_of_a_web_site) Documentation * Example: https://www.w3.org/TR/clear-site-data/#example-signout Default config is off. Config example for all: ```yaml security: # ... firewalls: main: # ... logout: path: app_logout clear_site_data: - "*" ``` Instead of all with the ``*`` it's also possible to add a set of ``cache``, ``cookies``, ``storage``, ``executionContexts``. For example without cookies it will look like this: ```yaml security: # ... firewalls: main: # ... logout: path: app_logout clear_site_data: - cache - storage - executionContexts ``` **TODO** - [x] Doc PR symfony/symfony-docs#17900 Commits ------- f9e76c1e47 [Security] Add logout configuration for Clear-Site-Data header
diff --git a/EventListener/ClearSiteDataLogoutListener.php b/EventListener/ClearSiteDataLogoutListener.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+
+/**
+ * Handler for Clear-Site-Data header during logout.
+ *
+ * @author Max Beckers <beckers.maximilian@gmail.com>
+ *
+ * @final
+ */
+class ClearSiteDataLogoutListener implements EventSubscriberInterface
+{
+    private const HEADER_NAME = 'Clear-Site-Data';
+
+    /**
+     * @param string[] $cookieValue The value for the Clear-Site-Data header.
+     *                              Can be '*' or a subset of 'cache', 'cookies', 'storage', 'executionContexts'.
+     */
+    public function __construct(private readonly array $cookieValue)
+    {
+    }
+
+    public function onLogout(LogoutEvent $event): void
+    {
+        if (!$event->getResponse()?->headers->has(static::HEADER_NAME)) {
+            $event->getResponse()->headers->set(static::HEADER_NAME, implode(', ', array_map(fn ($v) => '"'.$v.'"', $this->cookieValue)));
+        }
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            LogoutEvent::class => 'onLogout',
+        ];
+    }
+}
diff --git a/Tests/EventListener/ClearSiteDataLogoutListenerTest.php b/Tests/EventListener/ClearSiteDataLogoutListenerTest.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Tests\EventListener;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\EventListener\ClearSiteDataLogoutListener;
+
+class ClearSiteDataLogoutListenerTest extends TestCase
+{
+    /**
+     * @dataProvider provideClearSiteDataConfig
+     */
+    public function testLogout(array $clearSiteDataConfig, string $expectedHeader)
+    {
+        $response = new Response();
+        $event = new LogoutEvent(new Request(), null);
+        $event->setResponse($response);
+
+        $listener = new ClearSiteDataLogoutListener($clearSiteDataConfig);
+
+        $headerCountBefore = $response->headers->count();
+
+        $listener->onLogout($event);
+
+        $this->assertEquals(++$headerCountBefore, $response->headers->count());
+
+        $this->assertNotNull($response->headers->get('Clear-Site-Data'));
+        $this->assertEquals($expectedHeader, $response->headers->get('Clear-Site-Data'));
+    }
+
+    public static function provideClearSiteDataConfig(): iterable
+    {
+        yield [['*'], '"*"'];
+        yield [['cache', 'cookies', 'storage', 'executionContexts'], '"cache", "cookies", "storage", "executionContexts"'];
+    }
+}
