Skip to content

Allow caching of the logout route #13757

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rullzer merged 1 commit into from
Jan 23, 2019
Merged

Allow caching of the logout route #13757

rullzer merged 1 commit into from
Jan 23, 2019

Conversation

@rullzer
Copy link
Member

@rullzer rullzer commented Jan 23, 2019

It is a bit more general. If the only argument is the requesttoken. So a
get request will work with the CSRF protection. The route will be
generated without the parameters and the request token will be added at
the end.

Before the route could not properly be cached as the request token was
always changing. However now it can be cached saving precious cpu
cycles.

Noticed while looking at #13712. While #13712 is a general improvement for route generation this fixes the non caching of this specific route.

@rullzer rullzer added enhancement 3. to review Waiting for reviews labels Jan 23, 2019
@rullzer rullzer added this to the Nextcloud 16 milestone Jan 23, 2019
@MorrisJobke
Copy link
Member

MorrisJobke commented Jan 23, 2019

I really don't like that this is handled in there. I would handle it directly in the logout URL handling - just request the URL without any parameter and manually add it then. This reduces unnecessary complexity in the reused method generate() and makes it easier to understand, because no magic like this is handled.

@rullzer
Copy link
Member Author

rullzer commented Jan 23, 2019

Then somebody with JS magic skills needs to tackle it

@MorrisJobke
Copy link
Member

MorrisJobke commented Jan 23, 2019

Then somebody with JS magic skills needs to tackle it

Why? It's PHP as well - I would just do it in here:

server/lib/private/legacy/user.php

Lines 266 to 280 in bb86a8c

public static function getLogoutUrl(\OCP\IURLGenerator $urlGenerator) {
$backend = self::findFirstActiveUsedBackend();
if ($backend) {
return $backend->getLogoutUrl();
}
$logoutUrl = $urlGenerator->linkToRouteAbsolute(
'core.login.logout',
[
'requesttoken' => \OCP\Util::callRegister(),
]
);
return $logoutUrl;
}

😉

@rullzer
Copy link
Member Author

rullzer commented Jan 23, 2019

Aaaaah right ok makes sense. Let me do that then...

@rullzer rullzer force-pushed the enh/also_cache_logout_route branch from 10a5d38 to 84fefb3 Compare January 23, 2019 09:22
nickvergessen
nickvergessen approved these changes Jan 23, 2019
View reviewed changes
Copy link
Member

@nickvergessen nickvergessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🙈

ChristophWurst
ChristophWurst approved these changes Jan 23, 2019
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 🐘 🙈

@MorrisJobke
Copy link
Member

MorrisJobke commented Jan 23, 2019

Still failing:

--- Expected
+++ Actual
@@ @@
-        'href' => 'https://example.com/logout'
+        'href' => 'https://example.com/logout?requesttoken=Wq1opm+k0/NnQAydww7painntbJdUuM6gyTGbzqAOUk=:NccK4zbBgdxWcViksE2QK1+OgdksEYBW1XCVNXTZUR4='

@rullzer
Request plain logout url
ebd9f30 
By requesting the plain logout url we allow it to be properly cached by
the caching router. We just add the requesttoken manually.

Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer rullzer force-pushed the enh/also_cache_logout_route branch from 3e9d93c to ebd9f30 Compare January 23, 2019 13:06
@rullzer rullzer merged commit 68c0fd3 into master Jan 23, 2019
@rullzer rullzer deleted the enh/also_cache_logout_route branch January 23, 2019 14:32
@danxuliu
Copy link
Member

danxuliu commented Jan 23, 2019

The acceptance test failures seem legit; for me, logging out now (sometimes) results in an error page with

Access forbidden
CSRF check failed

@MorrisJobke
Copy link
Member

MorrisJobke commented Jan 23, 2019

😢

@rullzer
Copy link
Member Author

rullzer commented Jan 23, 2019

The acceptance test failures seem legit; for me, logging out now (sometimes) results in an error page with

Access forbidden
CSRF check failed

Aaaah sometimes yes... OK I know what is going on... fix incomming

rullzer added a commit that referenced this pull request Jan 23, 2019
@rullzer
Urlencode the requesttoken
e3de4ed 
Followup of #13757

Signed-off-by: Roeland Jago Douma <[email protected]>
This was referenced Jan 23, 2019
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickvergessen nickvergessen nickvergessen approved these changes

@MorrisJobke MorrisJobke MorrisJobke approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@juliusknorr juliusknorr juliusknorr approved these changes

Assignees

No one assigned

Labels

3. to review Waiting for reviews enhancement

Projects

None yet

Milestone

Nextcloud 16

Development

Successfully merging this pull request may close these issues.

7 participants

@rullzer @MorrisJobke @danxuliu @nickvergessen @ChristophWurst @juliusknorr