jhedstrom / drupalextension

An integration layer between Behat, Mink Extension, and Drupal.
GNU General Public License v2.0
209 stars 192 forks

Bug in DrupalAuthenticationManager::logout due to logout confirmation form in 10.3 #680

Open tame4tex opened 1 month ago

tame4tex commented 1 month ago

Problem

In Drupal 10.3 a new confirm logout page was introduced, so any user visiting the /user/logout page without a CSRF token will first get a confirmation page. See https://www.drupal.org/project/drupal/issues/144538.

Therefore DrupalAuthenticationManager::logout no longer works in 10.3+ because the confirmation form needs to be submitted in order for the user to be completely logged out.

I am assuming this bug was not picked up in the backend_login.feature testing because it is using fast logout rather than visiting the logout URL, and \FeatureContext::assertBackendLoggedOut() is only checking the current user, which would pass because of the code $this->userManager->setCurrentUser(false); in DrupalAuthenticationManager::logout.

Steps to Replicate

Add the following step definition to ensure fast logout is not used:

  /**
   * @Then I log out via the logout url
   */
  public function logoutViaUrl()
  {
    $this->logout(false);
  }

Add the following test:

  @api
  Scenario: Test log out via url with no token

    Given I am logged in as a user with the "authenticated" role
    When I log out via the logout url
    And I am at "user/login"
    Then I fill in "name" with "foo"

The final step will fail on a D10.3 site because the user is not logged out: the user login page displays the user's account page rather than the login form.

Proposed Resolution
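Added example (not part of tame4tex's report above and not code from the drupalextension project): a Behat context showing one way a URL-based logout can cope with the Drupal 10.3 confirmation form, plus a check that asks the site whether the session really ended instead of trusting the user manager's bookkeeping. It assumes a context class extending `RawDrupalContext` (so `getSession()`, `locatePath()` and `getUserManager()` are available), that the confirmation form's HTML id is `user-logout-confirm`, and that its submit button is labelled "Log out"; verify those two selectors against your own site.

```php
<?php

// Added example, not code from the drupalextension project or from the issue.
// Assumptions (check them against your site): the logout confirmation form
// rendered by Drupal >= 10.3 has the HTML id "user-logout-confirm" and a
// submit button labelled "Log out".

use Drupal\DrupalExtension\Context\RawDrupalContext;

class LogoutContext extends RawDrupalContext {

  /**
   * @Then I log out via the logout url
   */
  public function logoutViaUrl() {
    $session = $this->getSession();
    $session->visit($this->locatePath('/user/logout'));

    // Since Drupal 10.3 a GET to /user/logout without a CSRF token renders a
    // confirmation form instead of ending the session (the token requirement
    // is what stops a third-party page from logging the user out). Submit the
    // form when it is present; on older sites the lookup simply returns NULL.
    $page = $session->getPage();
    $form = $page->find('css', 'form#user-logout-confirm');
    if ($form !== NULL) {
      $button = $form->findButton('Log out')
        ?? $form->find('css', 'input[type=submit], button[type=submit]');
      if ($button === NULL) {
        throw new \RuntimeException('Logout confirmation form found, but it has no submit button.');
      }
      $button->press();
    }

    // Keep the extension's own view of the current user in sync.
    $this->getUserManager()->setCurrentUser(FALSE);
  }

  /**
   * @Then I should really be logged out
   */
  public function assertReallyLoggedOut() {
    // Do not rely on setCurrentUser(FALSE); ask the site. Only an anonymous
    // visitor gets the login form (with its "name" field) at /user/login.
    $session = $this->getSession();
    $session->visit($this->locatePath('/user/login'));
    if ($session->getPage()->findField('name') === NULL) {
      throw new \RuntimeException('Expected the login form at /user/login; the browser session is still authenticated.');
    }
  }

}
```

Used in the scenario from the report, the second step replaces the final "Then I fill in" line with an assertion that reports the real cause of failure, so a regression in URL-based logout surfaces as "still authenticated" rather than as a missing form field.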