Remove internal uses of GET-based logout route

app/controllers/users/sessions_controller.rb

@@ -40,11 +40,15 @@ def create
     end
 
     def destroy
-      analytics.logout_initiated(sp_initiated: false, oidc: false)
-      irs_attempts_api_tracker.logout_initiated(
-        success: true,
-      )
-      super
+      if request.method == 'GET' && IdentityConfig.store.disable_logout_get_request
+        redirect_to root_path
+      else
+        analytics.logout_initiated(sp_initiated: false, oidc: false)
+        irs_attempts_api_tracker.logout_initiated(
+          success: true,
+        )
+        super
+      end
     end
 
     private

app/views/accounts/_nav_auth.html.erb

@@ -16,7 +16,9 @@
       <span class="display-none tablet:display-inline padding-right-1 margin-right-1 border-right border-base-darker">
         <%= t('account.welcome') %> <strong><%= greeting %></strong>
       </span>
-      <%= link_to t('links.sign_out'), destroy_user_session_path %>
+
+      <%= button_to t('links.sign_out'), logout_path, method: :delete, class: 'usa-button usa-button--unstyled' %>
+
       <% if enable_mobile_nav %>
         <button class="usa-menu-btn margin-left-2"><%= t('account.navigation.menu') %></button>
       <% end %>

app/views/session_timeout/_warning.html.erb

@@ -49,7 +49,10 @@
         t('continue', scope: modal_presenter.translation_scope),
       ) %>
   <%= render ButtonComponent.new(
-        action: ->(**tag_options, &block) { link_to(destroy_user_session_path, **tag_options, &block) },
+        action: ->(**tag_options, &block) do
+          button_to(logout_path, **tag_options, &block)
+        end,
+        method: :delete,
         big: true,
         full_width: true,
         outline: true,

app/views/shared/_cancel.html.erb

@@ -2,6 +2,10 @@
   <% if user_signing_up? %>
     <%= link_to cancel_link_text, sign_up_cancel_path, method: :get, class: 'usa-button usa-button--unstyled' %>
   <% else %>
-    <%= link_to cancel_link_text, link || return_to_sp_cancel_path %>
+    <% if defined?(link_method) %>
+      <%= button_to cancel_link_text, link, method: link_method, class: 'usa-button usa-button--unstyled' %>
+    <% else %>
+      <%= link_to cancel_link_text, link %>
+    <% end %>
   <% end %>
 <% end %>

app/views/sign_up/passwords/new.html.erb

@@ -25,6 +25,6 @@
 
 <%= render 'shared/password_accordion' %>
 
-<%= render 'shared/cancel', link: destroy_user_session_path %>
+<%= render 'shared/cancel' %>
 
 <%= javascript_packs_tag_once 'pw-strength' %>

app/views/users/piv_cac_setup_from_sign_in/success.html.erb

@@ -7,4 +7,4 @@
 <%= button_to t('forms.buttons.continue'), login_add_piv_cac_success_path,
               class: 'usa-button usa-button--big usa-button--wide', method: :post %>
 
-<%= render 'shared/cancel', link: destroy_user_session_path %>
+<%= render 'shared/cancel', link: logout_path, link_method: :delete %>

app/views/users/two_factor_authentication_setup/index.html.erb

@@ -36,4 +36,4 @@
   <%= f.submit t('forms.buttons.continue'), class: 'margin-bottom-1' %>
 <% end %>
 
-<%= render 'shared/cancel', link: destroy_user_session_path %>
+<%= render 'shared/cancel', link: logout_path, link_method: :delete %>

config/application.yml.default

@@ -78,6 +78,7 @@ deleted_user_accounts_report_configs: '[]'
 development_mailer_deliver_method: letter_opener
 disable_csp_unsafe_inline: true
 disable_email_sending: true
+disable_logout_get_request: true
 disallow_all_web_crawlers: true
 disposable_email_services: '[]'
 doc_auth_attempt_window_in_minutes: 360
@@ -438,6 +439,7 @@ production:
   database_worker_jobs_host: ''
   database_worker_jobs_password: ''
   disable_email_sending: false
+  disable_logout_get_request: false
   disallow_all_web_crawlers: false
   doc_auth_vendor: 'acuant'
   doc_auth_vendor_randomize: false

lib/identity_config.rb

@@ -178,6 +178,7 @@ def self.build_store(config_map)
     config.add(:development_mailer_deliver_method, type: :symbol, enum: [:file, :letter_opener])
     config.add(:disable_csp_unsafe_inline, type: :boolean)
     config.add(:disable_email_sending, type: :boolean)
+    config.add(:disable_logout_get_request, type: :boolean)
     config.add(:disallow_all_web_crawlers, type: :boolean)
     config.add(:disposable_email_services, type: :json)
     config.add(:doc_auth_attempt_window_in_minutes, type: :integer)

spec/controllers/users/sessions_controller_spec.rb

@@ -5,25 +5,11 @@
   let(:mock_valid_site) { 'http://example.com' }
 
   describe 'GET /logout' do
-    it 'tracks a logout event' do
-      stub_analytics
-      stub_attempts_tracker
-      expect(@analytics).to receive(:track_event).with(
-        'Logout Initiated',
-        hash_including(
-          sp_initiated: false,
-          oidc: false,
-        ),
-      )
-
+    it 'does not log user out and redirects to root' do
       sign_in_as_user
-
-      expect(@irs_attempts_api_tracker).to receive(:logout_initiated).with(
-        success: true,
-      )
-
       get :destroy
-      expect(controller.current_user).to be nil
+      expect(controller.current_user).to_not be nil
+      expect(response).to redirect_to root_url
     end
   end
 

spec/features/idv/clearing_and_restarting_spec.rb

@@ -22,7 +22,7 @@
     context 'after signing out' do
       before do
         visit account_path
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         start_idv_from_sp
         sign_in_live_with_2fa(user)
       end

spec/features/idv/steps/gpo_step_spec.rb

@@ -126,7 +126,7 @@ def complete_idv_and_sign_out
       click_continue
       visit root_path
       click_on t('idv.gpo.return_to_profile')
-      first(:link, t('links.sign_out')).click
+      first(:button, t('links.sign_out')).click
     end
 
     def complete_idv_and_return_to_gpo_step

spec/features/multiple_emails/sign_in_spec.rb

@@ -13,7 +13,7 @@
 
     expect(page).to have_current_path(account_path)
 
-    first(:link, t('links.sign_out')).click
+    first(:button, t('links.sign_out')).click
 
     signin(email2, user.password)
     fill_in_code_with_last_phone_otp

spec/features/openid_connect/openid_connect_spec.rb

@@ -797,7 +797,9 @@
       uncheck(t('forms.messages.remember_device'))
       fill_in_code_with_last_phone_otp
       click_submit_default
-      visit destroy_user_session_url
+
+      visit account_path
+      click_button t('links.sign_out')
 
       visit_idp_from_ial1_oidc_sp(prompt: 'select_account')
       fill_in_credentials_and_submit(user.email, user.password)

spec/features/remember_device/phone_spec.rb

@@ -16,7 +16,7 @@ def remember_device_and_sign_out_user
       check t('forms.messages.remember_device')
       fill_in_code_with_last_phone_otp
       click_submit_default
-      first(:link, t('links.sign_out')).click
+      first(:button, t('links.sign_out')).click
       user
     end
 
@@ -36,7 +36,7 @@ def remember_device_and_sign_out_user
       click_submit_default
       skip_second_mfa_prompt
 
-      first(:link, t('links.sign_out')).click
+      first(:button, t('links.sign_out')).click
       user
     end
 

spec/features/remember_device/revocation_spec.rb

@@ -17,7 +17,7 @@
       find_sidenav_forget_browsers_link.click
       click_on(t('forms.buttons.confirm'))
 
-      first(:link, t('links.sign_out')).click
+      first(:button, t('links.sign_out')).click
 
       expect_mfa_to_be_required_for_user(user)
     end
@@ -34,7 +34,7 @@
         find_sidenav_forget_browsers_link.click
         click_on(t('forms.buttons.confirm'))
 
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
 
         expect_mfa_to_be_required_for_user(user)
       end
@@ -51,7 +51,7 @@ def sign_in_with_remember_device_and_sign_out
     check t('forms.messages.remember_device')
     fill_in_code_with_last_phone_otp
     click_submit_default
-    first(:link, t('links.sign_out')).click
+    first(:button, t('links.sign_out')).click
   end
 
   def expect_mfa_to_be_required_for_user(user)

spec/features/remember_device/session_expiration_spec.rb

@@ -15,7 +15,7 @@
     check t('forms.messages.remember_device')
     fill_in_code_with_last_phone_otp
     click_submit_default
-    first(:link, t('links.sign_out')).click
+    first(:button, t('links.sign_out')).click
 
     IdentityLinker.new(
       user, build(:service_provider, issuer: OidcAuthHelper::OIDC_IAL1_ISSUER)

spec/features/remember_device/sp_expiration_spec.rb

@@ -102,7 +102,7 @@ def visit_sp(protocol, aal)
     click_submit_default
     skip_second_mfa_prompt
 
-    first(:link, t('links.sign_out')).click
+    first(:button, t('links.sign_out')).click
     user_record
   end
 

spec/features/remember_device/totp_spec.rb

@@ -13,7 +13,7 @@ def remember_device_and_sign_out_user
       fill_in :code, with: generate_totp_code(user.auth_app_configurations.first.otp_secret_key)
       check t('forms.messages.remember_device')
       click_submit_default
-      first(:link, t('links.sign_out')).click
+      first(:button, t('links.sign_out')).click
       user
     end
 
@@ -32,7 +32,7 @@ def remember_device_and_sign_out_user
       click_submit_default
       skip_second_mfa_prompt
 
-      first(:link, t('links.sign_out')).click
+      first(:button, t('links.sign_out')).click
       user
     end
 
@@ -52,7 +52,7 @@ def remember_device_and_sign_out_user
       check t('forms.messages.remember_device')
       click_submit_default
       expect(page).to have_current_path(account_two_factor_authentication_path)
-      first(:link, t('links.sign_out')).click
+      first(:button, t('links.sign_out')).click
       user
     end
 

spec/features/remember_device/user_opted_preference_spec.rb

@@ -17,7 +17,7 @@
         click_button 'Submit'
         skip_second_mfa_prompt
 
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         sign_in_user(user)
       end
 
@@ -44,7 +44,7 @@
         click_continue
         skip_second_mfa_prompt
 
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         sign_in_user(user)
       end
 
@@ -72,7 +72,7 @@
         click_submit_default
         skip_second_mfa_prompt
 
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         sign_in_user(user)
       end
 
@@ -92,7 +92,7 @@
         fill_in :code, with: generate_totp_code(user.auth_app_configurations.first.otp_secret_key)
         uncheck t('forms.messages.remember_device')
         click_submit_default
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         sign_in_user(user)
       end
 
@@ -119,7 +119,7 @@
         sign_in_user(user)
         uncheck(:remember_device)
         mock_successful_webauthn_authentication { click_webauthn_authenticate_button }
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
 
         sign_in_user(user)
       end
@@ -138,7 +138,7 @@
         uncheck t('forms.messages.remember_device')
         fill_in_code_with_last_phone_otp
         click_submit_default
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
 
         sign_in_user(user)
       end

spec/features/remember_device/webauthn_spec.rb

@@ -26,7 +26,7 @@ def remember_device_and_sign_out_user
         sign_in_user(user)
         check t('forms.messages.remember_device')
         mock_successful_webauthn_authentication { click_webauthn_authenticate_button }
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         user
       end
 
@@ -46,7 +46,7 @@ def remember_device_and_sign_out_user
         mock_press_button_on_hardware_key_on_setup
         skip_second_mfa_prompt
 
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         user
       end
 
@@ -64,7 +64,7 @@ def remember_device_and_sign_out_user
         check t('forms.messages.remember_device')
         mock_press_button_on_hardware_key_on_setup
         expect(page).to have_current_path(account_two_factor_authentication_path)
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         user
       end
 
@@ -89,7 +89,7 @@ def remember_device_and_sign_out_user
         sign_in_user(user)
         check t('forms.messages.remember_device')
         mock_successful_webauthn_authentication { click_webauthn_authenticate_button }
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         user
       end
 
@@ -140,7 +140,7 @@ def remember_device_and_sign_out_user
         fill_in_code_with_last_phone_otp
         click_submit_default
 
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         user
       end
 
@@ -157,7 +157,7 @@ def remember_device_and_sign_out_user
         check t('forms.messages.remember_device')
         mock_press_button_on_hardware_key_on_setup
         expect(page).to have_current_path(account_two_factor_authentication_path)
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         user
       end
 

spec/features/saml/ial2_sso_spec.rb

@@ -47,7 +47,7 @@ def update_mailing_address
   end
 
   def sign_out_user
-    first(:link, t('links.sign_out')).click
+    first(:button, t('links.sign_out')).click
   end
 
   context 'First time registration' do

spec/features/saml/saml_logout_spec.rb

@@ -18,7 +18,7 @@
 
         # Sign out of the IDP
         visit account_path
-        first(:link, t('links.sign_out')).click
+        first(:button, t('links.sign_out')).click
         expect(current_path).to eq root_path
 
         # SAML logout request

spec/features/two_factor_authentication/backup_code_sign_up_spec.rb

@@ -88,6 +88,6 @@
   end
 
   def sign_out_user
-    first(:link, t('links.sign_out')).click
+    first(:button, t('links.sign_out')).click
   end
 end