From 4401dab8d6e4c1ac6955a1515e02a3e5d047eda9 Mon Sep 17 00:00:00 2001
From: Johnson Yi
Date: Sat, 14 May 2022 11:59:34 +0000
Subject: [PATCH] fix saml slo for logout

---
 app/Http/Controllers/Auth/LoginController.php | 7 +++++++
 app/Http/Controllers/Auth/SamlController.php | 2 +-
 routes/web.php | 6 ++++++
 3 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index d6d4eb24b..f53aa0299 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -449,10 +449,17 @@ class LoginController extends Controller
 */
 public function logout(Request $request)
 {
+ // Logout is only allowed with a http POST but we need to allow GET for SAML SLO
 $settings = Setting::getSettings();
 $saml = $this->saml;
+ $samlLogout = $request->session()->get('saml_logout');
 $sloRedirectUrl = null;
 $sloRequestUrl = null;
+
+ // Only allow GET if we are doing SAML SLO otherwise abort with 405
+ if ($request->isMethod('GET') && !$samlLogout) {
+ abort(405);
+ }
 
 if ($saml->isEnabled()) {
 $auth = $saml->getAuth();
diff --git a/app/Http/Controllers/Auth/SamlController.php b/app/Http/Controllers/Auth/SamlController.php
index d84ae2601..3d5cf75ec 100644
--- a/app/Http/Controllers/Auth/SamlController.php
+++ b/app/Http/Controllers/Auth/SamlController.php
@@ -142,6 +142,6 @@ class SamlController extends Controller
 return view('errors.403');
 }
 
- return redirect()->route('logout')->with('saml_slo_redirect_url', $sloUrl);
+ return redirect()->route('logout')->with(['saml_logout' => true,'saml_slo_redirect_url' => $sloUrl]);
 }
 }
diff --git a/routes/web.php b/routes/web.php
index 9141b2bf0..c6b53d915 100644
--- a/routes/web.php
+++ b/routes/web.php
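Review bot: The new guard in logout() rejects only `GET`, but the GET route this commit registers in routes/web.php is, in Laravel, also matched for `HEAD`, and `isMethod('GET')` is false for a HEAD request, so `HEAD /logout` without the `saml_logout` flag would fall through to the logout logic that follows. Invert the check so that anything other than POST must carry the flag: `if (!$request->isMethod('POST') && !$samlLogout) {` with the `abort(405);` unchanged. Since the flag arrives via `redirect()->with()` it is session flash data and, as I read it, is consumed by this one request, which is the right lifetime for a single SLO redirect; it would be worth stating that in the comment above the check, e.g. `// saml_logout is a one-request flash set by SamlController; only that redirect may reach logout via GET`. The rest of logout(), including whatever is done with $sloRedirectUrl, is outside this hunk.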
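Review bot: The new `with([...])` array in SamlController is missing the space after the comma, and nothing at this call site says what `saml_logout` is for, even though LoginController::logout now keys its method check on it. I would write `return redirect()->route('logout')->with(['saml_logout' => true, 'saml_slo_redirect_url' => $sloUrl]);` preceded by `// saml_logout tells LoginController::logout to accept the GET that this redirect produces`. Because that flag is the only thing that lets a GET logout proceed, it should only be flashed after the incoming SAML logout message has been validated; the validation and the start of this method are outside the hunk, so I cannot confirm that here.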
@@ -434,6 +434,12 @@ Route::group(['middleware' => 'web'], function () {
 'uses' => 'DashboardController@getIndex'
 ]
 );
+ // need to keep GET /logout for SAML SLO
+ Route::get(
+ 'logout',
+ [LoginController::class, 'logout']
+ )->name('logout');
+
 Route::post(
 'logout',
 [LoginController::class, 'logout']
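Review bot: The added GET route is given the same name, `logout`, as the POST route registered right after it, so `route('logout')` now has two registrations; as I understand Laravel's route collection the later one wins, which is harmless here only because both URIs are `/logout`, but it is a surprise waiting for the next edit. Either drop `->name('logout')` from the GET registration or extend the comment so the constraint is visible at the route level, e.g. `// GET /logout exists only for the SAML SLO redirect; LoginController::logout answers 405 to GET unless the session carries the saml_logout flag`. The closing of the Route::post() call lies outside this hunk.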