From d50a6bd238d256f0b8a8f6b713a9599cc705761b Mon Sep 17 00:00:00 2001
From: mathis
Date: Thu, 26 Feb 2026 17:03:51 +0100
Subject: [PATCH] implement logout functionality and improve SSO logout process

---
 config/packages/security.yaml | 7 +++---
 src/Controller/SecurityController.php | 31 ++++++++++++++++++---------
 2 files changed, 25 insertions(+), 13 deletions(-)

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 5fe11ff..c0ddc95 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -59,9 +59,10 @@ security:
 enable_csrf: true
 default_target_path: app_index
 use_referer: true
-# logout:
-# path: app_logout
-# target: app_login
+ logout:
+ path: app_logout
+ enable_csrf: false
+ target: app_login
 
 # activate different ways to authenticate
 # https://symfony.com/doc/current/security.html#the-firewall
diff --git a/src/Controller/SecurityController.php b/src/Controller/SecurityController.php
index e155d2a..4cc1dbb 100644
--- a/src/Controller/SecurityController.php
+++ b/src/Controller/SecurityController.php
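Review bot: `enable_csrf: false` on the new `logout:` block lets any third-party page end a user's session with a plain link or image request to `/logout`, because the logout listener will no longer require the `_csrf_token` query parameter. If the flag was switched off so that `ssoLogout` in the second hunk can redirect to `app_logout` without a token, the cleaner fix is to keep CSRF enabled and have that redirect carry the token, e.g. `return $this->redirectToRoute('app_logout', ['_csrf_token' => $csrfTokenManager->getToken('logout')->getValue()]);` with `CsrfTokenManagerInterface $csrfTokenManager` injected. If disabling it is intentional, a comment above the flag stating why (`# CSRF disabled: /logout is only reached via the same-origin redirect from /sso_logout`) would keep the next reader from re-enabling it blindly. The indentation of these YAML lines was lost in the page's rendering, so their nesting under the firewall cannot be checked here.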
@@ -48,22 +48,33 @@ class SecurityController extends AbstractController
 ]);
 }
 
- #[Route(path: '/sso_logout', name: 'sso_logout')]
- public function ssoLogout(RequestStack $stack, LoggerInterface $logger, AccessTokenService $accessTokenService, Security $security): Response
+ #[Route(path: '/logout', name: 'app_logout')]
+ public function logout(): void
 {
+ throw new \Exception('This should never be reached!');
+ }
+
+ #[Route(path: '/sso_logout', name: 'sso_logout')]
+ public function ssoLogout(AccessTokenService $accessTokenService): Response
+ {
+ $this->logger->info('SSO Logout called from EasyCheck');
+
 try {
- $user = $this->userService->getUserByIdentifier($this->security->getUser()->getUserIdentifier());
- $id = $user->getId();
- if ($stack->getSession()->invalidate()) {
- $accessTokenService->revokeUserTokens($security->getUser()->getUserIdentifier());
- $security->logout(false);
+ $user = $this->getUser();
+ if ($user) {
+ $id = $user->getId();
+ $this->logger->info('Revoking tokens for user', ['user_id' => $id]);
+ $accessTokenService->revokeUserTokens($user->getUserIdentifier());
 $this->loggerService->logUserConnection('User logged out', ['user_id' => $id]);
- return $this->redirect('/');
+ } else {
+ $this->logger->warning('No user found during SSO logout');
 }
 } catch (\Exception $e) {
- $logger->log(LogLevel::ERROR, 'Error invalidating session: ' . $e->getMessage());
+ $this->logger->log(LogLevel::ERROR, 'Error during SSO logout: ' . $e->getMessage());
 }
- return $this->redirectToRoute('app_index');
+
+ $this->logger->info('Redirecting to app_logout');
+ return $this->redirectToRoute('app_logout');
 }
 
 #[Route(path: '/consent', name: 'app_consent')]
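Review bot: `ssoLogout` no longer terminates the session itself — the removed `$stack->getSession()->invalidate()` and `$security->logout(false)` are replaced by a redirect to `app_logout`, so the session only ends if the caller's browser follows that redirect. The log line says this endpoint is called from EasyCheck; if that call is ever made server-to-server rather than through the user's browser, the access tokens are revoked but the local session stays alive, and `logUserConnection('User logged out', …)` records a logout that has not actually happened. Keeping `$security->logout(false);` inside the try block (re-injecting `Security $security` as the old signature did) would end the session in the same request regardless of who calls the endpoint. As a smaller point, `logout()` always throws and could be declared `: never` with a `\LogicException`, which says more clearly than `\Exception` that reaching it is a wiring error. `SecurityController` itself begins and ends outside the hunk.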