This might not be what you were looking for but here's something.
This code extends the logout view of Flarum. This is the equivalent of editing the content section inside `vendor/flarum/core/views/log-out.blade.php`, except this version is safe against Composer reverting the files.
The first two `<p>` are the original content of the view repeated (without Blade templating because it doesn't work in this context). Then I added a script call that immediately loads the href of the button, causing a redirect without any action from the user when they land on the page.
So redirecting users to `/logout` with this script will not require an additional click from them.
```php
<?php

use Flarum\Extend;
use Flarum\Foundation\Application;
use Flarum\Settings\SettingsRepositoryInterface;
use Illuminate\Contracts\Config\Repository as ConfigRepository;
use Illuminate\Contracts\View\Factory as ViewFactory;
use Illuminate\Contracts\View\View;
use Illuminate\Support\ServiceProvider;
use Symfony\Component\Translation\TranslatorInterface;

class FlarumExtendProvider extends ServiceProvider {
    public function register() {
        // Runs every time the log-out view is rendered.
        app(ViewFactory::class)->composer('flarum.forum::log-out', function (View $view) {
            // Everything echoed until appendSection() is added to the "content" section.
            $view->getFactory()->startSection('content');
            ?>
            <p><?= e(app(TranslatorInterface::class)->trans('core.views.log_out.log_out_confirmation', ['{forum}' => app(SettingsRepositoryInterface::class)->get('forum_title')])) ?></p>
            <p>
                <a href="<?= e($view->getData()['url']) ?>" class="button">
                    <?= e(app(TranslatorInterface::class)->trans('core.views.log_out.log_out_button')) ?>
                </a>
            </p>
            <script>
                // Follow the log-out button's link (which carries the token) without a click.
                document.location = document.querySelector('a').href;
            </script>
            <?php
            $view->getFactory()->appendSection();
        });
    }
}

return [
    // Register extenders here to customize your forum!
    new Extend\Compat(function(Application $app) {
        $app->register(FlarumExtendProvider::class);
    }),
];
```
There are other solutions, and it also depends whether you want the request to be GET, POST, a hidden image from another domain, and whether you need a specific redirect after the logout.
While it will not matter the same for everyone, there are CSRF concerns with all of these methods. The risks involving the logout endpoint are probably limited, as all an attacker could do is force the logout of users from another app.
The benefit of the JavaScript solution above is that, if used in conjunction with blocking framing inside other websites, it's not possible for a malicious party to trigger the logout without redirecting you to the page.
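
The framing block that the last paragraph depends on, as an added example that is not part of the original post: a PSR-15 middleware that tells browsers not to render forum pages, including `/logout`, inside a frame on another site. Assumptions: the class name `DenyFraming` is hypothetical, the installed Flarum version provides the `Extend\Middleware` extender (newer than the `Extend\Compat` used above), and the extender entry is merged into the existing `extend.php` return array.

```php
<?php
// Added example, not code from the original post or from Flarum itself.

use Flarum\Extend;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

// Hypothetical class name.
class DenyFraming implements MiddlewareInterface
{
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // Let the forum build the response first, then attach the headers.
        $response = $handler->handle($request);

        // Legacy header, for browsers that do not support frame-ancestors.
        $response = $response->withHeader('X-Frame-Options', 'DENY');

        // Added as a separate policy instead of editing an existing one:
        // browsers enforce every Content-Security-Policy they receive,
        // so this can only tighten what is already there.
        return $response->withAddedHeader(
            'Content-Security-Policy',
            "frame-ancestors 'none'"
        );
    }
}

return [
    // Assumption: Extend\Middleware is available in the installed Flarum version.
    (new Extend\Middleware('forum'))->add(DenyFraming::class),
];
```

With these headers in place, the auto-redirect script cannot run inside a hidden iframe on another site; the browser refuses to render the page there.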