From 715899b52a8bbf08c22a8fe1d8366f96bf3634ad Mon Sep 17 00:00:00 2001
From: Mathieu Lechat <math.lechat@gmail.com>
Date: Sat, 9 Dec 2023 11:32:23 +0100
Subject: [PATCH] [Security] Document the `LogoutRouteLoader`

---
 security.rst | 81 +++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 55 insertions(+), 26 deletions(-)

diff --git a/security.rst b/security.rst
index d38c9cf731d..0029cbfd69d 100644
--- a/security.rst
+++ b/security.rst
@@ -1796,7 +1796,7 @@ To enable logging out, activate the  ``logout`` config parameter under your fire
                 main:
                     # ...
                     logout:
-                        path: app_logout
+                        path: /logout
 
                         # where to redirect after logout
                         # target: app_any_route
@@ -1817,8 +1817,7 @@ To enable logging out, activate the  ``logout`` config parameter under your fire
                 <!-- ... -->
 
                 <firewall name="main">
-                    <!-- ... -->
-                    <logout path="app_logout"/>
+                    <logout path="/logout"/>
 
                     <!-- use "target" to configure where to redirect after logout
                     <logout path="app_logout" target="app_any_route"/>
@@ -1838,41 +1837,68 @@ To enable logging out, activate the  ``logout`` config parameter under your fire
             $mainFirewall = $security->firewall('main');
             // ...
             $mainFirewall->logout()
-                // the argument can be either a route name or a path
-                ->path('app_logout')
+                ->path('/logout')
 
                 // where to redirect after logout
                 // ->target('app_any_route')
             ;
         };
 
-Next, you need to create a route for this URL (but not a controller):
+Symfony will then un-authenticate users navigating to the configured ``path``,
+and redirect them to the configured ``target``. You can generate URLs to this
+path using the ``_security_<firewallname>`` route name (e.g. ``_security_main``).
+
+If your project does not use :ref:`Symfony Flex <symfony-flex>`, make sure
+you have imported the logout route loader in your routes:
 
 .. configuration-block::
 
-    .. code-block:: php-attributes
+    .. code-block:: yaml
 
-        // src/Controller/SecurityController.php
-        namespace App\Controller;
+        # config/routes/security.yaml
+        _symfony_logout:
+            resource: security.route_loader.logout
+            type: service
 
-        use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
-        use Symfony\Component\Routing\Annotation\Route;
+    .. code-block:: xml
 
-        class SecurityController extends AbstractController
-        {
-            #[Route('/logout', name: 'app_logout', methods: ['GET'])]
-            public function logout(): never
-            {
-                // controller can be blank: it will never be called!
-                throw new \Exception('Don\'t forget to activate logout in security.yaml');
-            }
-        }
+        <!-- config/routes/security.xml -->
+        <?xml version="1.0" encoding="UTF-8" ?>
+        <routes xmlns="http://symfony.com/schema/routing"
+            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+            xsi:schemaLocation="http://symfony.com/schema/routing
+                https://symfony.com/schema/routing/routing-1.0.xsd">
+
+            <import resource="security.route_loader.logout" type="service"/>
+        </routes>
+
+    .. code-block:: php
+
+        // config/routes/security.php
+        use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
+
+        return static function (RoutingConfigurator $routes): void {
+            $routes->import('security.route_loader.logout', 'service');
+        };
+
+.. versionadded:: 6.4
+
+    The :class:`Symfony\\Bundle\\SecurityBundle\\Routing\\LogoutRouteLoader` was
+    introduced in Symfony 6.4.
+
+Another option is to configure ``path`` as a route name, which can be useful if
+you want logout URIs to be translated according to the current locale e.g.
+In that case, you have to create this route yourself:
+
+.. configuration-block::
 
     .. code-block:: yaml
 
         # config/routes.yaml
         app_logout:
-            path: /logout
+            path:
+                en: /logout
+                fr: /deconnexion
             methods: GET
 
     .. code-block:: xml
@@ -1884,7 +1910,10 @@ Next, you need to create a route for this URL (but not a controller):
             xsi:schemaLocation="http://symfony.com/schema/routing
                 https://symfony.com/schema/routing/routing-1.0.xsd">
 
-            <route id="app_logout" path="/logout" methods="GET"/>
+            <route id="app_logout" path="/logout" methods="GET">
+                <path locale="en">/logout</path>
+                <path locale="fr">/deconnexion</path>
+            </route>
         </routes>
 
     .. code-block:: php
@@ -1893,14 +1922,14 @@ Next, you need to create a route for this URL (but not a controller):
         use Symfony\Component\Routing\Loader\Configurator\RoutingConfigurator;
 
         return function (RoutingConfigurator $routes): void {
-            $routes->add('app_logout', '/logout')
+            $routes->add('app_logout', [
+                'en' => '/logout',
+                'fr' => '/deconnexion',
+            ])
                 ->methods(['GET'])
             ;
         };
 
-That's it! By sending a user to the ``app_logout`` route (i.e. to ``/logout``)
-Symfony will un-authenticate the current user and redirect them.
-
 Logout programmatically
 ~~~~~~~~~~~~~~~~~~~~~~~