Bug in DrupalAuthenticationManager::logout due to logout confirmation form in 10.3

[tame4tex]

Problem

In Drupal 10.3 a new confirm logout page was introduced, so any user visiting the /user/logout page without a CSRF token will first get a confirmation page. See https://www.drupal.org/project/drupal/issues/144538.

Therefore DrupalAuthenticationManager::logout no longer works in 10.3+ because the confirmation form needs to be submitted in order for the user to be completely logged out.

I am assuming this bug was not picked up in the backend_login.feature testing because it is using fast logout rather than visiting the logout url and \FeatureContext::assertBackendLoggedOut() is only checking the current user which would pass because of the code $this->userManager->setCurrentUser(false); in DrupalAuthenticationManager::logout.

Steps to Replicate

Add the following step definition to ensure fast logout is not used:

  /**
   * @Then I log out via the logout url
   */
  public function logoutViaUrl()
  {
    $this->logout(false);
  }

Add the following test:

  @api
  Scenario: Test log out via url with no token

    Given I am logged in as a user with the "authenticated" role
    When I log out via the logout url
    And I am at "user/login"
    Then I fill in "name" with "foo"

The final step will fail on a D10.3 site because the user login page is displaying the user's account page and not the login form because the user is not logged out.

Proposed Resolution

• Add new Drupal Text name and url for the logout confirmation page.
• Refactor \Drupal\DrupalExtension\Manager\DrupalAuthenticationManager::logout to check if a logout confirmation page is present and if it is click submit.
• Refactor \FeatureContext::assertBackendLoggedOut to also ensure the login page displays the login form
• Add a new testing step definition that logs out via the logout url rather than fast logout.
• Add a new test to backend_login.feature to ensure logout via the url is working correctly.