Allow logout on GET

2025-11-04 09:37:35 +03:00 · 2016-01-09 01:11:35 -02:00 · 2016-01-09 01:11:35 -02:00 · 70a4dc9a13
commit 70a4dc9a13
parent c087899311
3 changed files with 47 additions and 1 deletions
--- a/docs/api_endpoints.rst
+++ b/docs/api_endpoints.rst
@ -11,7 +11,9 @@ Basic
    - password (string)


- /rest-auth/logout/ (POST)
+- /rest-auth/logout/ (POST, GET)
+
+    .. note:: ``ACCOUNT_LOGOUT_ON_GET = True`` to allow logout using GET (this is the exact same conf from allauth)

 - /rest-auth/password/reset/ (POST)

--- a/rest_auth/tests/test_api.py
+++ b/rest_auth/tests/test_api.py
@ -372,3 +372,29 @@ class APITestCase1(TestCase, BaseAPITestCase):
        # try to login again
        self._login()
        self._logout()
+
+    @override_settings(ACCOUNT_LOGOUT_ON_GET=True)
+    def test_logout_on_get(self):
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+
+        # create user
+        user = get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
+
+        self.post(self.login_url, data=payload, status_code=200)
+        self.get(self.logout_url, status=status.HTTP_200_OK)
+
+    @override_settings(ACCOUNT_LOGOUT_ON_GET=False)
+    def test_logout_on_post_only(self):
+        payload = {
+            "username": self.USERNAME,
+            "password": self.PASS
+        }
+
+        # create user
+        user = get_user_model().objects.create_user(self.USERNAME, '', self.PASS)
+
+        self.post(self.login_url, data=payload, status_code=status.HTTP_200_OK)
+        self.get(self.logout_url, status_code=status.HTTP_405_METHOD_NOT_ALLOWED)
--- a/rest_auth/views.py
+++ b/rest_auth/views.py
@ -9,6 +9,8 @@ from rest_framework.generics import GenericAPIView
 from rest_framework.permissions import IsAuthenticated, AllowAny
 from rest_framework.generics import RetrieveUpdateAPIView

+from allauth.account import app_settings as allauth_settings
+
 from .app_settings import (
    TokenSerializer, UserDetailsSerializer, LoginSerializer,
    PasswordResetSerializer, PasswordResetConfirmSerializer,
@ -61,7 +63,23 @@ class LogoutView(APIView):
    """
    permission_classes = (AllowAny,)

+    def get(self, request, *args, **kwargs):
+        try:
+            if allauth_settings.LOGOUT_ON_GET:
+                response = self.logout(request)
+            else:
+                response = self.http_method_not_allowed(request, *args, **kwargs)
+        except Exception as exc:
+            response = self.handle_exception(exc)
+
+        return self.finalize_response(request, response, *args, **kwargs)
+        self.response = self.finalize_response(request, response, *args, **kwargs)
+        return self.response
+
    def post(self, request):
+        return self.logout(request)
+
+    def logout(self, request):
        try:
            request.user.auth_token.delete()
        except (AttributeError, ObjectDoesNotExist):