Change Sign out route from DELETE to GET
Description
I have seen several issues (and I have some of my own) caused by the fact that the sign-out link requires a DELETE request as opposed to a simple GET request, which means it has to be handled by javascript (which means, among other things, you have to deal with CORS issues if you want to initiate sign out from another domain)
Proposal
Change the sign-out route to GET /users/sign_out
.
Links / references
It may be as easy as updating this line? https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/initializers/devise.rb#L198
A couple issues that may be caused or complicated by the fact that it currently requires a javascript DELETE request:
- https://gitlab.com/gitlab-org/gitlab-ce/issues/28223
- https://github.com/gitlabhq/gitlabhq/issues/9387
Use cases
- Initiating Sign-out as part of a single-sign-out process by redirecting a browser to
/users/sign_out
(without worrying about javascript/CORS) - Provide a "Sign out of Gitlab" link from another domain (using a redirect or iframe)
- Using the Sign Out button to sign out when there are javascript errors on the page for some reason (which currently can prevent sign-out)
Feature checklist
Make sure these are completed before closing the issue, with a link to the relevant commit.
-
Feature assurance -
Documentation -
Added to features.yml
Edited by Joe Marty