[1.x] Ensure logout route is authenticated (#536)

* Ensure logout route is authenticated

* Formatting

* Remove unused user

Author: timacdonald

routes/routes.php

@@ -42,6 +42,7 @@
         ]));
 
     Route::post(RoutePath::for('logout', '/logout'), [AuthenticatedSessionController::class, 'destroy'])
+        ->middleware([config('fortify.auth_middleware', 'auth').':'.config('fortify.guard')])
         ->name('logout');
 
     // Password Reset...

tests/AuthenticatedSessionControllerTest.php

@@ -2,6 +2,7 @@
 
 namespace Laravel\Fortify\Tests;
 
+use Illuminate\Auth\Events\Logout;
 use Illuminate\Cache\RateLimiter;
 use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Foundation\Auth\User;
@@ -404,6 +405,33 @@ public function test_case_insensitive_usernames_can_be_used()
         $response->assertRedirect('/home');
     }
 
+    public function test_users_can_logout(): void
+    {
+        $user = TestAuthenticationSessionUser::forceCreate([
+            'name' => 'Taylor Otwell',
+            'email' => '[email protected]',
+            'password' => bcrypt('secret'),
+        ]);
+        Event::fake([Logout::class]);
+
+        $response = $this->actingAs($user)->post('/logout');
+
+        $response->assertRedirect();
+        $this->assertGuest();
+        Event::assertDispatched(fn (Logout $logout) => $logout->user->is($user));
+    }
+
+    public function test_must_be_authenticated_to_logout(): void
+    {
+        Event::fake([Logout::class]);
+
+        $response = $this->post('/logout');
+
+        $response->assertRedirect();
+        $this->assertGuest();
+        Event::assertNotDispatched(Logout::class);
+    }
+
     protected function defineEnvironment($app)
     {
         parent::defineEnvironment($app);