From a64c871f48042d88a31f709cfd9a0d700c55afae Mon Sep 17 00:00:00 2001
From: Tim MacDonald
Date: Wed, 8 May 2024 14:32:50 +1000
Subject: [PATCH 1/3] Ensure logout route is authenticated
---
 routes/routes.php | 1 +
 tests/AuthenticatedSessionControllerTest.php | 41 ++++++++++++++++++++
 2 files changed, 42 insertions(+)
diff --git a/routes/routes.php b/routes/routes.php
index 141be97b..6bc8e187 100644
--- a/routes/routes.php
+++ b/routes/routes.php
@@ -42,6 +42,7 @@
 ]));
 
 Route::post(RoutePath::for('logout', '/logout'), [AuthenticatedSessionController::class, 'destroy'])
+ ->middleware([config('fortify.auth_middleware', 'auth').':'.config('fortify.guard')])
 ->name('logout');
 
 // Password Reset...
diff --git a/tests/AuthenticatedSessionControllerTest.php b/tests/AuthenticatedSessionControllerTest.php
index 9df58110..fa07c0a1 100644
--- a/tests/AuthenticatedSessionControllerTest.php
+++ b/tests/AuthenticatedSessionControllerTest.php
@@ -2,6 +2,7 @@
 
 namespace Laravel\Fortify\Tests;
 
+use Illuminate\Auth\Events\Logout;
 use Illuminate\Cache\RateLimiter;
 use Illuminate\Contracts\Auth\Authenticatable;
 use Illuminate\Foundation\Auth\User;
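Review bot: The added `->middleware([...])` line in routes/routes.php gives `fortify.auth_middleware` a fallback of `'auth'` but reads `config('fortify.guard')` with none, so an unset guard builds the middleware string `auth:` with an empty guard name. Which guard the middleware then checks is not visible in this hunk; confirm it is always the same guard that `destroy` logs out, or append the `:guard` suffix only when the value is non-empty. A short comment above the route would also record the intent, e.g. `// Guests are stopped by the auth middleware, so destroy() never runs without a user.` The route group around this statement starts and ends outside the hunk.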
@@ -404,6 +405,46 @@ public function test_case_insensitive_usernames_can_be_used()
 $response->assertRedirect('/home');
 }
 
+ public function test_users_can_logout(): void
+ {
+ $user = TestAuthenticationSessionUser::forceCreate([
+ 'name' => 'Taylor Otwell',
+ 'email' => 'taylor@laravel.com',
+ 'password' => bcrypt('secret'),
+ ]);
+
+ $loggedOutUser = null;
+ Event::listen(function (Logout $event) use (&$loggedOutUser) {
+ $loggedOutUser = $event->user;
+ });
+
+ $response = $this->actingAs($user)->post('/logout');
+
+ $this->assertNotNull($loggedOutUser);
+ $this->assertTrue($loggedOutUser->is($user));
+ $response->assertRedirect();
+ $this->assertGuest();
+ }
+
+ public function test_must_be_authenticated_to_logout(): void
+ {
+ $user = TestAuthenticationSessionUser::forceCreate([
+ 'name' => 'Taylor Otwell',
+ 'email' => 'taylor@laravel.com',
+ 'password' => bcrypt('secret'),
+ ]);
+ $loggedOut = false;
+ Event::listen(function (Logout $event) use (&$loggedOut) {
+ $loggedOut = true;
+ });
+
+ $response = $this->post('/logout');
+
+ $this->assertFalse($loggedOut);
+ $response->assertRedirect();
+ $this->assertGuest();
+ }
+
 protected function defineEnvironment($app)
 {
 parent::defineEnvironment($app);
From 4dd9210884445e4875b455a77c78c478be1225f7 Mon Sep 17 00:00:00 2001
From: Tim MacDonald
Date: Wed, 8 May 2024 14:43:43 +1000
Subject: [PATCH 2/3] Formatting
---
 tests/AuthenticatedSessionControllerTest.php | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)
diff --git a/tests/AuthenticatedSessionControllerTest.php b/tests/AuthenticatedSessionControllerTest.php
index fa07c0a1..8f217624 100644
--- a/tests/AuthenticatedSessionControllerTest.php
+++ b/tests/AuthenticatedSessionControllerTest.php
@@ -412,18 +412,13 @@ public function test_users_can_logout(): void
 'email' => 'taylor@laravel.com',
 'password' => bcrypt('secret'),
 ]);
-
- $loggedOutUser = null;
- Event::listen(function (Logout $event) use (&$loggedOutUser) {
- $loggedOutUser = $event->user;
- });
+ Event::fake([Logout::class]);
 
 $response = $this->actingAs($user)->post('/logout');
 
- $this->assertNotNull($loggedOutUser);
- $this->assertTrue($loggedOutUser->is($user));
 $response->assertRedirect();
 $this->assertGuest();
+ Event::assertDispatched(fn (Logout $logout) => $logout->user->is($user));
 }
 
 public function test_must_be_authenticated_to_logout(): void
@@ -433,16 +428,13 @@ public function test_must_be_authenticated_to_logout(): void
 'email' => 'taylor@laravel.com',
 'password' => bcrypt('secret'),
 ]);
- $loggedOut = false;
- Event::listen(function (Logout $event) use (&$loggedOut) {
- $loggedOut = true;
- });
+ Event::fake([Logout::class]);
 
 $response = $this->post('/logout');
 
- $this->assertFalse($loggedOut);
 $response->assertRedirect();
 $this->assertGuest();
+ Event::assertNotDispatched(Logout::class);
 }
 
 protected function defineEnvironment($app)
From 8d15d6ed432c821b2c0208594a96a44932981378 Mon Sep 17 00:00:00 2001
From: Tim MacDonald
Date: Wed, 8 May 2024 14:44:15 +1000
Subject: [PATCH 3/3] Remove unused user
---
 tests/AuthenticatedSessionControllerTest.php | 5 -----
 1 file changed, 5 deletions(-)
diff --git a/tests/AuthenticatedSessionControllerTest.php b/tests/AuthenticatedSessionControllerTest.php
index 8f217624..512bd8ba 100644
--- a/tests/AuthenticatedSessionControllerTest.php
+++ b/tests/AuthenticatedSessionControllerTest.php
@@ -423,11 +423,6 @@ public function test_users_can_logout(): void
 
 public function test_must_be_authenticated_to_logout(): void
 {
- $user = TestAuthenticationSessionUser::forceCreate([
- 'name' => 'Taylor Otwell',
- 'email' => 'taylor@laravel.com',
- 'password' => bcrypt('secret'),
- ]);
 Event::fake([Logout::class]);
 
 $response = $this->post('/logout');
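Review bot: In `test_must_be_authenticated_to_logout` (the `@@ -433,16 +428,13 @@` hunk of PATCH 2/3, first added in PATCH 1/3 and left as is by PATCH 3/3), only `Event::assertNotDispatched(Logout::class)` tells the guarded route apart from an unguarded one. `$response->assertRedirect()` names no destination and `test_users_can_logout` makes the identical assertion for a successful logout, while `$this->assertGuest()` holds trivially because the request never authenticated anyone. Pinning the destination, e.g. `$response->assertRedirect('/login');` if that is where the test environment's auth middleware sends guests, would make the test fail should the middleware be dropped and the controller's own redirect answer instead. A second case that posts with a JSON `Accept` header and asserts the unauthenticated status would cover API clients too.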