From 4f4868a46c716fb6441f29d479548423aa347077 Mon Sep 17 00:00:00 2001
From: firest
Date: Mon, 25 Sep 2023 10:31:38 +0800
Subject: [PATCH] fix(sso): Disable access to `logout` endpoint by the `API key`
---
 apps/emqx_management/src/emqx_mgmt_auth.erl | 2 ++
 rel/i18n/emqx_dashboard_api.hocon | 4 +++-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/emqx_management/src/emqx_mgmt_auth.erl b/apps/emqx_management/src/emqx_mgmt_auth.erl
index ace4c155a..3d32afc19 100644
--- a/apps/emqx_management/src/emqx_mgmt_auth.erl
+++ b/apps/emqx_management/src/emqx_mgmt_auth.erl
@@ -156,6 +156,8 @@ authorize(<<"/api/v5/users", _/binary>>, _ApiKey, _ApiSecret) ->
 {error, <<"not_allowed">>};
 authorize(<<"/api/v5/api_key", _/binary>>, _ApiKey, _ApiSecret) ->
 {error, <<"not_allowed">>};
+authorize(<<"/api/v5/logout", _/binary>>, _ApiKey, _ApiSecret) ->
+ {error, <<"not_allowed">>};
 authorize(_Path, ApiKey, ApiSecret) ->
 Now = erlang:system_time(second),
 case find_by_api_key(ApiKey) of
diff --git a/rel/i18n/emqx_dashboard_api.hocon b/rel/i18n/emqx_dashboard_api.hocon
index 5f6bd3cde..f3d47801a 100644
--- a/rel/i18n/emqx_dashboard_api.hocon
+++ b/rel/i18n/emqx_dashboard_api.hocon
@@ -43,7 +43,9 @@ login_success.desc:
 """Dashboard Auth Success"""
 logout_api.desc:
-"""Dashboard user logout"""
+"""Dashboard user logout.
+This endpoint is only for the Dashboard, not the `API Key`.
+The token from the `/login` endpoint must be a bearer authorization in the headers."""
 logout_api.label:
 """Dashboard user logout"""
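Review bot: The added `/api/v5/logout` clause is now the third clause of authorize/3 that answers `{error, <<"not_allowed">>}` for a dashboard-only path, but nothing in the code says why these paths are refused to API keys, so the next person extending the list has to rediscover it from the i18n text; a comment above the first deny clause, `%% Dashboard-only endpoints (see logout_api.desc in rel/i18n/emqx_dashboard_api.hocon): never reachable with an API key.`, would make the deny list self-explaining. The match is a prefix match, like the two existing deny clauses, and whether the path reaching authorize/3 is already canonical (no duplicated or trailing slashes, no percent-encoding) is not visible in this hunk; if the caller does not normalise it, a variant spelling would fall through to the catch-all clause, so that is worth confirming at the call site. If the deny list keeps growing, the three identical clauses could also be folded into one clause that consults a small `is_dashboard_only/1` helper, which keeps the per-path reason in one place. authorize/3 begins before this hunk and its catch-all clause continues past it.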