
Merge pull request #11667 from lafirest/fix/logout

fix(sso): Disable access to `logout` endpoint by the `API key`
lafirest 2 rokov pred
rodič
commit
42eb7059fa

+ 2 - 0
apps/emqx_management/src/emqx_mgmt_auth.erl

@@ -156,6 +156,8 @@ authorize(<<"/api/v5/users", _/binary>>, _ApiKey, _ApiSecret) ->
     {error, <<"not_allowed">>};
 authorize(<<"/api/v5/api_key", _/binary>>, _ApiKey, _ApiSecret) ->
     {error, <<"not_allowed">>};
+authorize(<<"/api/v5/logout", _/binary>>, _ApiKey, _ApiSecret) ->
+    {error, <<"not_allowed">>};
 authorize(_Path, ApiKey, ApiSecret) ->
     Now = erlang:system_time(second),
     case find_by_api_key(ApiKey) of
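Review bot: The new `/api/v5/logout` deny clause is added without a test, and none of the three `not_allowed` clauses explain why those paths are refused to API keys while the catch-all `authorize(_Path, ApiKey, ApiSecret)` clause accepts everything else. A short comment above the `/api/v5/users` clause, `%% Dashboard-only endpoints: an API key must never manage users or API keys, nor invalidate a Dashboard session`, would make the deny-list intent explicit for the next addition. A unit case such as `?assertEqual({error, <<"not_allowed">>}, emqx_mgmt_auth:authorize(<<"/api/v5/logout">>, SomeKey, SomeSecret))` (sample key/secret of your choosing) would pin the behaviour. Note the head is a prefix match like its siblings, so any path beginning with `/api/v5/logout` is refused as well, which appears intended; `authorize/3` continues past the end of the hunk.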

+ 3 - 1
rel/i18n/emqx_dashboard_api.hocon

@@ -43,7 +43,9 @@ login_success.desc:
 """Dashboard Auth Success"""
 
 logout_api.desc:
-"""Dashboard user logout"""
+"""Dashboard user logout.
+This endpoint is only for the Dashboard, not the `API Key`.
+The token from the `/login` endpoint must be a bearer authorization in the headers."""
 logout_api.label:
 """Dashboard user logout"""