auth: Avoid deprecated django.contrib.auth.views.logout_then_login.

It’s removed in Django 5.0.

Signed-off-by: Anders Kaseorg <anders@zulip.com>

zerver/views/auth.py

@@ -8,10 +8,9 @@ import jwt
 import orjson
 from cryptography.hazmat.primitives.ciphers.aead import AESGCM
 from django.conf import settings
-from django.contrib.auth import authenticate
+from django.contrib.auth import authenticate, logout
 from django.contrib.auth.views import LoginView as DjangoLoginView
 from django.contrib.auth.views import PasswordResetView as DjangoPasswordResetView
-from django.contrib.auth.views import logout_then_login as django_logout_then_login
 from django.core.exceptions import ValidationError
 from django.core.validators import validate_email
 from django.forms import Form
@@ -1149,9 +1148,6 @@ def json_fetch_api_key(
     return json_success(request, data={"api_key": api_key, "email": user_profile.delivery_email})
 
 
-logout_then_login = require_post(django_logout_then_login)
-
-
 def should_do_saml_sp_initiated_logout(request: HttpRequest) -> bool:
     realm = RequestNotes.get_notes(request).realm
     assert realm is not None
@@ -1173,9 +1169,10 @@ def should_do_saml_sp_initiated_logout(request: HttpRequest) -> bool:
 
 
 @require_post
-def logout_view(request: HttpRequest, /, **kwargs: Any) -> HttpResponse:
+def logout_view(request: HttpRequest) -> HttpResponse:
     if not should_do_saml_sp_initiated_logout(request):
-        return logout_then_login(request, **kwargs)
+        logout(request)
+        return HttpResponseRedirect(settings.LOGIN_URL)
 
     # This will first redirect to the IdP with a LogoutRequest and if successful on the IdP side,
     # the user will be redirected to our SAMLResponse-handling endpoint with a success LogoutResponse,

zproject/backends.py

@@ -37,7 +37,7 @@ import magic
 import orjson
 from decorator import decorator
 from django.conf import settings
-from django.contrib.auth import authenticate, get_backends
+from django.contrib.auth import authenticate, get_backends, logout
 from django.contrib.auth.backends import RemoteUserBackend
 from django.contrib.staticfiles.storage import staticfiles_storage
 from django.core.exceptions import ValidationError
@@ -3160,8 +3160,6 @@ class SAMLSPInitiatedLogout:
         Validates the LogoutResponse and logs out the user if successful,
         finishing the SP-initiated logout flow.
         """
-        from django.contrib.auth.views import logout_then_login as django_logout_then_login
-
         idp = logout_response.backend.get_idp(idp_name)
         auth = logout_response.backend._create_saml_auth(idp)
         auth.process_slo(keep_local_session=True)
@@ -3172,8 +3170,8 @@ class SAMLSPInitiatedLogout:
             # They're informative but generic enough to not leak any sensitive information.
             raise JsonableError(f"LogoutResponse error: {errors}")
 
-        # We call Django's version of logout_then_login so that POST isn't required.
-        return django_logout_then_login(logout_response.backend.strategy.request)
+        logout(logout_response.backend.strategy.request)
+        return HttpResponseRedirect(settings.LOGIN_URL)
 
 
 def get_external_method_dicts(realm: Optional[Realm] = None) -> List[ExternalAuthMethodDictT]: