From 69eb17cb0d659d7de7a51715d2113e806663eb44 Mon Sep 17 00:00:00 2001
From: Kevin Morris
Date: Mon, 29 Nov 2021 16:51:16 -0800
Subject: [PATCH] change(fastapi): remove the GET /logout route; replaced with POST
Had to add some additional CSS in to style a form button the same as links are styled.
Closes #188
Signed-off-by: Kevin Morris
---
 aurweb/routers/auth.py | 15 ++-------------
 templates/partials/archdev-navbar.html | 9 ++++++---
 test/test_auth_routes.py | 3 ++-
 web/html/css/aurweb.css | 15 +++++++++++++++
 4 files changed, 25 insertions(+), 17 deletions(-)
diff --git a/aurweb/routers/auth.py b/aurweb/routers/auth.py
index c5a99419..fdc421f5 100644
--- a/aurweb/routers/auth.py
+++ b/aurweb/routers/auth.py
@@ -77,14 +77,9 @@ async def login_post(request: Request,
 return response
-@router.get("/logout")
+@router.post("/logout")
 @auth_required()
-async def logout(request: Request, next: str = "/"):
- """ A GET and POST route for logging out.
-
- @param request FastAPI request
- @param next Route to redirect to
- """
+async def logout(request: Request, next: str = Form(default="/")):
 if request.user.is_authenticated():
 request.user.logout(request)
@@ -95,9 +90,3 @@ async def logout(request: Request, next: str = "/"):
 response.delete_cookie("AURSID")
 response.delete_cookie("AURTZ")
 return response
-
-
-@router.post("/logout")
-@auth_required()
-async def logout_post(request: Request, next: str = "/"):
- return await logout(request=request, next=next)
diff --git a/templates/partials/archdev-navbar.html b/templates/partials/archdev-navbar.html
index 81695951..2e01eeab 100644
--- a/templates/partials/archdev-navbar.html
+++ b/templates/partials/archdev-navbar.html
@@ -45,9 +45,12 @@
 {# All logged in users see Logout #}
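Review bot: The new `logout` signature drops the docstring the old version carried, leaving the route and its `Form(default="/")` parameter undocumented; suggest restoring one such as `""" POST route for logging out; 'next' is the form field naming the route to redirect to afterwards. """`. `next` remains caller-controlled and feeds the redirect response built between the two hunks (not visible here), so it is worth confirming that only a relative path is accepted before the redirect is issued, since this hunk adds no such check. The body of `logout` starts in this hunk and continues past it into the second one.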
  • - - {% trans %}Logout{% endtrans %} - +
  • {% else %} {# All guest users see Register #}
diff --git a/test/test_auth_routes.py b/test/test_auth_routes.py
index a0bb8a7c..dffd1b94 100644
--- a/test/test_auth_routes.py
+++ b/test/test_auth_routes.py
@@ -154,8 +154,9 @@ def test_unauthenticated_logout_unauthorized():
 with client as request:
 # Alright, let's verify that attempting to /logout when not
 # authenticated returns 401 Unauthorized.
- response = request.get("/logout", allow_redirects=False)
+ response = request.post("/logout", allow_redirects=False)
 assert response.status_code == int(HTTPStatus.SEE_OTHER)
+ assert response.headers.get("location").startswith("/login")
 def test_login_missing_username():
diff --git a/web/html/css/aurweb.css b/web/html/css/aurweb.css
index 62179769..cd81160d 100644
--- a/web/html/css/aurweb.css
+++ b/web/html/css/aurweb.css
@@ -229,3 +229,18 @@ input#search-action-submit {
 .success {
 color: green;
 }
+
+/* Styling used to clone styles for a form.link button. */
+form.link, form.link > button {
+ display: inline-block;
+}
+form.link > button {
+ padding: 0 0.5em;
+ color: #07b;
+ background: none;
+ border: none;
+}
+form.link > button:hover {
+ cursor: pointer;
+ text-decoration: underline;
+}
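Review bot: The markup of the new logout control is not recoverable in this rendering (the tags were stripped), so I cannot confirm whether the POST form carries an anti-CSRF field alongside its `next` value; if the project has such a token, it belongs in this form, because switching from a GET link to a POST form on its own only stops prefetch- and link-triggered logouts. Please confirm the form's hidden fields against the template source, since only the translated `Logout` label survives here.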
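Review bot: The context comment `# authenticated returns 401 Unauthorized.` now contradicts the assertion two lines below, which expects `HTTPStatus.SEE_OTHER` and, with the added line, a redirect to `/login`; suggest rewording it to `# authenticated redirects (303 See Other) to /login.`. Separately, the new `response.headers.get("location").startswith("/login")` raises `AttributeError` instead of a readable assertion failure if the `Location` header is absent; `assert response.headers.get("location", "").startswith("/login")` fails cleanly. The enclosing test function starts before this hunk.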