change(fastapi): remove the GET /logout route; replaced with POST

Had to add some additional CSS in to style a form button the same as <a> links are styled. Closes #188 Signed-off-by: Kevin Morris <kevr@0cost.org>
2025-02-03 10:43:03 +01:00 · 2021-11-29 16:51:16 -08:00 · 2021-11-29 16:51:16 -08:00 · 69eb17cb0d
commit 69eb17cb0d
parent 44f2366675
4 changed files with 25 additions and 17 deletions
--- a/aurweb/routers/auth.py
+++ b/aurweb/routers/auth.py
@ -77,14 +77,9 @@ async def login_post(request: Request,
    return response


-@router.get("/logout")
+@router.post("/logout")
@auth_required()
-async def logout(request: Request, next: str = "/"):
-    """ A GET and POST route for logging out.
-
-    @param request FastAPI request
-    @param next Route to redirect to
-    """
+async def logout(request: Request, next: str = Form(default="/")):
    if request.user.is_authenticated():
        request.user.logout(request)

@ -95,9 +90,3 @@ async def logout(request: Request, next: str = "/"):
    response.delete_cookie("AURSID")
    response.delete_cookie("AURTZ")
    return response
-
-
-@router.post("/logout")
-@auth_required()
-async def logout_post(request: Request, next: str = "/"):
-    return await logout(request=request, next=next)
--- a/templates/partials/archdev-navbar.html
+++ b/templates/partials/archdev-navbar.html
@ -45,9 +45,12 @@

            {# All logged in users see Logout #}
            <li>
-                <a href="/logout?next={{ next }}">
+                <form action="/logout" method="post" class="link">
+                    <input type="hidden" name="next" value="{{ next }}" />
+                    <button type="submit">
                        {% trans %}Logout{% endtrans %}
-                </a>
+                    </button>
+                </form>
            </li>
        {% else %}
            {# All guest users see Register #}
--- a/test/test_auth_routes.py
+++ b/test/test_auth_routes.py
@ -154,8 +154,9 @@ def test_unauthenticated_logout_unauthorized():
    with client as request:
        # Alright, let's verify that attempting to /logout when not
        # authenticated returns 401 Unauthorized.
-        response = request.get("/logout", allow_redirects=False)
+        response = request.post("/logout", allow_redirects=False)
        assert response.status_code == int(HTTPStatus.SEE_OTHER)
+        assert response.headers.get("location").startswith("/login")


 def test_login_missing_username():
--- a/web/html/css/aurweb.css
+++ b/web/html/css/aurweb.css
@ -229,3 +229,18 @@ input#search-action-submit {
 .success {
    color: green;
 }
+
+/* Styling used to clone <a> styles for a form.link button. */
+form.link, form.link > button {
+    display: inline-block;
+}
+form.link > button {
+    padding: 0 0.5em;
+    color: #07b;
+    background: none;
+    border: none;
+}
+form.link > button:hover {
+    cursor: pointer;
+    text-decoration: underline;
+}