From 26e8660af45149404e99584f9c3c7d2365afa4bc Mon Sep 17 00:00:00 2001
From: calzoneman
Date: Mon, 26 Oct 2015 23:21:09 -0700
Subject: [PATCH] Change /logout from GET to POST (#515)
---
 src/web/auth.js | 4 ++--
 templates/nav.jade | 6 ++++--
 www/css/cytube.css | 10 ++++++++++
 3 files changed, 16 insertions(+), 4 deletions(-)
diff --git a/src/web/auth.js b/src/web/auth.js
index 09c7384e..e7c8578b 100644
--- a/src/web/auth.js
+++ b/src/web/auth.js
@@ -127,7 +127,7 @@ function handleLogout(req, res) {
 res.clearCookie("auth");
 req.user = res.user = null;
 // Try to find an appropriate redirect
- var dest = req.query.dest || req.header("referer");
+ var dest = req.params.dest || req.header("referer");
 dest = dest && dest.match(/login|logout|account/) ? null : dest;
 var host = req.hostname;
@@ -234,7 +234,7 @@ module.exports = {
 init: function (app) {
 app.get("/login", handleLoginPage);
 app.post("/login", handleLogin);
- app.get("/logout", handleLogout);
+ app.post("/logout", handleLogout);
 app.get("/register", handleRegisterPage);
 app.post("/register", handleRegister);
 }
diff --git a/templates/nav.jade b/templates/nav.jade
index 8068c9b3..3645e99d 100644
--- a/templates/nav.jade
+++ b/templates/nav.jade
@@ -67,8 +67,10 @@ mixin navloginform(redirect)
 mixin navlogoutform(redirect)
- p#logoutform.navbar-text.pull-right
+ form#logoutform.navbar-text.pull-right(action="/logout", method="post")
+ input(type="hidden", name="dest", value=baseUrl + redirect)
+ input(type="hidden", name="_csrf", value=csrfToken)
 span#welcome Welcome, #{loginName}
 span  · 
- a#logout.navbar-link(href="/logout?dest=#{encodeURIComponent(baseUrl + redirect)}&_csrf=#{csrfToken}") Logout
+ input#logout.navbar-link(type="submit", value="Logout")
diff --git a/www/css/cytube.css b/www/css/cytube.css
index 840f6f4a..0f9b4f24 100644
--- a/www/css/cytube.css
+++ b/www/css/cytube.css
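Review bot: `req.params.dest` on the added line will not see the `dest` field that the logout form now posts. In Express, `req.params` holds only named route segments, and the route registered in the second hunk is plain `/logout`, so the lookup is always undefined and the redirect silently falls back to the Referer header. Form fields of a POST arrive in `req.body` (assuming a urlencoded body parser is mounted, which is not visible here), so the line should read `var dest = req.body.dest || req.header("referer");`. Because `dest` is client-supplied either way, the host check that begins at `var host = req.hostname;` remains the control against off-site redirects; it and the rest of handleLogout continue outside the hunk.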
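Review bot: Nothing in the visible lines of the `/logout` route or of handleLogout checks the `_csrf` field that the form now posts, so whether POST /logout is actually protected depends on middleware outside this hunk. If a global CSRF middleware already covers the route, a comment above it would record that, for example `// CSRF token (_csrf body field) is verified by middleware before handleLogout runs`. If it does not, the handler needs an explicit token check before `res.clearCookie("auth")`. The enclosing `module.exports` object starts and ends outside the hunk.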
@@ -639,3 +639,13 @@ li.vjs-menu-item.vjs-selected {
 .video-js video::-webkit-media-text-track-container {
 bottom: 50px;
 }
+
+input#logout[type="submit"] {
+ background: none;
+ border: none;
+ padding: 0;
+}
+
+input#logout[type="submit"]:hover {
+ text-decoration: underline;
+}