Change /logout from GET to POST (#515)

src/web/auth.js

@@ -127,7 +127,7 @@ function handleLogout(req, res) {
     res.clearCookie("auth");
     req.user = res.user = null;
     // Try to find an appropriate redirect
-    var dest = req.query.dest || req.header("referer");
+    var dest = req.params.dest || req.header("referer");
     dest = dest && dest.match(/login|logout|account/) ? null : dest;
 
     var host = req.hostname;
@@ -234,7 +234,7 @@ module.exports = {
     init: function (app) {
         app.get("/login", handleLoginPage);
         app.post("/login", handleLogin);
-        app.get("/logout", handleLogout);
+        app.post("/logout", handleLogout);
         app.get("/register", handleRegisterPage);
         app.post("/register", handleRegister);
     }

templates/nav.jade

@@ -67,8 +67,10 @@ mixin navloginform(redirect)
 
 
 mixin navlogoutform(redirect)
-  p#logoutform.navbar-text.pull-right
+  form#logoutform.navbar-text.pull-right(action="/logout", method="post")
+    input(type="hidden", name="dest", value=baseUrl + redirect)
+    input(type="hidden", name="_csrf", value=csrfToken)
     span#welcome Welcome, #{loginName}
     span  · 
-    a#logout.navbar-link(href="/logout?dest=#{encodeURIComponent(baseUrl + redirect)}&_csrf=#{csrfToken}") Logout
+    input#logout.navbar-link(type="submit", value="Logout")
 

www/css/cytube.css

@@ -639,3 +639,13 @@ li.vjs-menu-item.vjs-selected {
 .video-js video::-webkit-media-text-track-container {
     bottom: 50px;
 }
+
+input#logout[type="submit"] {
+    background: none;
+    border: none;
+    padding: 0;
+}
+
+input#logout[type="submit"]:hover {
+    text-decoration: underline;
+}