Use post method for logout

[ar5had]

I think using post request for logout is better practice than using get request. Any image or link having src try clicking me will logout the user.

[jankeromnes]

I agree that our current logout isn't great from a security stand point. Here are some details about this issue:

We currently log users out with a link to janitor.technology/logout (caution, this will actually log you out). The code for the logout link is in templates/header.html, line 31, and the code for the request handler is in app.js, lines 141-150.

We would like to limit this handler to a specific HTTP method, e.g. DELETE (Arshad suggested POST, which could also work, but I believe that DELETE makes more sense and is more secure).

To do this, we could replace the app.route handler with a method-specific handler (I'll add an example code soon), and then replace the logout link (<a>) with an asynchronous <form> element (I'll also add an example for this).

[jankeromnes]

To fix this issue, we could replace the current app.route() logout handler with a more specific app.delete() handler, like so:

app.delete(/^\/logout\/?/, (request, response) => {
  users.logout(request, error => {
    // ...
  });
});

And then, we could replace the current logout link with an asynchronous form, like so:

<form action="/logout/" class="ajax-form has-feedback is-submit" method="delete" refresh-after-success="true">
  <button class="btn btn-link" type="submit">Sign out</button>
</form>