Logout endpoint should use POST not GET #1830
We should not use GET for logout. This changes the endpoints, uses forms, and changes the redirect from a 307 to a 303.
In this PR I modify the middleware to only create one public CSRF Token in the middleware. The reason for this is that we only need it to change on session updates (like user login/logout) and for debugging you can't track multiple public tokens (even though they ought to all unmask as the same value). It's a little less logic to have to parse when looking into CSRF issues.
Similarly, I no longer call
Log in and then log out!
Code Review Verification Steps
A number of past PRs that I looked at while prepping this PR:
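For reference, a minimal Go handler that illustrates the behaviour this PR describes (an added example, not the project's own code): GET on /logout is refused, the POST must carry a CSRF token matching the one bound to the session, and the redirect is a 303 so the browser follows with a GET instead of replaying the POST as a 307 would. The sessions map, cookie name and token values are constructed stand-ins for the real session middleware.

```go
package main

import (
	"crypto/subtle"
	"log"
	"net/http"
)

// Constructed stand-in for the session store: session cookie value -> the
// single public CSRF token issued for that session.
var sessions = map[string]string{
	"sess-abc": "tok-123", // constructed sample session and token
}

// logoutHandler only accepts POST. A GET to a state-changing endpoint can be
// triggered by a link or <img> on any origin, so it is rejected with 405.
func logoutHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost {
		w.Header().Set("Allow", http.MethodPost)
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	c, err := r.Cookie("session")
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	want, ok := sessions[c.Value]
	got := r.PostFormValue("csrf_token") // from the logout <form> body
	if !ok || subtle.ConstantTimeCompare([]byte(want), []byte(got)) != 1 {
		http.Error(w, "bad csrf token", http.StatusForbidden)
		return
	}
	delete(sessions, c.Value) // invalidate the server-side session
	http.SetCookie(w, &http.Cookie{Name: "session", Value: "", MaxAge: -1, Path: "/"})
	// 303 See Other: the browser follows with GET. A 307 would make it
	// re-send the POST (body included) to /login.
	http.Redirect(w, r, "/login", http.StatusSeeOther)
}

func main() {
	http.HandleFunc("/logout", logoutHandler)
	log.Fatal(http.ListenAndServe(":8080", nil))
}
```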
@@            Coverage Diff             @@
##           master    #1830      +/-   ##
==========================================
+ Coverage   49.38%   49.52%   +0.14%
==========================================
  Files         427      428       +1
  Lines       18341    18466     +125
  Branches     1636     1636
==========================================
+ Hits         9058     9146      +88
- Misses       8493     8518      +25
- Partials      790      802      +12
I can debug Go in GoLand if you want to look at the guts of the request. Happy to pair on it or stand in as