From ad22cc519f6d1d513dc69ced39967d2890c55ddf Mon Sep 17 00:00:00 2001
From: Kyle Drake
Date: Thu, 2 Feb 2017 10:27:30 -0800
Subject: [PATCH] Use form POST for signout link to prevent CSRF

---
 app/signin.rb | 2 +-
 views/_header.erb | 5 ++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/signin.rb b/app/signin.rb
index a2da5d98..7a531272 100644
--- a/app/signin.rb
+++ b/app/signin.rb
@@ -40,7 +40,7 @@ get '/signin/:username' do
 redirect request.referrer
 end
 
-get '/signout' do
+post '/signout' do
 require_login
 signout
 redirect '/'
diff --git a/views/_header.erb b/views/_header.erb
index 189adc6e..1e424a84 100644
--- a/views/_header.erb
+++ b/views/_header.erb
@@ -63,7 +63,10 @@
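Review bot: Moving `/signout` from `get` to `post` stops the route from being triggered by a plain link or image load, but a cross-origin `<form method="post">` still submits to it unless the handler verifies an anti-forgery token or the app rejects requests with a mismatched Origin header, and nothing in this hunk does that — `require_login` only establishes that a session exists. Unless the project already enables `Rack::Protection::AuthenticityToken` (it is not part of Rack::Protection's default set, which relies on `HttpOrigin` and therefore on the browser sending an Origin header), the token check is what actually closes the CSRF gap; the `_header.erb` hunk that renders the form would then need to include the matching hidden token field. A forced logout is low impact by itself, but this route shape tends to be copied for other state-changing actions, so it is worth getting right here. Consider also keeping a `get '/signout'` that renders a confirmation page or returns 405 with `Allow: POST`, so existing links and bookmarks fail visibly instead of 404ing.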
  • Admin
  • <% end %> -
  • Sign Out
  • +
  • Sign Out
  • +