sso: Use POST method for logout

- This prevents CSRF attacks that allow adversarial websites from logging out
users from FreedomBox. Django itself has made this change in 4.x releases.

Tests:

- Logout works with the menu item in drop-down when Javascript is enabled. The
menu item appears similar to other drop-down menu items.

- Logout works with the menu item when JavaScript is disabled on the page. The
menu item appears similar to other menu items.

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>

plinth/modules/sso/views.py

@@ -14,6 +14,7 @@ from django.contrib.auth import logout as auth_logout
 from django.contrib.auth.views import LoginView
 from django.http import HttpResponseRedirect
 from django.utils.translation import gettext as _
+from django.views.decorators.http import require_POST
 
 from plinth import translation, utils, web_framework
 
@@ -92,6 +93,7 @@ class CaptchaLoginView(LoginView):
         return set_ticket_cookie(request.user, response)
 
 
+@require_POST
 def logout(request):
     """Logout an authenticated user, remove SSO cookie and redirect to home."""
     auth_logout(request)

plinth/templates/base.html

@@ -184,10 +184,12 @@
                       <li class="dropdown-divider d-none d-md-block"></li>
                     {% endif %}
                     <li>
-                      <a class="dropdown-item" href="{% url 'users:logout' %}"
+                      <form class="form form-logout" method="post"
-                         title="{% trans "Log out" %}">
+                            action="{% url 'users:logout' %}">
-                        {% trans "Log out" %}
+                        {% csrf_token %}
-                      </a>
+                        <input type="submit" class="dropdown-item no-running-status" 
+                               value="{% trans "Log out" %}"/>
+                      </form>
                     </li>
                   </ul>
                 </li>
@@ -211,12 +213,12 @@
               {% endif %}
 
               {% if user.is_authenticated %}
-                <li id="logout-nojs" class="nav-item">
+                <form id="logout-nojs" class="form form-inline form-logout"
-                  <a class="nav-link" href="{% url 'users:logout' %}"
+                      method="post" action="{% url 'users:logout' %}">
-                     title="{% trans "Log out" %}">
+                  {% csrf_token %}
-                    <i class="fa fa-times-circle nav-icon"></i>
+                  <input type="submit" class="nav-link no-running-status btn btn-link"
-                    {% trans "Log out" %}</a>
+                         value="{% trans "Log out" %}"/>
-                </li>
+                </form>
               {% endif %}
             {% endblock %}
           </ul>

plinth/tests/functional/__init__.py

@@ -277,7 +277,7 @@ def login_with_account(browser, url, username, password=None):
         if user_menu.text == username:
             return
 
-        visit(browser, '/plinth/accounts/logout/')
+        logout(browser)
 
     login_button = browser.links.find_by_href('/plinth/accounts/login/')
     if login_button:
@@ -306,7 +306,14 @@ def login_with_account(browser, url, username, password=None):
 
 def logout(browser):
     """Log out of the FreedomBox interface."""
-    visit(browser, '/plinth/accounts/logout/')
+    # Navigate to the home page if logout form is not found
+    if not browser.find_by_css('.form-logout'):
+        visit(browser, '/plinth/')
+
+    # We are not logged in if the home page does not contain logout form
+    if browser.find_by_css('.form-logout'):
+        browser.find_by_id('id_user_menu').click()
+        submit(browser, form_class='form-logout')
 
 
 #################

static/themes/default/css/main.css

@@ -457,6 +457,11 @@ footer {
     height: 3.25rem;
 }
 
+.main-header .nav-link,
+.main-header .nav-link:hover {
+    color: white;
+}
+
 .main-header .navbar-toggler {
     border: 1px solid #ddd;
 }