Use HTTP POST for logout

[Alkarex]

To avoid potential CSRF risks

[Alkarex]

The font size for Logout in that menu is smaller than the rest. I am not sure why. Help welcome

[Alkarex]

In this PR, the logout is now a POST instead of GET to address a security issue, but I have only tested with Web form and not OpenID Connect.

@aaronschif if you are around, help welcome to test with ODIC the logout function you did in #5351

Ping a few others for test, as you may have different setups: @Hani-K, @UncleArya, @jasonajack, @mpalatsi, @ShaddyDC, @pando85 ... Thanks

P.S. To test this branch, if using Docker, you can modify your Docker Compose like so:

  freshrss:
    image: freshrss/freshrss:7489
    build:
      context: https://github.com/Alkarex/FreshRSS.git#post-logout
      dockerfile: Docker/Dockerfile
    ...

• https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/freshrss/docker-compose.yml
• https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/README.md#build-custom-docker-image

[UncleArya]

In this PR, the logout is now a POST instead of GET to address a security issue, but I have only tested with Web form and not OpenID Connect.

@aaronschif if you are around, help welcome to test with ODIC the logout function you did in #5351

Ping a few others for test, as you may have different setups: @Hani-K, @UncleArya, @jasonajack, @mpalatsi, @ShaddyDC, @pando85 ... Thanks

P.S. To test this branch, if using Docker, you can modify your Docker Compose like so:

  freshrss:
    image: freshrss/freshrss:7489
    build:
      context: https://github.com/Alkarex/FreshRSS.git#post-logout
      dockerfile: Docker/Dockerfile
    ...

• https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/freshrss/docker-compose.yml
• https://github.com/FreshRSS/FreshRSS/blob/edge/Docker/README.md#build-custom-docker-image

Just tested with the branch you mentioned. Logout worked as expected with my OIDC setup, no issues to report. Hope that helps.

[Alkarex]

Just tested with the branch you mentioned. Logout worked as expected with my OIDC setup, no issues to report. Hope that helps.

Thanks for the test @UncleArya . Do you know whether your logout endpoint has any protection against XSRF, for instance through a secret? This would be to avoid for instance an image coming from a feed, which address is the same than your OIDC logout

[Alkarex]

mod_auth_openidclogout documentation https://github.com/OpenIDC/mod_auth_openidc/wiki#9-how-do-i-logout-users

[Alkarex]

@UncleArya What happens when you click logout in your case? Are you immediately logged out, or do you have one more action to do?

[Inverle]

@Alkarex

The font size for Logout in that menu is smaller than the rest. I am not sure why. Help welcome

try adding:

button {
	font-family: OpenSans, Cantarell, Helvetica, Arial, sans-serif;
}

the hover animation isn't present anymore either so this is needed too:

button:hover .icon {
	filter: brightness(1.5);
	transition: 0.1s linear;
}

(changing a:hover .icon to button:hover .icon)

[Frenzie]

Don't forget about :focus with buttons. You generally want to get that in there the same as :hover.

[Alkarex]

Edits to the PR welcome 😉

[math-GH]

The font size for Logout in that menu is smaller than the rest. I am not sure why. Help welcome

I cannot reproduce it

[Alkarex]

I cannot reproduce it

In the menu on the left-hand side, not the one on the right-hand side

[Inverle]

Is the logout link supposed to be like this?
Only the text is clickable and it's not like the other links

[Alkarex]

@Inverle Could you please try again making sure to clear the browser cache? I cannot seem to reproduce the issue

[Inverle]

@Alkarex

Yes, it's still happening.
There is also this on the Swage theme (black text in logout button):

[Alkarex]

@Inverle Thanks. I was looking at another menu. Should be fixed by #7526
Tests welcome