"Instant" logout when using Rodauth as middleware with Sinatra

[lukestuts]

I have been working on a minimal rodauth+sinatra demo and I have had trouble making an "instant" logout button.

By default, rodauth is handling the '/logout' route and displaying a simple page with a "Logout" button. I want to skip this.

I have done this by assigning the rodauth "interface" to a global as follows:

RODAUTH = []
class RodauthApp < Roda
  route do |r|
    r.rodauth

    # Force all users to login before accessing Ginatra
    rodauth.require_authentication
    RODAUTH[0] = rodauth
  end
end

def rodauth_logout
  RODAUTH[0].logout
end

Then I define this route in Sinatra:

get '/logout_instant' do
  rodauth_logout
  redirect '/'
end

This "works" but I wonder if there is a more elegant way to do it? I couldn't spot it easily from the docs?

[jeremyevans]

This is not supported by design as GET requests should not change state like this. Have your logout button submit a POST request to Rodauth's logout endpoint.

[lukestuts]

Thanks Jeremy! I've found it was not quite as simple as adding a button that submits a POST request.

After I changed this to a POST, I started getting a "Roda::RodaPlugins::RouteCsrf::InvalidToken at /logout" error. I initially worked around this as follows:

  plugin :rodauth do
    check_csrf? do
      if ["/login", "/logout"].include?(request.path)
        return false
      else
        super()
      end
    end
  end

However, I didn't want to leave it at that so I used my earlier RODAUTH[0] workaround to bring csrf_tag into scope in the view. My "working" single-click logout link now looks like this:

<form action="/logout" method="post">
  <%= RODAUTH[0].csrf_tag("/logout") %>
  <a onclick="this.closest('form').submit();return false;">Log Out</a>
</form>

Again, I'm not sure if there is a better way to accomplish this from a Sinatra app but it does work for me?

[jeremyevans]

That should work fine. I would change the link to a button (you can style the button as needed). No reason to purposely screw over users who have JavaScript disabled, and using onclick prevents use of a strong Content-Security-Policy.