From 59ecc614c227628bbb33003e303c6d2f44a68ba3 Mon Sep 17 00:00:00 2001
From: Panagiotis Papadopoulos
Date: Sun, 12 Jan 2025 11:43:41 +0100
Subject: [PATCH] refactor: call logout route via JS required for csrf-csrf to correctly protect against CSRF, as it required the _csrf cookie AND the x-csrf-token HTTP header, the latter cannot be set via simple Form POST action using "../login" here, because "server" method is automatically prepending all paths with "/api", which we don't want here, as we want "/login"
---
 src/public/app/components/entrypoints.ts | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/src/public/app/components/entrypoints.ts b/src/public/app/components/entrypoints.ts
index b62cfdeb3..f75198cb7 100644
--- a/src/public/app/components/entrypoints.ts
+++ b/src/public/app/components/entrypoints.ts
@@ -114,11 +114,9 @@ export default class Entrypoints extends Component {
 utils.reloadFrontendApp();
 }
 
- logoutCommand() {
- const $logoutForm = $('
').append($(``));
-
- $("body").append($logoutForm);
- $logoutForm.trigger("submit");
+ async logoutCommand() {
+ await server.post("../logout");
+ window.location.replace(`/login`);
 }
 
 backInNoteHistoryCommand() {
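Review bot: A rejected `server.post("../logout")` in the new `logoutCommand` propagates out of the async handler unhandled, so a failed logout (a 403 on a CSRF token mismatch, a network error) gives the user no feedback while the session stays valid; only the success path reaches the redirect. Keeping the redirect conditional on success is right, but the failure should be caught and surfaced through the app's existing notification path instead of escaping the command. The relative `"../logout"` also deserves a comment, since it depends on the `/api` prefix that `server.post` prepends being cancelled by dot-segment normalization, which some reverse proxies and WAFs reject or rewrite: `// "../" escapes the "/api" prefix server.post() prepends; the target is POST /logout`. Whether `server.post` rejects on non-2xx responses is not visible here; if it resolves on a 403, the redirect would follow a logout that never took effect, so that is worth confirming.
```typescript
    async logoutCommand() {
        try {
            // "../" escapes the "/api" prefix server.post() prepends; the target is POST /logout
            await server.post("../logout");
        } catch (e: unknown) {
            // The session may still be valid: do not redirect as if logged out.
            // TODO(review): report through the app's notification helper.
            console.error("logout failed", e);
            return;
        }
        window.location.replace("/login");
    }
```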