gotwebd login status and logout link
Stefan Sperling <stsp@stsp.name> wrote:
> Make gotwebd display the name of the logged in user, and add a link which
> can be clicked to log out (asking the browser to delete the auth cookie).

a nitpick is that GET should be idempotent, and so they can be cached,
so it'd be better for the logout to be a form that POSTs somewhere.
We don't actually have anything at the moment to deal with non-GET
requests so it's probably fine.

> ok?

just one nit regarding how cookies are deleted, otherwise yes, ok op@

> [...]
> --- gotwebd/auth.c
> +++ gotwebd/auth.c
> @@ -420,6 +420,69 @@ err:
> }
> }
>
> +static void
> +do_logout(struct request *c)
> +{
> [...]
> + /* Ask the browser to delete the authentication cookie. */
> + r = tp_writef(c->tp, "Clear-Site-Data: \"cookies\"\r\n");

this is a bit of a too big hammer for the job we're trying to do.
gotwebd might be running on the same domain as other software, and
deleting all the cookies seems a bit rude.

what we could do instead is setting the cookie to an invalid value and
with an expired date, like:

	Set-Cookie: gtdauth=invalid; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT

(actually, re-reading this i noticed that the fact that we're setting
Path=/ is even slightly wrong, should be the prefix where gotwebd is
actually running.)

> + if (r == -1) {
> + error = got_error_from_errno("tp_writef");
> + goto err;
> + }
> +
> + memset(&url, 0, sizeof(url));
> + url.action = INDEX;
> + gotweb_reply(c, 307, "text/html", &url);
> + return;
> +
> +err:
> + free(hostname);
> + hostname = NULL;
> +
> + log_warnx("%s: %s", __func__, error->msg);
> + c->t->error = error;
> + if (gotweb_reply(c, 400, "text/html", NULL) == -1)
> + return;
> + gotweb_render_page(c->tp, gotweb_render_error);
> +}
> +
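
Review bot: on the success path at the end of do_logout(), the function returns right after gotweb_reply(c, 307, ...) and never reaches free(hostname), which only runs under err:. If hostname is allocated in the elided part of the function, every successful logout leaks it; freeing it before the return, or falling through a shared cleanup label, would fix that. The return value of gotweb_reply() is also ignored for the 307 reply while the 400 reply checks it against -1, and 307 preserves the request method, so if logout later becomes a POST form a 303 would be the safer redirect.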
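
The per-cookie expiry suggested in the reply above, as an added example that is not part of the original mail or of gotwebd's code: it formats a header that expires only the `gtdauth` cookie under a given path prefix and rejects prefixes that could inject extra headers. The helper names and the `/gotweb/` prefix are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helpers for illustration; not part of gotwebd. */

/* A Path value must start with '/' and must not contain control characters
 * (CR/LF would inject headers), ';' (ends the attribute) or non-ASCII. */
static int
cookie_path_ok(const char *path)
{
	const unsigned char *p;

	if (path == NULL || path[0] != '/')
		return 0;
	for (p = (const unsigned char *)path; *p != '\0'; p++) {
		if (*p < 0x20 || *p >= 0x7f || *p == ';')
			return 0;
	}
	return 1;
}

/* Write a header that expires only the named cookie under the given prefix.
 * Returns the header length, or -1 on bad input or a too-small buffer. */
int
format_cookie_expiry(char *buf, size_t len, const char *name,
    const char *prefix)
{
	int r;

	if (name == NULL || name[0] == '\0' ||
	    strpbrk(name, "=;, \t\r\n") != NULL || !cookie_path_ok(prefix))
		return -1;
	r = snprintf(buf, len, "Set-Cookie: %s=invalid; Path=%s; "
	    "Expires=Thu, 01 Jan 1970 00:00:00 GMT\r\n", name, prefix);
	if (r < 0 || (size_t)r >= len)
		return -1;
	return r;
}

int
main(void)
{
	char hdr[256];

	/* "/gotweb/" is a constructed example prefix. */
	if (format_cookie_expiry(hdr, sizeof(hdr), "gtdauth", "/gotweb/") == -1)
		return 1;
	fputs(hdr, stdout);
	return 0;
}
```

A browser only replaces the cookie whose name and Path match, so the prefix passed here has to be the same one used when the auth cookie was issued.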