From bcff4d006a0600ecf86f18ecdaa74e0df31766f0 Mon Sep 17 00:00:00 2001
From: Daniel Hader
Date: Sat, 30 May 2026 12:59:21 -0500
Subject: hardened login / logout flow
---
 src/main.rs | 3 ++-
 src/routes/auth.rs | 6 ++++++
 static/index.html | 8 ++++++--
 static/login.html | 1 +
 static/login.js | 4 ++--
 static/main.js | 12 +++++++-----
 static/register.html | 1 +
 static/register.js | 2 +-
 8 files changed, 26 insertions(+), 11 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index 0fdd2fb..36ef319 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -10,7 +10,7 @@ use axum::{
 use routes::problem::{get_problems, create_problem};
 use routes::user::{create_user, me};
-use routes::auth::login;
+use routes::auth::{login, logout};
 use tower_http::services::ServeDir;
 use crate::database::Database;
@@ -41,6 +41,7 @@ async fn main() {
 let app = Router::new()
 .route("/login", post(login))
+ .route("/logout", post(logout))
 .route("/problem", get(get_problems))
 .route("/problem", post(create_problem))
 .route("/user", post(create_user))
diff --git a/src/routes/auth.rs b/src/routes/auth.rs
index 979e617..ab7a393 100644
--- a/src/routes/auth.rs
+++ b/src/routes/auth.rs
@@ -111,6 +111,12 @@ pub async fn login(
 Ok(jar.add(cookie))
 }
+pub async fn logout(
+ jar: CookieJar,
+) -> Result {
+ Ok(jar.remove(Cookie::from("token")))
+}
+
 #[cfg(test)]
 mod tests {
 use super::*;
diff --git a/static/index.html b/static/index.html
index 0cc6ec9..67a18aa 100644
--- a/static/index.html
+++ b/static/index.html
@@ -15,12 +15,16 @@ - + +
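Review bot: `jar.remove(Cookie::from("token"))` produces a removal cookie with default path and domain, and the browser only discards the stored token when those attributes match the cookie that `login` added; the `cookie` value built in `login` lies outside this hunk, so if it carries a non-default `path` or `domain` the token survives and logout silently does nothing. Build the removal cookie with `Cookie::build("token")` plus the same `.path(..)`/`.domain(..)` calls `login` uses, or factor one constructor that both handlers share so they cannot drift apart. Clearing the client-side cookie is also all this handler does; whether the token itself stays usable afterwards depends on how it is issued and checked, which is not visible here, so a doc comment such as `/// Asks the browser to drop the token cookie; does not revoke anything server-side.` would make that limit explicit for the next reader. `login` starts outside the hunk.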

C&! Code Golf Leaderboard

In normal golf, the goal is to get a ball into a hole in as few swings as possible. Code golf is similar, but instead of swings your success is measured in bytes of source code. The following page contains a list of programming challenges. Your task is, first and foremost, to try to solve them, but secondly you should try to do so with as short a program as possible.

-

There are no strict rules, choose whatever language you'd like and have fun with it. The goal is to get you coding and thinking. Some of the problems are challenging, especially the last few. Good luck!o

+

There are no strict rules, choose whatever language you'd like and have fun with it. The goal is to get you coding and thinking. Some of the problems are challenging, especially the last few. Good luck!

Problems

diff --git a/static/login.html b/static/login.html
index ba7e127..fc10aef 100644
--- a/static/login.html
+++ b/static/login.html
@@ -12,6 +12,7 @@
+ Home

C&! Code Golf Leaderboard

Login

diff --git a/static/login.js b/static/login.js
index ee135f8..42b3242 100644
--- a/static/login.js
+++ b/static/login.js
@@ -27,8 +27,8 @@ function init() {
 display_error(error.error);
 return;
 }
-
- //const result = await res.json();
+
+ window.location.href = "index.html";
 } catch (err) {
 console.log(err);
diff --git a/static/main.js b/static/main.js
index da3a9d3..4af948a 100644
--- a/static/main.js
+++ b/static/main.js
@@ -2,18 +2,20 @@ async function me() {
 const response = await fetch("/me");
 if (response.ok) {
 const result = await response.json();
- const span = document.getElementById("logged-in");
 // this is technically a XSS risk (TODO: deal with it)
 // in principle it only affects the person who chose their username, but...
- span.innerHTML = `Logged in as ${result.username}`;
- span.hidden = false;
+ document.getElementById("logged-in").innerHTML = `Logged in as ${result.username}`;
+ document.getElementById("logout-links").hidden = false;
 } else {
 document.getElementById("login-links").hidden = false;
- console.log("not logged in? No cookie");
- console.log(response);
 }
 }
+async function logout() {
+ const response = await fetch("/logout", {method: "post"});
+ window.location.reload();
+}
+
 async function fetch_problems() {
 const response = await fetch("/problem");
 if (!response.ok) {
diff --git a/static/register.html b/static/register.html
index 5d769a2..6483e6b 100644
--- a/static/register.html
+++ b/static/register.html
@@ -12,6 +12,7 @@
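Review bot: The added `logged-in` assignment in main.js still interpolates the user-chosen `result.username` into `.innerHTML`, which the TODO comment kept directly above it already flags as an XSS risk; the text carries no markup, so assigning it through `.textContent` instead of `.innerHTML` resolves that TODO in one line and the comment can then go. In the new `logout()`, `response` is bound but never read and the page reloads even when the `/logout` request fails, leaving the user on the same logged-in page with no indication of what happened; `if (response.ok) { window.location.reload(); }` with a fallback message on failure (the file's `display_error` pattern, if available here) keeps the outcome visible. The `async function me()` signature line sits just before the hunk.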
+ Home

C&! Code Golf Leaderboard

Register

diff --git a/static/register.js b/static/register.js
index 09175d6..48f787f 100644
--- a/static/register.js
+++ b/static/register.js
@@ -40,7 +40,7 @@ function init() {
 return;
 }
- window.location.href = "index.html"
+ window.location.href = "index.html";
 } catch (err) {
 console.log(err);
--
cgit v1.2.3