From bcff4d006a0600ecf86f18ecdaa74e0df31766f0 Mon Sep 17 00:00:00 2001
From: Daniel Hader
Date: Sat, 30 May 2026 12:59:21 -0500
Subject: hardened login / logout flow
---
 static/main.js | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
(limited to 'static/main.js')
diff --git a/static/main.js b/static/main.js
index da3a9d3..4af948a 100644
--- a/static/main.js
+++ b/static/main.js
@@ -2,18 +2,20 @@ async function me() {
     const response = await fetch("/me");
     if (response.ok) {
         const result = await response.json();
-        const span = document.getElementById("logged-in");
         // this is technically a XSS risk (TODO: deal with it)
         // in principle it only affects the person who chose their username, but...
-        span.innerHTML = `Logged in as ${result.username}`;
-        span.hidden = false;
+        document.getElementById("logged-in").innerHTML = `Logged in as ${result.username}`;
+        document.getElementById("logout-links").hidden = false;
     } else {
         document.getElementById("login-links").hidden = false;
-        console.log("not logged in? No cookie");
-        console.log(response);
     }
 }
 
+async function logout() {
+    const response = await fetch("/logout", {method: "post"});
+    window.location.reload();
+}
+
 async function fetch_problems() {
     const response = await fetch("/problem");
     if (!response.ok) {
--
cgit v1.2.3
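Review bot: The rewritten `logged-in` line still pushes `result.username` through `innerHTML`, so the XSS the comment directly above it acknowledges is carried into the hardened flow unchanged; assigning the text node instead closes it with identical visible output, `document.getElementById("logged-in").textContent = `Logged in as ${result.username}`;`, and the TODO comment can then go. In the new `logout()`, `response` is bound but never read and the page reloads even when `/logout` returned an error or the fetch rejected, so a failed logout is presented to the user as success; gate the reload with `if (!response.ok) { console.error("logout failed", response.status); return; }` or drop the unused binding if the outcome is deliberately ignored. The opening `async function me() {` line is outside the hunk and appears only in the hunk header context.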