From 31ea48365f8ea92bf86e18a20cb7b8d9305d9adf Mon Sep 17 00:00:00 2001
From: Anders Pitman
Date: Sun, 11 Oct 2020 15:22:58 -0600
Subject: [PATCH] Use Post/Redirect/Get pattern for login
---
webui/login.tmpl | 2 +-
webui_handler.go | 5 ++---
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/webui/login.tmpl b/webui/login.tmpl
index 4c54d42..fc9f00e 100644
--- a/webui/login.tmpl
+++ b/webui/login.tmpl
@@ -19,7 +19,7 @@
-
+
diff --git a/webui_handler.go b/webui_handler.go
index 93f9ed0..1e718ee 100644
--- a/webui_handler.go
+++ b/webui_handler.go
@@ -226,8 +226,7 @@ func (h *WebUiHandler) handleTunnels(w http.ResponseWriter, r *http.Request) {
 func (h *WebUiHandler) handleLogin(w http.ResponseWriter, r *http.Request) {
- // Using GET requests to avoid form resubmission warnings in browsers
- if r.Method != "GET" {
+ if r.Method != "POST" {
 w.WriteHeader(405)
 w.Write([]byte("Invalid method for login"))
 }
@@ -247,7 +246,7 @@ func (h *WebUiHandler) handleLogin(w http.ResponseWriter, r *http.Request) {
 if h.auth.Authorized(token) {
 cookie := &http.Cookie{Name: "access_token", Value: token, Secure: true, HttpOnly: true}
 http.SetCookie(w, cookie)
- http.Redirect(w, r, "/", 307)
+ http.Redirect(w, r, "/", 303)
 } else {
 w.WriteHeader(401)
 w.Write([]byte("Invalid token"))
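Review bot: The method guard at the top of handleLogin writes the 405 but has no `return`, so a non-POST request still falls through to the rest of the function. The remainder of the body is outside this hunk, but the second hunk shows it goes on to call `h.auth.Authorized(token)`, so the restriction to POST is not actually enforced and token checks can presumably still be triggered by other methods. Add `return` after the `w.Write([]byte("Invalid method for login"))` line. While there, `http.MethodPost` and `http.StatusMethodNotAllowed` read better than the literals, and `w.Header().Set("Allow", http.MethodPost)` before `WriteHeader` tells clients which method is accepted.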
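Review bot: The `access_token` cookie built just above the changed redirect sets `Secure` and `HttpOnly` but no `SameSite`, so whether it is sent on cross-site requests is left to each browser's default. Since the cookie value is the token itself, it is worth pinning this explicitly, e.g. `cookie := &http.Cookie{Name: "access_token", Value: token, Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}` (or `http.SameSiteStrictMode` if the UI never needs cross-site navigation). On the changed line, `http.StatusSeeOther` would be clearer than the bare `303`. The surrounding if/else continues outside the hunk.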