From da7cb658df91bb573aeeb25601d117fa22179b45 Mon Sep 17 00:00:00 2001
From: Luc Didry <luc@didry.org>
Date: Oct 26 2018 14:03:21 +0000
Subject: Add CSRF token challenge on logout


---

diff --git a/CHANGELOG b/CHANGELOG
index 4be0081..35b9382 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -18,6 +18,7 @@ Revision history for Lufi
 	- MySQL support
 	- Display max size on upload page
 	- Add CSRF token challenge on login
+	- Add CSRF token challenge on logout
 
 0.02.2 2017-09-18
 	- Fix cron tasks bug
diff --git a/lib/Lufi.pm b/lib/Lufi.pm
index 57af3b6..3884830 100644
--- a/lib/Lufi.pm
+++ b/lib/Lufi.pm
@@ -112,7 +112,7 @@ sub startup {
           ->to('Auth#login');
 
         # Logout page
-        $r->get('/logout')
+        $r->post('/logout')
           ->to('Auth#log_out')
           ->name('logout');
     }
diff --git a/lib/Lufi/Controller/Auth.pm b/lib/Lufi/Controller/Auth.pm
index c7bddd1..6168309 100644
--- a/lib/Lufi/Controller/Auth.pm
+++ b/lib/Lufi/Controller/Auth.pm
@@ -35,7 +35,11 @@ sub log_out {
     my $c = shift;
 
     if ($c->is_user_authenticated) {
-        $c->logout;
+        if ($c->validation->csrf_protect->has_error('csrf_token')) {
+            $c->stash(msg => $c->l('Bad CSRF token.'));
+        } else {
+            $c->logout;
+        }
     }
     $c->render(template => 'logout');
 }
diff --git a/t/test.t b/t/test.t
index 10a5cc1..87c9f26 100644
--- a/t/test.t
+++ b/t/test.t
@@ -182,7 +182,15 @@ sub auth_test_suite {
     test_upload_file();
     test_download_file();
 
-    $t->get_ok('/logout')
+    my $token = '';
+
+    $t->post_ok('/logout' => form => { csrf_token => $token })
+      ->status_is(200)
+      ->content_like(qr@Bad CSRF token\.@);
+
+    $token = $t->ua->get('/')->res->dom->find('input[name="csrf_token"]')->first->attr('value');
+
+    $t->post_ok('/logout' => form => { csrf_token => $token })
       ->status_is(200)
       ->content_like(qr@You have been successfully logged out\.@);
 
diff --git a/themes/default/lib/Lufi/I18N/ca.po b/themes/default/lib/Lufi/I18N/ca.po
index 4221de6..3da48d3 100644
--- a/themes/default/lib/Lufi/I18N/ca.po
+++ b/themes/default/lib/Lufi/I18N/ca.po
@@ -48,7 +48,7 @@ msgstr "Un agraïment amb la foto d'un gatet a <a href=\"https://framasphere.org
 msgid "Abort"
 msgstr "Avorta"
 
-#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:71
+#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:76
 msgid "About"
 msgstr "Quant a"
 
@@ -73,6 +73,10 @@ msgstr "Retorna a la pàgina d'inici"
 msgid "Bad CSRF token!"
 msgstr "Mal testimoni CSRF!"
 
+#: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39
+msgid "Bad CSRF token."
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:5
 msgid "Click here to refresh the page and restart the download."
 msgstr "Premeu aquí per tal de refrescar la pàgina i reiniciar la descàrrega"
@@ -266,7 +270,7 @@ msgstr "Sembla que la clau a l'URL és incorrecta. Si us plau, verifiqueu l'URL.
 msgid "Javascript is disabled. You won't be able to use Lufi."
 msgstr "Teniu el javascript deactivat. No podreu usar Lufi."
 
-#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:63
+#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:68
 msgid "Language"
 msgstr ""
 
@@ -274,7 +278,7 @@ msgstr ""
 msgid "Login"
 msgstr "Entrada"
 
-#: themes/default/templates/layouts/default.html.ep:50 themes/default/templates/layouts/default.html.ep:73
+#: themes/default/templates/layouts/default.html.ep:53 themes/default/templates/layouts/default.html.ep:78
 msgid "Logout"
 msgstr "Sortida"
 
@@ -286,7 +290,7 @@ msgstr "Lufi és programari lliure d'allotjament de fitxers."
 msgid "Mail"
 msgstr ""
 
-#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:57
+#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:62
 msgid "My files"
 msgstr "Els meus fitxers"
 
@@ -316,7 +320,7 @@ msgstr "Si us plau contacteu amb l'administrador: %1"
 msgid "Please wait while we are getting your file. We first need to download and decrypt all parts before you can get it."
 msgstr "Si us plau, espereu mentre obtenim el fitxer. Abans que el tingueu disponible primer cal descarregar i desxifrar tots els trossos."
 
-#: lib/Lufi/Controller/Auth.pm:24
+#: lib/Lufi/Controller/Auth.pm:28
 msgid "Please, check your credentials or your right to access this service: unable to authenticate."
 msgstr ""
 
@@ -328,7 +332,7 @@ msgstr "Privacitat"
 msgid "Purge expired files from localStorage"
 msgstr "Netegeu els fitxers expirats de l'emmagatzematge local."
 
-#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:54
+#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:59
 msgid "Report file"
 msgstr ""
 
@@ -357,7 +361,7 @@ msgstr "S'està enviant el tros XX1 de XX2. Si us plau, paciència; la barra de 
 msgid "Share your files in total privacy on %1"
 msgstr "Compartiu fitxers amb total privacitat a %1"
 
-#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:59 themes/default/templates/login.html.ep:26 themes/default/templates/logout.html.ep:8
+#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:64 themes/default/templates/login.html.ep:27 themes/default/templates/logout.html.ep:17
 msgid "Signin"
 msgstr "Autenticació"
 
@@ -443,7 +447,7 @@ msgstr "No he pogut obtenir el comptador de %1. El testimoni no és vàlid."
 msgid "Unable to get counter for %1. You are not authenticated."
 msgstr "No he pogut obtenir el comptador de %1. No esteu autenticat."
 
-#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:56
+#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:61
 msgid "Upload files"
 msgstr "Pujar fitxers"
 
@@ -487,7 +491,7 @@ msgstr "Heu intentat deixar aquesta pàgina. Es canceŀlarà la descàrrega. N'e
 msgid "You have attempted to leave this page. The upload will be canceled. Are you sure?"
 msgstr "Heu intentat deixar aquesta pàgina. Es canceŀlarà la pujada. N'esteu segur?"
 
-#: themes/default/templates/logout.html.ep:5
+#: themes/default/templates/logout.html.ep:14
 msgid "You have been successfully logged out."
 msgstr "Heu sortit correctament."
 
diff --git a/themes/default/lib/Lufi/I18N/en.po b/themes/default/lib/Lufi/I18N/en.po
index 2677387..94c5344 100644
--- a/themes/default/lib/Lufi/I18N/en.po
+++ b/themes/default/lib/Lufi/I18N/en.po
@@ -45,7 +45,7 @@ msgstr ""
 msgid "Abort"
 msgstr ""
 
-#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:71
+#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:76
 msgid "About"
 msgstr ""
 
@@ -70,6 +70,10 @@ msgstr ""
 msgid "Bad CSRF token!"
 msgstr ""
 
+#: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39
+msgid "Bad CSRF token."
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:5
 msgid "Click here to refresh the page and restart the download."
 msgstr ""
@@ -262,7 +266,7 @@ msgstr ""
 msgid "Javascript is disabled. You won't be able to use Lufi."
 msgstr ""
 
-#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:63
+#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:68
 msgid "Language"
 msgstr ""
 
@@ -270,7 +274,7 @@ msgstr ""
 msgid "Login"
 msgstr ""
 
-#: themes/default/templates/layouts/default.html.ep:50 themes/default/templates/layouts/default.html.ep:73
+#: themes/default/templates/layouts/default.html.ep:53 themes/default/templates/layouts/default.html.ep:78
 msgid "Logout"
 msgstr ""
 
@@ -282,7 +286,7 @@ msgstr ""
 msgid "Mail"
 msgstr ""
 
-#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:57
+#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:62
 msgid "My files"
 msgstr ""
 
@@ -312,7 +316,7 @@ msgstr ""
 msgid "Please wait while we are getting your file. We first need to download and decrypt all parts before you can get it."
 msgstr ""
 
-#: lib/Lufi/Controller/Auth.pm:24
+#: lib/Lufi/Controller/Auth.pm:28
 msgid "Please, check your credentials or your right to access this service: unable to authenticate."
 msgstr ""
 
@@ -324,7 +328,7 @@ msgstr ""
 msgid "Purge expired files from localStorage"
 msgstr ""
 
-#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:54
+#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:59
 msgid "Report file"
 msgstr ""
 
@@ -353,7 +357,7 @@ msgstr ""
 msgid "Share your files in total privacy on %1"
 msgstr ""
 
-#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:59 themes/default/templates/login.html.ep:26 themes/default/templates/logout.html.ep:8
+#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:64 themes/default/templates/login.html.ep:27 themes/default/templates/logout.html.ep:17
 msgid "Signin"
 msgstr ""
 
@@ -437,7 +441,7 @@ msgstr ""
 msgid "Unable to get counter for %1. You are not authenticated."
 msgstr ""
 
-#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:56
+#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:61
 msgid "Upload files"
 msgstr ""
 
@@ -481,7 +485,7 @@ msgstr ""
 msgid "You have attempted to leave this page. The upload will be canceled. Are you sure?"
 msgstr ""
 
-#: themes/default/templates/logout.html.ep:5
+#: themes/default/templates/logout.html.ep:14
 msgid "You have been successfully logged out."
 msgstr ""
 
diff --git a/themes/default/lib/Lufi/I18N/fr.po b/themes/default/lib/Lufi/I18N/fr.po
index 2616885..5dd8b0e 100644
--- a/themes/default/lib/Lufi/I18N/fr.po
+++ b/themes/default/lib/Lufi/I18N/fr.po
@@ -47,7 +47,7 @@ msgstr "Un merci avec une photo de chaton sur <a href=\"https://framasphere.org/
 msgid "Abort"
 msgstr "Abandonner"
 
-#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:71
+#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:76
 msgid "About"
 msgstr "À propos"
 
@@ -72,6 +72,10 @@ msgstr "Retour à la page d’accueil"
 msgid "Bad CSRF token!"
 msgstr "Mauvais jeton CSRF !"
 
+#: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39
+msgid "Bad CSRF token."
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:5
 msgid "Click here to refresh the page and restart the download."
 msgstr "Cliquez ici pour rafraîchir la page et redémarrer le téléchargement."
@@ -264,7 +268,7 @@ msgstr "Il semble que la clé dans votre URL soit incorrecte. Veuillez vérifier
 msgid "Javascript is disabled. You won't be able to use Lufi."
 msgstr "Javascript est désactivé. Lufi ne fonctionnera pas."
 
-#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:63
+#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:68
 msgid "Language"
 msgstr "Langue"
 
@@ -272,7 +276,7 @@ msgstr "Langue"
 msgid "Login"
 msgstr "Identifiant"
 
-#: themes/default/templates/layouts/default.html.ep:50 themes/default/templates/layouts/default.html.ep:73
+#: themes/default/templates/layouts/default.html.ep:53 themes/default/templates/layouts/default.html.ep:78
 msgid "Logout"
 msgstr "Déconnexion"
 
@@ -284,7 +288,7 @@ msgstr "Lufi est un logiciel libre d’hébergement de fichiers."
 msgid "Mail"
 msgstr "Mail"
 
-#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:57
+#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:62
 msgid "My files"
 msgstr "Mes fichiers"
 
@@ -314,7 +318,7 @@ msgstr "Veuillez contacter l’administrateur : %1"
 msgid "Please wait while we are getting your file. We first need to download and decrypt all parts before you can get it."
 msgstr "Veuillez patientez pendant la récupération de votre fichier. Nous devons d’abord récupérer et déchiffrer tous les fragments avant que vous puissiez le télécharger."
 
-#: lib/Lufi/Controller/Auth.pm:24
+#: lib/Lufi/Controller/Auth.pm:28
 msgid "Please, check your credentials or your right to access this service: unable to authenticate."
 msgstr "Veuillez vérifier vos identifiants ou votre droit d’accès à ce service : impossible de vous authentifier."
 
@@ -326,7 +330,7 @@ msgstr "Confidentialité"
 msgid "Purge expired files from localStorage"
 msgstr "Supprimer du localStorage les fichiers expirés"
 
-#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:54
+#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:59
 msgid "Report file"
 msgstr "Signaler un fichier"
 
@@ -355,7 +359,7 @@ msgstr "Envoi du fragment XX1 sur XX2. Veuillez patienter, la barre de progressi
 msgid "Share your files in total privacy on %1"
 msgstr "Partagez vos fichiers en toute confidentialité sur %1"
 
-#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:59 themes/default/templates/login.html.ep:26 themes/default/templates/logout.html.ep:8
+#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:64 themes/default/templates/login.html.ep:27 themes/default/templates/logout.html.ep:17
 msgid "Signin"
 msgstr "Connexion"
 
@@ -443,7 +447,7 @@ msgstr "Impossible de récupérer le compteur pour %1. Le jeton est invalide."
 msgid "Unable to get counter for %1. You are not authenticated."
 msgstr "Impossible de récupérer le compteur pour %1. Vous n’êtes pas connecté·e."
 
-#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:56
+#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:61
 msgid "Upload files"
 msgstr "Envoyer des fichiers"
 
@@ -487,7 +491,7 @@ msgstr "Vous essayez de quitter la page. Le téléchargement sera annulé. Êtes
 msgid "You have attempted to leave this page. The upload will be canceled. Are you sure?"
 msgstr "Vous essayez de quitter la page. L’envoi sera annulé. Êtes-vous sûr(e) ?"
 
-#: themes/default/templates/logout.html.ep:5
+#: themes/default/templates/logout.html.ep:14
 msgid "You have been successfully logged out."
 msgstr "Vous avez été déconnecté·e avec succès."
 
diff --git a/themes/default/lib/Lufi/I18N/it.po b/themes/default/lib/Lufi/I18N/it.po
index 1d32a15..36ef7cc 100644
--- a/themes/default/lib/Lufi/I18N/it.po
+++ b/themes/default/lib/Lufi/I18N/it.po
@@ -47,7 +47,7 @@ msgstr "Un grazie con una foto di un gattino sur <a href=\"https://framasphere.o
 msgid "Abort"
 msgstr "Annulla"
 
-#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:71
+#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:76
 msgid "About"
 msgstr "A proposito"
 
@@ -72,6 +72,10 @@ msgstr "Ritorna all'homepage"
 msgid "Bad CSRF token!"
 msgstr "Token CSRF errato!"
 
+#: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39
+msgid "Bad CSRF token."
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:5
 msgid "Click here to refresh the page and restart the download."
 msgstr "Click qui per aggiornare la pagina e ricominciare il download."
@@ -264,7 +268,7 @@ msgstr "Sembra che la chiave nel tuo URL sia errata. Controllare il tuo URL."
 msgid "Javascript is disabled. You won't be able to use Lufi."
 msgstr "Javascript è disattivato. Lufi non può funzionare."
 
-#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:63
+#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:68
 msgid "Language"
 msgstr ""
 
@@ -272,7 +276,7 @@ msgstr ""
 msgid "Login"
 msgstr "Login"
 
-#: themes/default/templates/layouts/default.html.ep:50 themes/default/templates/layouts/default.html.ep:73
+#: themes/default/templates/layouts/default.html.ep:53 themes/default/templates/layouts/default.html.ep:78
 msgid "Logout"
 msgstr "Logout"
 
@@ -284,7 +288,7 @@ msgstr "Lufi è un software libero di file hosting."
 msgid "Mail"
 msgstr ""
 
-#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:57
+#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:62
 msgid "My files"
 msgstr "I miei file"
 
@@ -314,7 +318,7 @@ msgstr "Contattare l'amministratore : %1"
 msgid "Please wait while we are getting your file. We first need to download and decrypt all parts before you can get it."
 msgstr "Attendere mentre otteniamo il vostro file. Dobbiamo prima scaricare e decifrare tutte le parti prima che possiate averlo."
 
-#: lib/Lufi/Controller/Auth.pm:24
+#: lib/Lufi/Controller/Auth.pm:28
 msgid "Please, check your credentials or your right to access this service: unable to authenticate."
 msgstr ""
 
@@ -326,7 +330,7 @@ msgstr "Riservatezza"
 msgid "Purge expired files from localStorage"
 msgstr "Eliminare dal localStorage i file scaduti"
 
-#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:54
+#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:59
 msgid "Report file"
 msgstr ""
 
@@ -359,7 +363,7 @@ msgstr "Invio della parte XX1 su XX2. Prego attendere, la barra di avanzamento p
 msgid "Share your files in total privacy on %1"
 msgstr "Condividi tutti i file in totale riservatezza su %1"
 
-#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:59 themes/default/templates/login.html.ep:26 themes/default/templates/logout.html.ep:8
+#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:64 themes/default/templates/login.html.ep:27 themes/default/templates/logout.html.ep:17
 msgid "Signin"
 msgstr "Autenticazione"
 
@@ -447,7 +451,7 @@ msgstr "Impossibile recuperare il contatore per %1. Il token non è valido."
 msgid "Unable to get counter for %1. You are not authenticated."
 msgstr "Impossibile recuperare il contatore per %1. Non sei autenticato."
 
-#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:56
+#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:61
 msgid "Upload files"
 msgstr "Invio dei file"
 
@@ -491,7 +495,7 @@ msgstr "Hai cercato di uscire da questa pagina. Il download sarà cancellato. Se
 msgid "You have attempted to leave this page. The upload will be canceled. Are you sure?"
 msgstr "Hai cercato di uscire da questa pagina. L'invio sarà cancellato. Sei sicuro?"
 
-#: themes/default/templates/logout.html.ep:5
+#: themes/default/templates/logout.html.ep:14
 msgid "You have been successfully logged out."
 msgstr "Logout avvenuto con successo."
 
diff --git a/themes/default/lib/Lufi/I18N/nl.po b/themes/default/lib/Lufi/I18N/nl.po
index 6809861..61f6c5e 100644
--- a/themes/default/lib/Lufi/I18N/nl.po
+++ b/themes/default/lib/Lufi/I18N/nl.po
@@ -34,7 +34,7 @@ msgstr "Een bedankt foto met een katje op <a href=\"https://framasphere.org/peop
 msgid "Abort"
 msgstr "Annuleren"
 
-#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:71
+#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:76
 msgid "About"
 msgstr "Over"
 
@@ -59,6 +59,10 @@ msgstr "Terug naar home"
 msgid "Bad CSRF token!"
 msgstr "Verkeerde CSRF token!"
 
+#: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39
+msgid "Bad CSRF token."
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:5
 msgid "Click here to refresh the page and restart the download."
 msgstr "Klik hier om de pagina te verversen en opnieuw te downloaden."
@@ -251,7 +255,7 @@ msgstr "Het lijkt er op dat de sleutel in je URL niet klopt. Controleer je URL."
 msgid "Javascript is disabled. You won't be able to use Lufi."
 msgstr "Javascript is uitgeschakeld. Je kan geen gebruik maken van Lufi."
 
-#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:63
+#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:68
 msgid "Language"
 msgstr ""
 
@@ -259,7 +263,7 @@ msgstr ""
 msgid "Login"
 msgstr "Login"
 
-#: themes/default/templates/layouts/default.html.ep:50 themes/default/templates/layouts/default.html.ep:73
+#: themes/default/templates/layouts/default.html.ep:53 themes/default/templates/layouts/default.html.ep:78
 msgid "Logout"
 msgstr "Logout"
 
@@ -271,7 +275,7 @@ msgstr "Lufi is een gratis bestand hosting software."
 msgid "Mail"
 msgstr ""
 
-#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:57
+#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:62
 msgid "My files"
 msgstr "Mijn bestanden"
 
@@ -301,7 +305,7 @@ msgstr "Neem contact op met administrator: %1"
 msgid "Please wait while we are getting your file. We first need to download and decrypt all parts before you can get it."
 msgstr "Een ogenblik geduld, we pakken je bestand er bij. We moeten alle delen downloaden en decrypten voordat je het kan downloaden."
 
-#: lib/Lufi/Controller/Auth.pm:24
+#: lib/Lufi/Controller/Auth.pm:28
 msgid "Please, check your credentials or your right to access this service: unable to authenticate."
 msgstr ""
 
@@ -317,7 +321,7 @@ msgstr "Verwijder verlopen data"
 msgid "Register"
 msgstr "Registreer"
 
-#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:54
+#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:59
 msgid "Report file"
 msgstr ""
 
@@ -346,7 +350,7 @@ msgstr "Versturen deel XX1 van XX2. Een ogenblik geduld..."
 msgid "Share your files in total privacy on %1"
 msgstr "Deel je bestanden met volledige privacy op %1"
 
-#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:59 themes/default/templates/login.html.ep:26 themes/default/templates/logout.html.ep:8
+#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:64 themes/default/templates/login.html.ep:27 themes/default/templates/logout.html.ep:17
 msgid "Signin"
 msgstr "Inloggen"
 
@@ -430,7 +434,7 @@ msgstr "Kan geen teller verkrijgen voor %1. De token is ongeldig."
 msgid "Unable to get counter for %1. You are not authenticated."
 msgstr "Kan geen teller verkrijgen voor %1. Je bent niet geauthenticeerd."
 
-#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:56
+#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:61
 msgid "Upload files"
 msgstr "Upload bestanden"
 
@@ -474,7 +478,7 @@ msgstr "Je verlaat deze pagina. Download zal geannuleerd worden. Weet je het zek
 msgid "You have attempted to leave this page. The upload will be canceled. Are you sure?"
 msgstr "Je verlaat deze pagina. Upload zal geannuleerd worden. Weet je het zeker? "
 
-#: themes/default/templates/logout.html.ep:5
+#: themes/default/templates/logout.html.ep:14
 msgid "You have been successfully logged out."
 msgstr "Je bent succesvol uitgelogd."
 
diff --git a/themes/default/lib/Lufi/I18N/oc.po b/themes/default/lib/Lufi/I18N/oc.po
index df9b688..cba0af8 100644
--- a/themes/default/lib/Lufi/I18N/oc.po
+++ b/themes/default/lib/Lufi/I18N/oc.po
@@ -47,7 +47,7 @@ msgstr "Un mercé amb una fotografia de caton sus <a href=\"https://framasphere.
 msgid "Abort"
 msgstr "Anullar"
 
-#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:71
+#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:76
 msgid "About"
 msgstr "A prepaus"
 
@@ -72,6 +72,10 @@ msgstr "Retorn a la pagina d’acuèlh"
 msgid "Bad CSRF token!"
 msgstr "Marrit geton CSRF !"
 
+#: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39
+msgid "Bad CSRF token."
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:5
 msgid "Click here to refresh the page and restart the download."
 msgstr "Clicatz aquí per actualizar la pagina e tornar començar lo telecargament."
@@ -264,7 +268,7 @@ msgstr "Sembla que la clau dins vòstra URL siá incorrècta. Mercés de verific
 msgid "Javascript is disabled. You won't be able to use Lufi."
 msgstr "Javascript es desactivat. Lufi foncionarà pas."
 
-#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:63
+#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:68
 msgid "Language"
 msgstr "Lenga"
 
@@ -272,7 +276,7 @@ msgstr "Lenga"
 msgid "Login"
 msgstr "Identificant"
 
-#: themes/default/templates/layouts/default.html.ep:50 themes/default/templates/layouts/default.html.ep:73
+#: themes/default/templates/layouts/default.html.ep:53 themes/default/templates/layouts/default.html.ep:78
 msgid "Logout"
 msgstr "Desconnexion"
 
@@ -284,7 +288,7 @@ msgstr "Lufi es un logicial liure d’albèrgament de fichièrs."
 msgid "Mail"
 msgstr "Corrièl"
 
-#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:57
+#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:62
 msgid "My files"
 msgstr "Mos fichièrs"
 
@@ -314,7 +318,7 @@ msgstr "Mercés de contactar l’administrator : %1"
 msgid "Please wait while we are getting your file. We first need to download and decrypt all parts before you can get it."
 msgstr "Mercés d’esperar pendent la recuperacion de vòstre fichièr. Nos cal d’en primièr recuperar e deschifrar totes los fragaments abans que poscatz o telecargar."
 
-#: lib/Lufi/Controller/Auth.pm:24
+#: lib/Lufi/Controller/Auth.pm:28
 msgid "Please, check your credentials or your right to access this service: unable to authenticate."
 msgstr "Mercés de verificar vòstres identificants o vòstres dreches d’accès a aqueste servici : autentificacion impossibla."
 
@@ -330,7 +334,7 @@ msgstr "Confidencialitat"
 msgid "Purge expired files from localStorage"
 msgstr "Suprimir del localStorage los fichièrs expirats"
 
-#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:54
+#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:59
 msgid "Report file"
 msgstr "Senhalar un fichièr"
 
@@ -359,7 +363,7 @@ msgstr "Mandadís del fragment XX1 sus XX2. Pacientatz, la barra de progression 
 msgid "Share your files in total privacy on %1"
 msgstr "Partejatz vòstres fichièrs en tota confidencialitat sus %1"
 
-#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:59 themes/default/templates/login.html.ep:26 themes/default/templates/logout.html.ep:8
+#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:64 themes/default/templates/login.html.ep:27 themes/default/templates/logout.html.ep:17
 msgid "Signin"
 msgstr "Connexion"
 
@@ -447,7 +451,7 @@ msgstr "Impossible de recuperar lo comptador per %1. Lo geton es invalid."
 msgid "Unable to get counter for %1. You are not authenticated."
 msgstr "Impossible de recuperar lo comptador per %1. Sètz pas connectat·ada."
 
-#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:56
+#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:61
 msgid "Upload files"
 msgstr "Mandar de fichièrs"
 
@@ -491,7 +495,7 @@ msgstr "Ensajatz de partir de la pagina. Lo telecargament serà anullat. Sètz s
 msgid "You have attempted to leave this page. The upload will be canceled. Are you sure?"
 msgstr "Ensajatz de partir de la pagina. Lo mandadís serà anullat. Sètz segur-a ?"
 
-#: themes/default/templates/logout.html.ep:5
+#: themes/default/templates/logout.html.ep:14
 msgid "You have been successfully logged out."
 msgstr "Sètz ben estat desconnectat."
 
diff --git a/themes/default/lib/Lufi/I18N/pt.po b/themes/default/lib/Lufi/I18N/pt.po
index bd3a59f..165f918 100644
--- a/themes/default/lib/Lufi/I18N/pt.po
+++ b/themes/default/lib/Lufi/I18N/pt.po
@@ -48,7 +48,7 @@ msgstr "Um obrigado com a foto de um gatinho no <a href=\"https://framasphere.or
 msgid "Abort"
 msgstr "Interromper"
 
-#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:71
+#: themes/default/templates/layouts/default.html.ep:48 themes/default/templates/layouts/default.html.ep:76
 msgid "About"
 msgstr "Sobre"
 
@@ -73,6 +73,10 @@ msgstr "Voltar à página inicial"
 msgid "Bad CSRF token!"
 msgstr "Símbolo errado CSRF !"
 
+#: lib/Lufi/Controller/Auth.pm:22 lib/Lufi/Controller/Auth.pm:39
+msgid "Bad CSRF token."
+msgstr ""
+
 #: themes/default/templates/partial/render.js.ep:5
 msgid "Click here to refresh the page and restart the download."
 msgstr "Clique aqui para atualizar a página e começar o download."
@@ -273,7 +277,7 @@ msgstr "Parece que a chave do seu URL está incorreta.Por favor, verifique o seu
 msgid "Javascript is disabled. You won't be able to use Lufi."
 msgstr "Javascript está desativado. Lufi não funcionará."
 
-#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:63
+#: themes/default/templates/layouts/default.html.ep:40 themes/default/templates/layouts/default.html.ep:68
 msgid "Language"
 msgstr ""
 
@@ -281,7 +285,7 @@ msgstr ""
 msgid "Login"
 msgstr "Utilizador"
 
-#: themes/default/templates/layouts/default.html.ep:50 themes/default/templates/layouts/default.html.ep:73
+#: themes/default/templates/layouts/default.html.ep:53 themes/default/templates/layouts/default.html.ep:78
 msgid "Logout"
 msgstr "Encerrar sessão"
 
@@ -293,7 +297,7 @@ msgstr "Lufi é um programa de reserva gratuita (como na liberdade de expressão
 msgid "Mail"
 msgstr ""
 
-#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:57
+#: themes/default/templates/files.html.ep:3 themes/default/templates/layouts/default.html.ep:34 themes/default/templates/layouts/default.html.ep:62
 msgid "My files"
 msgstr "Meus ficheiros"
 
@@ -323,7 +327,7 @@ msgstr "Contacte o administrador: %1"
 msgid "Please wait while we are getting your file. We first need to download and decrypt all parts before you can get it."
 msgstr "Por favor aguarde durante a recuperação do seu ficheiro. Primeiro devemos recuperar e descodificar todos os fragmentos e depois poderá descarregar o ficheiro."
 
-#: lib/Lufi/Controller/Auth.pm:24
+#: lib/Lufi/Controller/Auth.pm:28
 msgid "Please, check your credentials or your right to access this service: unable to authenticate."
 msgstr ""
 
@@ -335,7 +339,7 @@ msgstr "Privacidade"
 msgid "Purge expired files from localStorage"
 msgstr "Apagar do localStorage os ficheiros expirados"
 
-#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:54
+#: themes/default/templates/layouts/default.html.ep:31 themes/default/templates/layouts/default.html.ep:59
 msgid "Report file"
 msgstr ""
 
@@ -364,7 +368,7 @@ msgstr "Envio do fragmento XX1 de XX2. Por favor aguarde, a barra de progressão
 msgid "Share your files in total privacy on %1"
 msgstr "Partilhe os seus ficheiros com toda a privacidade em %1"
 
-#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:59 themes/default/templates/login.html.ep:26 themes/default/templates/logout.html.ep:8
+#: themes/default/templates/layouts/default.html.ep:36 themes/default/templates/layouts/default.html.ep:64 themes/default/templates/login.html.ep:27 themes/default/templates/logout.html.ep:17
 msgid "Signin"
 msgstr "Conexão"
 
@@ -448,7 +452,7 @@ msgstr "Impossível recuperar o contador para %1. O símbolo é inválido."
 msgid "Unable to get counter for %1. You are not authenticated."
 msgstr "Impossível recuperar o contador para %1. Não está conectado."
 
-#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:56
+#: themes/default/templates/layouts/default.html.ep:33 themes/default/templates/layouts/default.html.ep:61
 msgid "Upload files"
 msgstr "Enviar os ficheiros"
 
@@ -496,7 +500,7 @@ msgstr "Está a tentar sair da página. O download será anulado. Tem a certeza?
 msgid "You have attempted to leave this page. The upload will be canceled. Are you sure?"
 msgstr "Está a tentar sair da página. O envio será anulado. Tem a certeza?"
 
-#: themes/default/templates/logout.html.ep:5
+#: themes/default/templates/logout.html.ep:14
 msgid "You have been successfully logged out."
 msgstr "Foi desconectado com sucesso."
 
diff --git a/themes/default/public/css/lufi.css b/themes/default/public/css/lufi.css
index 3120e76..7b96ea9 100644
--- a/themes/default/public/css/lufi.css
+++ b/themes/default/public/css/lufi.css
@@ -133,6 +133,13 @@ a.classic:focus {
     padding-left: 15px !important;
     padding-right: 15px !important;
 }
+nav .btn-flat {
+    color: #fff !important;
+    text-transform: initial !important;
+}
+nav .btn-flat:focus {
+    background-color: rgba(0,0,0,0.1) !important;
+}
 .white-background {
     background-color: #FFF;
 }
diff --git a/themes/default/templates/layouts/default.html.ep b/themes/default/templates/layouts/default.html.ep
index 99f6e69..8ba70c0 100644
--- a/themes/default/templates/layouts/default.html.ep
+++ b/themes/default/templates/layouts/default.html.ep
@@ -47,7 +47,12 @@
                     </li>
                     <li<%== ' class="active"' if (current_route eq 'about') %>><a href="<%= url_for('/about') %>"><%= l('About') %></a></li>
                 % if ((defined(config('ldap')) || defined(config('htpasswd'))) && is_user_authenticated()) {
-                    <li><a href="<%= url_for('/logout') %>"><%= l('Logout') %></a></li>
+                    <li>
+                        <form action="<%= url_for('/logout') %>" method="POST">
+                            %= csrf_field
+                            <button class="btn-flat" type="submit"><%= l('Logout') %></button>
+                        </form>
+                    </li>
                 % }
                 </ul>
                 <ul id="mobile" class="side-nav">
diff --git a/themes/default/templates/logout.html.ep b/themes/default/templates/logout.html.ep
index d8d8028..40dc187 100644
--- a/themes/default/templates/logout.html.ep
+++ b/themes/default/templates/logout.html.ep
@@ -1,4 +1,13 @@
 % # vim:set sw=4 ts=4 sts=4 ft=html.epl expandtab:
+% if (defined stash('msg')) {
+<div class="col s12">
+    <div class="card pink">
+        <div class="card-content white-text">
+            <strong><%= stash('msg') %></strong>
+        </div>
+    </div>
+</div>
+% } else {
 <div class="col s12">
     <div class="card blue-grey darken-1">
         <div class="card-content white-text">
@@ -9,3 +18,4 @@
         </div>
     </div>
 </div>
+% }