Change logout to use POST instead of GET

Using GET for logging out isn't a very good idea, and can result in
external sites being able to log users out by including things like
<img src="https://tildes.net/logout">

This changes it to require a POST, and uses a form with its submit
button re-styled to look like the other text links in the menu.

tildes/scss/modules/_nav.scss

@@ -30,4 +30,16 @@
       text-decoration: underline;
     }
   }
+
+  .nav-item .btn-link {
+    height: auto;
+    font-size: 0.8rem;
+    font-weight: normal;
+    padding: 0.2rem 0.4rem;
+    border: 0;
+
+    &:hover {
+      text-decoration: underline;
+    }
+  }
 }

tildes/scss/modules/_sidebar.scss

@@ -23,6 +23,10 @@
       font-weight: normal;
     }
   }
+
+  .nav .btn-link {
+    width: auto;
+  }
 }
 
 .sidebar-controls {

tildes/tildes/templates/macros/user_menu.jinja2

@@ -71,7 +71,12 @@
           Settings
         </a>
       </li>
-      <li class="nav-item"><a href="/logout">Log out</a></li>
+      <li class="nav-item">
+        <form action="/logout" method="post">
+          <input type="hidden" name="csrf_token" value="{{ get_csrf_token() }}">
+          <button type="submit" class="btn btn-link">Log out</button>
+        </form>
+      </li>
     </ul>
   </ul>
 {% endmacro %}

tildes/tildes/views/login.py

@@ -124,8 +124,8 @@ def post_login_two_factor(request: Request, code: str) -> Response:
         raise HTTPUnauthorized(body="Invalid code, please try again.")
 
 
-@view_config(route_name="logout")
-def get_logout(request: Request) -> HTTPFound:
+@view_config(route_name="logout", request_method="POST")
+def post_logout(request: Request) -> HTTPFound:
     """Process a log out request."""
     request.session.invalidate()
     request.db_session.add(Log(LogEventType.USER_LOG_OUT, request))