What's the point of this route? Convenience for testing?

The button gets also changed to do a GET request by settinghref. As I understand it, a GET request is needed to also cleanly redirect the user to the external URL.

We could think about simplifying the "Sign out" button to just do a GET /user/logout always, to not have to check whether we have this new config setting.

Hmm I think we ought to keep the POST for compatibilty reasons. Some users may have special integrations with the POST route in their reverse proxy.

As I understand it, a GET request is needed to also cleanly redirect the user to the external URL.

If I understand HTTP correctly, one can also redirect in a POST response, can you try that? Logging out is a action that likely changes state on the server so a GET is semantically incorrect.

Thought that does present a challenge in the styling because we don't have CSS to style a button like a link. Could you show a screenshot of how this link currently looks?

after checking the code, maybe I know why you think post atcion can't be used for redirect action, first, we should comfirm curent logout steps: first do POST/logout by js, backed will response a json struct wich containredirect=xxxx, then js will call a speciall post action to/-/fetch-redirect with a form contain redirect link, then the backen will do a redirect.
ref:

but sadly, in current design,/-/fetch-redirect will will block link to ather service, maybe we can remove this block, or render a warning page with a link for it. /cc@wxiaoguang

but sadly, in current design,/-/fetch-redirect will will block link to ather service, maybe we can remove this block, or render a warning page with a link for it. /cc@wxiaoguang

No, the design is right. Otherwise "open redirect" security vulnerabilities.

You can allow more URL patterns which are known to be safe, but not remove it or bypass it.

Updated the PR so that the "Sign Out" link does an actual POST, please review.

It’s not recommended to use an event handler in this style.

I'm open to suggestions.@silverwind, you wrote:

inline<form> to trigger the POST and change the link to a button with type=submit, so it works without JS.
Thought that does present a challenge in the styling because we don't have CSS to style a button like a link.

Could you help with styling a button?

Yeah I guess I can take a look a bit later. We need to move the event handler to TS (inline scripts are a no-go for strict CSP) and do the styling.