Added: Implementation of POST login and logout

README.rst

@@ -100,12 +100,30 @@ This will add these paths to Django:
 
 You can use them like this in your django templates:
 
+- GET (deprecated):
+
 .. code-block:: html
 
     <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
     <a href="{% url 'django_auth_adfs:login' %}">Login</a>
     <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
 
+- POST (recommended):
+
+.. code-block:: html
+
+    <form method="post" action="{% url 'django_auth_adfs:logout' %}">{% csrf_token %}
+        <button type="submit">Logout</button>
+    </form>
+    <form method="post" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
+        <input type="hidden" name="next" value="{{ next }}">
+        <button type="submit">Login</button>
+    </form>
+    <form method="post" action="{% url 'django_auth_adfs:login-no-sso' %}">{% csrf_token %}
+        <input type="hidden" name="next" value="{{ next }}">
+        <button type="submit">Login (no SSO)</button>
+    </form>
+
 Contributing
 ------------
 Contributions to the code are more then welcome.

django_auth_adfs/config.py

@@ -337,7 +337,11 @@ def build_authorization_endpoint(self, request, disable_sso=None, force_mfa=Fals
 
         """
         self.load_config()
-        redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
+        if request.method == 'POST':
+            redirect_to = request.POST.get(REDIRECT_FIELD_NAME, None)
+        else:
+            redirect_to = request.GET.get(REDIRECT_FIELD_NAME, None)
+            warnings.warn('GET is deprecated and will be removed in future versions. Please switch to POST for secure data transmission.', DeprecationWarning)
         if not redirect_to:
             redirect_to = django_settings.LOGIN_REDIRECT_URL
         redirect_to = base64.urlsafe_b64encode(redirect_to.encode()).decode()

django_auth_adfs/views.py

@@ -1,5 +1,6 @@
 import base64
 import logging
+import warnings
 
 from django.conf import settings as django_settings
 from django.contrib.auth import authenticate, login, logout
@@ -79,6 +80,16 @@ def get(self, request):
         """
         Initiates the OAuth2 flow and redirect the user agent to ADFS
 
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        warnings.warn('GET is deprecated and will be removed in future versions. Please switch to POST for secure data transmission.', DeprecationWarning)
+        return redirect(provider_config.build_authorization_endpoint(request))
+
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
         Args:
             request (django.http.request.HttpRequest): A Django Request object
         """
@@ -90,6 +101,16 @@ def get(self, request):
         """
         Initiates the OAuth2 flow and redirect the user agent to ADFS
 
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        warnings.warn('GET is deprecated and will be removed in future versions. Please switch to POST for secure data transmission.', DeprecationWarning)
+        return redirect(provider_config.build_authorization_endpoint(request, disable_sso=True))
+
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
         Args:
             request (django.http.request.HttpRequest): A Django Request object
         """
@@ -101,6 +122,16 @@ def get(self, request):
         """
         Initiates the OAuth2 flow and redirect the user agent to ADFS
 
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        warnings.warn('GET is deprecated and will be removed in future versions. Please switch to POST for secure data transmission.', DeprecationWarning)
+        return redirect(provider_config.build_authorization_endpoint(request, force_mfa=True))
+
+    def post(self, request):
+        """
+        Initiates the OAuth2 flow and redirect the user agent to ADFS
+
         Args:
             request (django.http.request.HttpRequest): A Django Request object
         """
@@ -112,6 +143,17 @@ def get(self, request):
         """
         Logs out the user from both Django and ADFS
 
+        Args:
+            request (django.http.request.HttpRequest): A Django Request object
+        """
+        warnings.warn('GET is deprecated and will be removed in future versions. Please switch to POST for secure data transmission.', DeprecationWarning)
+        logout(request)
+        return redirect(provider_config.build_end_session_endpoint())
+
+    def post(self, request):
+        """
+        Logs out the user from both Django and ADFS
+
         Args:
             request (django.http.request.HttpRequest): A Django Request object
         """

docs/install.rst

@@ -104,8 +104,26 @@ This will add these paths to Django:
 
 You can use them like this in your django templates:
 
+- GET (deprecated):
+
 .. code-block:: html
 
     <a href="{% url 'django_auth_adfs:logout' %}">Logout</a>
     <a href="{% url 'django_auth_adfs:login' %}">Login</a>
     <a href="{% url 'django_auth_adfs:login-no-sso' %}">Login (no SSO)</a>
+
+- POST (recommended):
+
+.. code-block:: html
+
+    <form method="post" action="{% url 'django_auth_adfs:logout' %}">{% csrf_token %}
+        <button type="submit">Logout</button>
+    </form>
+    <form method="post" action="{% url 'django_auth_adfs:login' %}">{% csrf_token %}
+        <input type="hidden" name="next" value="{{ next }}">
+        <button type="submit">Login</button>
+    </form>
+    <form method="post" action="{% url 'django_auth_adfs:login-no-sso' %}">{% csrf_token %}
+        <input type="hidden" name="next" value="{{ next }}">
+        <button type="submit">Login (no SSO)</button>
+    </form>