From ae83a744c3631b25940509db2c342eccac651b43 Mon Sep 17 00:00:00 2001
From: Oliver Byford <oliver.byford@digital.cabinet-office.gov.uk>
Date: Mon, 8 Oct 2018 15:54:05 +0100
Subject: [PATCH] Use form POST request when clearing session data
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This builds on the work done in #588.

Previously the ‘clear data’ feature used two GET requests – one to display the confirmation screen, and a second to actually clear the session data. This is not ideal because GET requests are meant to be nullipotent (to have no side effects), and links from the docs part of the kit were still pointing to the old URL, which bypassed the confirmation screen.

This adds a form to the confirmation screen which POSTs to itself (/prototype-admin/clear-data), and changes the old data-clearing route to match.
---
 app/views/layout.html                       |  2 +-
 lib/prototype-admin/clear-data-success.html | 23 ++++++++++++
 lib/prototype-admin/clear-data.html         | 39 ++++++++++++++-------
 lib/prototype-admin/clears-data.html        | 36 -------------------
 server.js                                   |  4 +--
 5 files changed, 52 insertions(+), 52 deletions(-)
 create mode 100644 lib/prototype-admin/clear-data-success.html
 delete mode 100644 lib/prototype-admin/clears-data.html

diff --git a/app/views/layout.html b/app/views/layout.html
index a4884221cd..f04a84127b 100644
--- a/app/views/layout.html
+++ b/app/views/layout.html
@@ -52,7 +52,7 @@
             text: "GOV.UK Prototype Kit " + releaseVersion
           },
           {
-            href: "/prototype-admin/clears-data",
+            href: "/prototype-admin/clear-data",
             text: "Clear data"
           }
         ]
diff --git a/lib/prototype-admin/clear-data-success.html b/lib/prototype-admin/clear-data-success.html
new file mode 100644
index 0000000000..14750f8484
--- /dev/null
+++ b/lib/prototype-admin/clear-data-success.html
@@ -0,0 +1,23 @@
+{% extends "layout.html" %}
+
+{% block pageTitle %}
+  Clear data
+{% endblock %}
+
+{% block content %}
+
+  <h1 class="govuk-heading-m">
+    Data cleared
+  </h1>
+
+  <p>
+    The session data has been cleared.
+  </p>
+
+  <p>
+    <a href="/">
+      Prototype home page
+    </a>
+  </p>
+
+{% endblock %}
diff --git a/lib/prototype-admin/clear-data.html b/lib/prototype-admin/clear-data.html
index 14750f8484..10d56395ee 100644
--- a/lib/prototype-admin/clear-data.html
+++ b/lib/prototype-admin/clear-data.html
@@ -1,23 +1,36 @@
+
 {% extends "layout.html" %}
 
 {% block pageTitle %}
-  Clear data
+  Clear data? | GOV.UK Prototype Kit
 {% endblock %}
 
-{% block content %}
+{% block beforeContent %}
+  {{ govukBackLink({
+      "text": "Back",
+      "href": "javascript: window.history.go(-1)"
+    }) 
+  }}
+{% endblock %}
 
-  <h1 class="govuk-heading-m">
-    Data cleared
-  </h1>
+{% block content %}
 
-  <p>
-    The session data has been cleared.
-  </p>
+<form method="post">
+  <div class="govuk-grid-row">
+    <div class="govuk-grid-column-two-thirds">
+      <h1 class="govuk-heading-xl">
+        Clear data?
+      </h1>
+      {{ govukWarningText({
+        text: "This will clear all of the data entered in this session",
+        iconFallbackText: "Warning"
+      }) }}
 
-  <p>
-    <a href="/">
-      Prototype home page
-    </a>
-  </p>
+      {{ govukButton({
+        text: "Clear the data"
+      }) }}
+    </div>
+  </div>
+</form>
 
 {% endblock %}
diff --git a/lib/prototype-admin/clears-data.html b/lib/prototype-admin/clears-data.html
deleted file mode 100644
index 0e6a77906b..0000000000
--- a/lib/prototype-admin/clears-data.html
+++ /dev/null
@@ -1,36 +0,0 @@
-
-{% extends "layout.html" %}
-
-{% block pageTitle %}
-  Clear data? | GOV.UK Prototype Kit
-{% endblock %}
-
-{% block beforeContent %}
-  {{ govukBackLink({
-      "text": "Back",
-      "href": "javascript: window.history.go(-1)"
-    }) 
-  }}
-{% endblock %}
-
-{% block content %}
-
-  <div class="govuk-grid-row">
-    <div class="govuk-grid-column-two-thirds">
-      <h1 class="govuk-heading-xl">
-        Clear data?
-      </h1>
-      {{ govukWarningText({
-        text: "This will clear all of the data entered in this session",
-        iconFallbackText: "Warning"
-      }) }}
-
-
-      {{ govukButton({
-        text: "Clear the data",
-        href: "/prototype-admin/clear-data"
-      }) }}
-    </div>
-</div>
-
-{% endblock %}
diff --git a/server.js b/server.js
index 1eb52695dc..17226fa63c 100644
--- a/server.js
+++ b/server.js
@@ -227,9 +227,9 @@ if (useAutoStoreData === 'true') {
 }
 
 // Clear all data in session if you open /prototype-admin/clear-data
-app.get('/prototype-admin/clear-data', function (req, res) {
+app.post('/prototype-admin/clear-data', function (req, res) {
   req.session.data = {}
-  res.render('prototype-admin/clear-data')
+  res.render('prototype-admin/clear-data-success')
 })
 
 // Redirect root to /docs when in promo mode.