From 8da82878d03bd0016290657249672d0e8d7e3107 Mon Sep 17 00:00:00 2001
From: HJ <92534363+hjvoid@users.noreply.github.com>
Date: Fri, 29 May 2026 10:14:59 +0100
Subject: [PATCH] Revert "PP-15376 session logout functionality"
---
 src/lib/auth.ts | 2 +-
 src/web/modules/layout/user_banner.njk | 12 ++----------
 src/web/router.js | 23 +++++------------------
 src/web/server.js | 5 -----
 4 files changed, 8 insertions(+), 34 deletions(-)
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index 4f8e350f9..92eb6d626 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -40,6 +40,6 @@ export function revokeSession(req: Request, res: Response, next: NextFunction) {
 logger.info(`Revoking session for user ${req.user && req.user.username}`)
 req.logout((err?: unknown) => {
 if (err) return next(err);
- res.redirect('/auth');
+ res.redirect('/');
 });
 }
diff --git a/src/web/modules/layout/user_banner.njk b/src/web/modules/layout/user_banner.njk
index f0f75011b..44562d843 100644
--- a/src/web/modules/layout/user_banner.njk
+++ b/src/web/modules/layout/user_banner.njk
@@ -13,18 +13,10 @@
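Review bot: In `src/lib/auth.ts`, `res.redirect('/')` sends a user who has just logged out to a route that `src/web/router.js` in this same patch registers behind `auth.secured(PermissionLevel.VIEW_ONLY)`, so the browser most likely re-enters the GitHub sign-in flow at once. What `auth.secured` does for an unauthenticated request, and whether GitHub asks again, are both outside this diff, but if sign-in completes silently the logout does not hold on a shared machine. If that is intended, record it at the call: `// '/' is behind auth.secured, so this restarts sign-in; redirect to an unauthenticated page if logout must stick`. The opening line of `revokeSession` appears only in the hunk header.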
{% else %} {% endif %} - +
\ No newline at end of file
diff --git a/src/web/router.js b/src/web/router.js
index 2852c1eb3..3ed9e974f 100644
--- a/src/web/router.js
+++ b/src/web/router.js
@@ -36,26 +36,13 @@ const router = express.Router()
 const storage = multer.memoryStorage()
 const upload = multer({storage})
-const {
- rateLimitMiddleware
-} = require('@govuk-pay/pay-js-commons/lib/utils/middleware/csp')
-
-router.get(
- '/auth',
- passport.authenticate('github', {
- scope: ['user:email'],
- prompt: 'consent',
- })
-);
-
+router.get('/auth', passport.authenticate('github'))
 router.get('/auth/github/callback', (req, res, next) => {
 passport.authenticate('github', {
 failureRedirect: '/auth/unauthorised',
- successRedirect:
- (req.session && req.session.authBlockedRedirectUrl) || '/',
- })(req, res, next);
-});
-
+ successRedirect: req.session && req.session.authBlockedRedirectUrl || '/'
+ })(req, res, next)
+})
 router.get('/auth/unauthorised', auth.unauthorised)
 router.get('/', auth.secured(PermissionLevel.VIEW_ONLY), landing.root)
@@ -203,7 +190,7 @@ router.post('/events/by_date', auth.secured(PermissionLevel.USER_SUPPORT), event
 router.get('/parity-checker', auth.secured(PermissionLevel.USER_SUPPORT), events.parityCheckerPage)
 router.post('/parity-checker', auth.secured(PermissionLevel.USER_SUPPORT), events.parityCheck)
-router.post('/logout', rateLimitMiddleware, auth.secured(PermissionLevel.VIEW_ONLY), auth.revokeSession)
+router.get('/logout', auth.secured(PermissionLevel.VIEW_ONLY), auth.revokeSession)
 router.get('/healthcheck', healthcheck.response)
diff --git a/src/web/server.js b/src/web/server.js
index 3b5638532..b5da8d8d6 100644
--- a/src/web/server.js
+++ b/src/web/server.js
@@ -65,11 +65,6 @@ function configureSecureHeaders(instance) {
 crossOriginResourcePolicy: { policy: "cross-origin" }
 }))
 instance.use(csurf())
-
- instance.use((req, res, next) => {
- res.locals.csrf = req.csrfToken()
- next()
- })
 }
 function configureRequestParsing(instance) {
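Review bot: In the first `src/web/router.js` hunk, `successRedirect: req.session && req.session.authBlockedRedirectUrl || '/'` now depends on `&&` binding tighter than `||`, and it hands the stored value to the post-login redirect without any check. Where `authBlockedRedirectUrl` is written is outside this diff; if it can ever hold something other than a local path, the callback redirects a freshly authenticated user off-site. Keep the parentheses and accept only same-site paths: `const target = req.session && req.session.authBlockedRedirectUrl` and then `successRedirect: (typeof target === 'string' && /^\/(?![\/\\])/.test(target)) ? target : '/'`.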
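Review bot: In the second `src/web/router.js` hunk, `router.get('/logout', ...)` puts a state-changing action on GET, which `csurf` skips by default, so a third-party page can end a signed-in user's session with nothing more than an embedded link or image, and link prefetching can do it by accident. The same line also drops `rateLimitMiddleware`. Keep the route as `router.post('/logout', rateLimitMiddleware, auth.secured(PermissionLevel.VIEW_ONLY), auth.revokeSession)` together with the `require` removed in the first hunk. The logout form then needs a CSRF token in the template, which the `res.locals.csrf` middleware removed from `src/web/server.js` in this patch used to supply.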