admin: avoid CSRF: use POST instead of GET, mainly for synchronisation methods

admin/api/certificate.go

@@ -23,7 +23,7 @@ func init() {
 	router.GET("/api/teams/:tid/certificate.p12", apiHandler(teamHandler(GetTeamCertificate)))
 	router.DELETE("/api/teams/:tid/certificate.p12", apiHandler(teamHandler(
 		func(team fic.Team, _ []byte) (interface{}, error) { return team.RevokeCert() })))
-	router.GET("/api/teams/:tid/certificate/generate", apiHandler(teamHandler(
+	router.POST("/api/teams/:tid/certificate/generate", apiHandler(teamHandler(
 		func(team fic.Team, _ []byte) (interface{}, error) { return team.GenerateCert() })))
 }