Clear __csrf cookie after logout (#927)

getodk · Jul 20, 2023 · 5c27f00 · 5c27f00
1 parent 19cc257
commit 5c27f00
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 6 deletions.
diff --git a/lib/resources/sessions.js b/lib/resources/sessions.js
@@ -52,12 +52,15 @@ module.exports = (service, endpoint) => {
     auth.canOrReject('session.end', session.actor)
       .then(() => Sessions.terminate(session))
       .then(() => (_, response) => {
-        // revoke the cookie associated w the session, if the session was used to
+        // revoke the cookies associated w the session, if the session was used to
         // terminate itself.
         // TODO: repetitive w above.
-        if (session.token === auth.session.map((s) => s.token).orNull())
+        if (session.token === auth.session.map((s) => s.token).orNull()) {
           response.cookie('__Host-session', 'null', { path: '/', expires: new Date(0),
             httpOnly: true, secure: true, sameSite: 'strict' });
+          response.cookie('__csrf', 'null', { expires: new Date(0),
+            secure: true, sameSite: 'strict' });
+        }
 
         return success;
       });

diff --git a/test/integration/api/sessions.js b/test/integration/api/sessions.js
@@ -195,7 +195,7 @@ describe('api: /sessions', () => {
           .then((token) => service.delete(`/v1/key/${token}/sessions/${token}`)
             .expect(403)))));
 
-    it('should clear the cookie if successful for the current session', testService((service) =>
+    it('should clear cookies if successful for the current session', testService((service) =>
       service.post('/v1/sessions')
         .send({ email: '[email protected]', password: 'alice' })
         .expect(200)
@@ -206,12 +206,14 @@ describe('api: /sessions', () => {
             .set('Authorization', 'Bearer ' + token)
             .expect(200)
             .then(({ headers }) => {
-              const cookie = headers['set-cookie'][0];
-              cookie.should.match(/__Host-session=null/);
+              headers['set-cookie'].should.eql([
+                '__Host-session=null; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict',
+                '__csrf=null; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Strict'
+              ]);
             });
         })));
 
-    it('should not clear the cookie if using some other session', testService((service) =>
+    it('should not clear cookies if using some other session', testService((service) =>
       service.post('/v1/sessions')
         .send({ email: '[email protected]', password: 'alice' })
         .expect(200)