From 5c27f007a7c737c976b9f45dcdd61c002d54d87f Mon Sep 17 00:00:00 2001
From: Matthew White
Date: Thu, 20 Jul 2023 00:12:46 -0400
Subject: [PATCH] Clear __csrf cookie after logout (#927)

---
 lib/resources/sessions.js | 7 +++++--
 test/integration/api/sessions.js | 10 ++++++----
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/resources/sessions.js b/lib/resources/sessions.js
index 30406e3b3..b6e7738d3 100644
--- a/lib/resources/sessions.js
+++ b/lib/resources/sessions.js
@@ -52,12 +52,15 @@ module.exports = (service, endpoint) => {
 auth.canOrReject('session.end', session.actor)
 .then(() => Sessions.terminate(session))
 .then(() => (_, response) => {
- // revoke the cookie associated w the session, if the session was used to
+ // revoke the cookies associated w the session, if the session was used to
 // terminate itself.
 // TODO: repetitive w above.
- if (session.token === auth.session.map((s) => s.token).orNull())
+ if (session.token === auth.session.map((s) => s.token).orNull()) {
 response.cookie('__Host-session', 'null', { path: '/', expires: new Date(0),
 httpOnly: true, secure: true, sameSite: 'strict' });
+ response.cookie('__csrf', 'null', { expires: new Date(0),
+ secure: true, sameSite: 'strict' });
+ }
 
 return success;
 });
diff --git a/test/integration/api/sessions.js b/test/integration/api/sessions.js
index 885bc7fc4..505334e2b 100644
--- a/test/integration/api/sessions.js
+++ b/test/integration/api/sessions.js
@@ -195,7 +195,7 @@ describe('api: /sessions', () => {
 .then((token) => service.delete(`/v1/key/${token}/sessions/${token}`)
 .expect(403)))));
 
- it('should clear the cookie if successful for the current session', testService((service) =>
+ it('should clear cookies if successful for the current session', testService((service) =>
 service.post('/v1/sessions')
 .send({ email: 'alice@getodk.org', password: 'alice' })
 .expect(200)
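Review bot: The options passed to the new `response.cookie('__csrf', 'null', …)` call must mirror those used when `__csrf` is issued — a browser only replaces a cookie whose name, domain and path match, so any difference (for example a `domain` set at issue time, which the `__Host-` prefix rules out for the session cookie but not for `__csrf`) would leave the live token in place after logout; the issuing code is outside this hunk, so confirm it there. A comment would make the coupling explicit, e.g. `// must match the attributes used when __csrf is set, or the browser keeps the old cookie`, and the absence of `httpOnly` (presumably so client-side code can read the token) deserves the same treatment. The existing `TODO: repetitive w above` now covers two duplicated option objects; hoisting them into constants shared with the issuing path would make the match mechanical rather than manual. The enclosing handler begins before this hunk and the surrounding `module.exports` continues past it.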
@@ -206,12 +206,14 @@ describe('api: /sessions', () => {
 .set('Authorization', 'Bearer ' + token)
 .expect(200)
 .then(({ headers }) => {
- const cookie = headers['set-cookie'][0];
- cookie.should.match(/__Host-session=null/);
+ headers['set-cookie'].should.eql([
+ '__Host-session=null; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Strict',
+ '__csrf=null; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; SameSite=Strict'
+ ]);
 });
 })));
 
- it('should not clear the cookie if using some other session', testService((service) =>
+ it('should not clear cookies if using some other session', testService((service) =>
 service.post('/v1/sessions')
 .send({ email: 'alice@getodk.org', password: 'alice' })
 .expect(200)