sessions: reset csrf token listener

inveniosoftware · May 8, 2020 · 5d944cf · 5d944cf
1 parent c79fd75
commit 5d944cf
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/invenio_accounts/ext.py b/invenio_accounts/ext.py
@@ -31,7 +31,7 @@
 from .datastore import SessionAwareSQLAlchemyUserDatastore
 from .hash import InvenioAesEncryptedEmail, _to_binary
 from .models import Role, User
-from .sessions import login_listener, logout_listener
+from .sessions import csrf_token_reset, login_listener, logout_listener
 from .utils import obj_or_import_string, set_session_info
 
 
@@ -244,7 +244,9 @@ def init_config(self, app):
     def _enable_session_activity(self, app):
         """Enable session activity."""
         user_logged_in.connect(login_listener, app)
+        user_logged_in.connect(csrf_token_reset, app)
         user_logged_out.connect(logout_listener, app)
+        user_logged_out.connect(csrf_token_reset, app)
         from .views.settings import blueprint
         from .views.security import security, revoke_session
         blueprint.route('/security/', methods=['GET'])(security)

diff --git a/invenio_accounts/sessions.py b/invenio_accounts/sessions.py
@@ -107,6 +107,16 @@ def _commit(response=None):
         return response
 
 
+def csrf_token_reset(app, user):
+    """Connect to the user_logged_in signal to reset the csrf token.
+
+    :param app: The Flask application.
+    :param user: The :class:`invenio_accounts.models.User` instance.
+    """
+    from invenio_rest.csrf import reset_token
+    reset_token()
+
+
 def delete_session(sid_s):
     """Delete entries in the data- and kvsessionstore with the given sid_s.
 

diff --git a/setup.py b/setup.py
@@ -77,7 +77,7 @@
     'invenio-base>=1.2.2',
     'invenio-i18n>=1.2.0',
     'invenio-celery>=1.1.2',
-    'invenio-rest>=1.1.3',
+    'invenio-rest>=1.2.1',
     'maxminddb-geolite2>=2017.404',
     'passlib>=1.7.1',
     'pyjwt>=1.5.0',