unset_jwt_cookies now removes csrf tokesn too

vimalloc · vimalloc · commit 307b36fc913c · 2017-03-27T09:50:32.000-06:00
Practically, there isn't any security concerns by leaving them set. We don't do any verification on these cookies when they are sent to a protected endpoint, and if we generated new tokens the values in those cookies would be updated. This is just to make sure we are cleaning up after ourselfs (refs #34)
diff --git a/flask_jwt_extended/utils.py b/flask_jwt_extended/utils.py
@@ -455,4 +455,19 @@ def unset_jwt_cookies(response):
                         secure=get_cookie_secure(),
                         httponly=True,
                         path=get_access_cookie_path())
+
+    if get_cookie_csrf_protect():
+        response.set_cookie(get_refresh_csrf_cookie_name(),
+                            value='',
+                            expires=0,
+                            secure=get_cookie_secure(),
+                            httponly=False,
+                            path='/')
+        response.set_cookie(get_access_csrf_cookie_name(),
+                            value='',
+                            expires=0,
+                            secure=get_cookie_secure(),
+                            httponly=False,
+                            path='/')
+
     return response
