From 307b36fc913c7340aff460b8ceb7425e3c7304d0 Mon Sep 17 00:00:00 2001
From: Landon GB
Date: Mon, 27 Mar 2017 09:50:32 -0600
Subject: [PATCH] unset_jwt_cookies now removes csrf tokesn too
Practically, there isn't any security concerns by leaving them set. We don't do any verification on these cookies when they are sent to a protected endpoint, and if we generated new tokens the values in those cookies would be updated. This is just to make sure we are cleaning up after ourselfs (refs #34)
---
 flask_jwt_extended/utils.py | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
diff --git a/flask_jwt_extended/utils.py b/flask_jwt_extended/utils.py
index dc2eeb27..6479399e 100644
--- a/flask_jwt_extended/utils.py
+++ b/flask_jwt_extended/utils.py
@@ -455,4 +455,19 @@ def unset_jwt_cookies(response):
 secure=get_cookie_secure(),
 httponly=True,
 path=get_access_cookie_path())
+
+ if get_cookie_csrf_protect():
+ response.set_cookie(get_refresh_csrf_cookie_name(),
+ value='',
+ expires=0,
+ secure=get_cookie_secure(),
+ httponly=False,
+ path='/')
+ response.set_cookie(get_access_csrf_cookie_name(),
+ value='',
+ expires=0,
+ secure=get_cookie_secure(),
+ httponly=False,
+ path='/')
+
 return response
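Review bot: Both new `set_cookie` calls hard-code `path='/'` while the access cookie cleared just above uses `get_access_cookie_path()`, so the expiring CSRF cookies only match what the browser holds if the CSRF cookies are always issued on `/`; a browser only replaces a cookie when name, domain and path agree, so if the setter ever uses a different path these cookies survive the "unset" and the commit's cleanup goal is not met. Please either reuse whatever path (and domain, if any) the setter passes, or add a comment at the `if get_cookie_csrf_protect():` line stating that CSRF cookies are always set on `'/'` and must be cleared with the same attributes. The two calls differ only in the cookie name, so a single loop would also remove the duplication: `for name in (get_refresh_csrf_cookie_name(), get_access_csrf_cookie_name()):` followed by one `response.set_cookie(name, value='', expires=0, secure=get_cookie_secure(), httponly=False, path='/')`. `httponly=False` is the right choice here since the double-submit pattern needs the value to be readable by page scripts; a short comment saying so would save the next reader a question. The body of `unset_jwt_cookies` begins before this hunk, so the clearing of the refresh cookie is not visible here.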