How to generate a valid CSRF token in after_create_account?

[renchap]

In an app we want to create account in an SPA in addition to the usual forms.
We are using the create-account feature and, if the request is using JSON, we return the new CSRF token as part of the response so the SPA can continue to make requests to the app using this new token:

    after_create_account do
      json_response.merge!(
        csrfToken: rails_csrf_token,
      )

This is similar to what we were doing with Devise where we returned form_authenticity_token in the JSON response after creating the account.

But the token returned is not valid and the next request using this token results in an invalid token 422 error.

When I get the request.session[:_csrf_token] in a before_action and after_action, I can see that the session token is unset after create-account:

Started POST "/auth/create-account" for 127.0.0.1 at 2021-04-23 11:26:19 +0200
Before: DfMTy0kR4XTi61KHHTDP6zOdloE7xJ2NZeEuZg1ITcc=
After:

I am assuming the token is reset after after_create_account is executed but I am not really sure why.

Do you have any idea on how to get the propre token? My current alternative is to do a GET request to fetch a new token immediately after creating the account, but I would prefer to avoid this new request.

Started POST "/auth/create-account" for 127.0.0.1 at 2021-04-23 13:25:59 +0200
Before: w0NIuQS+yzYXzpxq3HiTHzcm4aRnjPnQmWQABV9ka9c=
After:
Started POST "/auth/check" for 127.0.0.1 at 2021-04-23 13:25:59 +0200
Processing by RodauthController#check as JSON
Before:
After: gDbV3Ju14I4A7oX6okxn9Z6yvGnxwi5EoM2fmNHJAuU=

As you can see, it looks like the token stored in the session is only generated during the call to the custom RodauthController#check action

[janko]

I'm not able to reproduce this behaviour in the official demo app, for me the CSRF token is present in after_create_account and correctly returned in the response. Do you think you could create a minimal Rails app that reproduces the issue?

I thought this might be related to Rodauth clearing the whole session when logging the user in (to prevent session fixation attacks), but the user is autologged in after after_create_account is called.

[renchap]

for me the CSRF token is present in after_create_account and correctly returned in the response

Yes it is returned, but is not valid if you try to use it.

but the user is autologged in after after_create_account is called

This would explain the behaviour I see (CSRF token is set in after_create_account, but is then reset), or did you mean "before"?

[janko]

Aha, understood. I think re-setting the CSRF token in #clear_session should do the trick:

clear_session do
  super()
  json_response.merge!(
    csrfToken: rails_csrf_token,
  )
end

[renchap]

It works indeed, thanks I had trouble finding our where exactly the token was being reset.