From d12127e02d66c6aa8f8ffbf1b4a1ce377b049c25 Mon Sep 17 00:00:00 2001
From: Mark Calvert <markcalvert84@gmail.com>
Date: Wed, 30 Oct 2024 23:08:01 +0000
Subject: [PATCH] Refactor logout handling for CKAN version compatibility

---
 ckanext/saml2auth/plugin.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/ckanext/saml2auth/plugin.py b/ckanext/saml2auth/plugin.py
index 7a30368..8996e67 100644
--- a/ckanext/saml2auth/plugin.py
+++ b/ckanext/saml2auth/plugin.py
@@ -22,7 +22,6 @@
 from saml2 import entity
 
 from flask import session, redirect, make_response
-from flask_login import logout_user
 
 import ckan.plugins as plugins
 import ckan.plugins.toolkit as toolkit
@@ -35,6 +34,9 @@
 from ckanext.saml2auth import helpers as h
 from saml2.s_utils import UnsupportedBinding
 
+if toolkit.check_ckan_version(min_version="2.10"):
+    from flask_login import logout_user
+
 log = logging.getLogger(__name__)
 
 
@@ -104,8 +106,12 @@ def logout(self):
             domain = h.get_site_domain_for_cookie()
             # Clear session cookie in the browser
             response.set_cookie('ckan', domain=domain, expires=0)
-            # logout user from CKAN
-            logout_user()
+            if toolkit.check_ckan_version(min_version="2.10"):
+                # logout user from CKAN
+                logout_user()
+                field_name = toolkit.config.get("WTF_CSRF_FIELD_NAME")
+                if session.get(field_name):
+                    session.pop(field_name)
 
             if not toolkit.check_ckan_version(min_version="2.10"):
                 # CKAN <= 2.9.x also sets auth_tkt cookie