refactor(a2): regenerate CSRF token after successful login

Author: declan-zhao

a2/resources.php

@@ -350,6 +350,14 @@ function login(&$request, &$response, &$db, &$pdo)
           $sessionid = $request->cookie("sessionid");
           $expires = new DateTime("+5 minutes");
           $expires = $expires->format(DateTimeInterface::ISO8601);
+          $csrf_token = trim(get_guid(), '{}');
+
+          $db->update_web_session_metadata_by_sessionid->execute(array(
+            'metadata' => $csrf_token,
+            'sessionid' => $sessionid,
+          ));
+
+          $response->set_token("csrf_token", $csrf_token);
 
           $db->create_or_update_user_session_info->execute(array(
             'sessionid' => $sessionid,

a2/server.php

@@ -57,6 +57,7 @@ public function __call($method, $arguments)
 // preflight
 $db->get_web_session_info_by_sessionid = $pdo->prepare("SELECT * FROM web_session WHERE sessionid = :sessionid");
 $db->update_web_session_info_by_sessionid = $pdo->prepare("UPDATE web_session SET expires = :expires WHERE sessionid = :sessionid");
+$db->update_web_session_metadata_by_sessionid = $pdo->prepare("UPDATE web_session SET metadata = :metadata WHERE sessionid = :sessionid");
 $db->create_web_session_info = $pdo->prepare("INSERT INTO web_session (sessionid, expires, metadata) VALUES (:sessionid, :expires, :metadata)");
 
 // signup