final cleanup of csrf decoupling in #2854

- Renamed `SessionCSRFStoragePolicy` to `LegacySessionCSRFStoragePolicy` for
  the version that uses the legacy `ISession.get_csrf_token` and
  `ISession.new_csrf_token` apis and set that as the default.

- Added new `SessionCSRFStoragePolicy` that stores data in the session
  similar to how the `SessionAuthenticationPolicy` works.

- `CookieCSRFStoragePolicy` did not properly return the newly generated
  token from `get_csrf_token` after calling `new_csrf_token`. It needed
  to cache the new value since the response callback does not affect
  the current request.

- `CookieCSRFStoragePolicy` was not forwarding the `domain` value to the
  `CookieProfile` causing that setting to be ignored.

- Removed `check_csrf_token` from the `ICSRFStoragePolicy` interface
  to simplify implementations of storage policies.

- Added an introspectable item for the configured storage policy so that
  it appears on the debugtoolbar.

- Added a change note on `ISession` that it no longer required the csrf methods.

- Leave deprecated shims in ``pyramid.session`` for
``check_csrf_origin`` and ``check_csrf_token``.

1 files changed, 3 insertions, 0 deletions

diff --git a/docs/api/csrf.rst b/docs/api/csrf.rst
index f890ee660..38501546e 100644
--- a/docs/api/csrf.rst
+++ b/docs/api/csrf.rst
@@ -5,6 +5,9 @@
 
 .. automodule:: pyramid.csrf
 
+  .. autoclass:: LegacySessionCSRFStoragePolicy
+     :members:
+
   .. autoclass:: SessionCSRFStoragePolicy
      :members: