fixes issues in sessionrequestfunction

recipe/session/sessionRequestFunctions.go

@@ -69,16 +69,27 @@ func CreateNewSessionInRequest(req *http.Request, res http.ResponseWriter, tenan
 	if err != nil {
 		return nil, err
 	}
-	isTopLevelWebsiteDomainIPAddress, err := supertokens.IsAnIPAddress(appInfo.TopLevelWebsiteDomain)
+
+	topLevelWebsiteDomain, err := appInfo.GetTopLevelWebsiteDomain(req, userContext)
+	if err != nil {
+		return nil, err
+	}
+
+	isTopLevelWebsiteDomainIPAddress, err := supertokens.IsAnIPAddress(topLevelWebsiteDomain)
+	if err != nil {
+		return nil, err
+	}
+
+	cookieSameSite, err := config.GetCookieSameSite(req, userContext)
 	if err != nil {
 		return nil, err
 	}
 
 	if outputTokenTransferMethod == sessmodels.CookieTransferMethod &&
-		config.CookieSameSite == "none" &&
+		cookieSameSite == "none" &&
 		!config.CookieSecure &&
 		!((appInfo.TopLevelAPIDomain == "localhost" || isTopLevelAPIDomainIPAddress) &&
-			(appInfo.TopLevelWebsiteDomain == "localhost" || isTopLevelWebsiteDomainIPAddress)) {
+			(topLevelWebsiteDomain == "localhost" || isTopLevelWebsiteDomainIPAddress)) {
 		// We can allow insecure cookie when both website & API domain are localhost or an IP
 		// When either of them is a different domain, API domain needs to have https and a secure cookie to work
 		return nil, defaultErrors.New("Since your API and website domain are different, for sessions to work, please use https on your apiDomain and dont set cookieSecure to false.")
@@ -192,8 +203,17 @@ func GetSessionFromRequest(req *http.Request, res http.ResponseWriter, config se
 		doAntiCsrfCheck = &False
 	}
 
-	if *doAntiCsrfCheck && config.AntiCsrf == AntiCSRF_VIA_CUSTOM_HEADER {
-		if config.AntiCsrf == AntiCSRF_VIA_CUSTOM_HEADER {
+	antiCsrf := config.AntiCsrfFunctionOrString.StrValue
+	if antiCsrf == "" {
+		antiCsrfTemp, err := config.AntiCsrfFunctionOrString.FunctionValue(req, userContext)
+		if err != nil {
+			return nil, err
+		}
+		antiCsrf = antiCsrfTemp
+	}
+
+	if *doAntiCsrfCheck && antiCsrf == AntiCSRF_VIA_CUSTOM_HEADER {
+		if antiCsrf == AntiCSRF_VIA_CUSTOM_HEADER {
 			if GetRidFromHeader(req) == nil {
 				supertokens.LogDebugMessage("getSession: Returning TRY_REFRESH_TOKEN because custom header (rid) was not passed")
 				return nil, errors.TryRefreshTokenError{
@@ -329,7 +349,16 @@ func RefreshSessionInRequest(req *http.Request, res http.ResponseWriter, config
 
 	antiCsrfToken := GetAntiCsrfTokenFromHeaders(req)
 	disableAntiCSRF := requestTokenTransferMethod == sessmodels.HeaderTransferMethod
-	if config.AntiCsrf == AntiCSRF_VIA_CUSTOM_HEADER && !disableAntiCSRF {
+	antiCsrf := config.AntiCsrfFunctionOrString.StrValue
+	if antiCsrf == "" {
+		antiCsrfTemp, err := config.AntiCsrfFunctionOrString.FunctionValue(req, userContext)
+		if err != nil {
+			return nil, err
+		}
+		antiCsrf = antiCsrfTemp
+	}
+
+	if antiCsrf == AntiCSRF_VIA_CUSTOM_HEADER && !disableAntiCSRF {
 		ridFromHeader := GetRidFromHeader(req)
 
 		if ridFromHeader == nil {

recipe/session/sessmodels/models.go

@@ -140,7 +140,7 @@ type TypeNormalisedInput struct {
 }
 
 type AntiCsrfFunctionOrString struct {
-	StrValue      *string
+	StrValue      string
 	FunctionValue func(request *http.Request, userContext supertokens.UserContext) (string, error)
 }
 

recipe/session/utils.go

@@ -58,7 +58,7 @@ func ValidateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 	}
 
 	cookieSameSite := func(request *http.Request, userContext supertokens.UserContext) (string, error) {
-		if config.CookieSameSite != nil {
+		if config != nil && config.CookieSameSite != nil {
 			return normaliseSameSiteOrThrowError(*config.CookieSameSite)
 		}
 		origin, err := appInfo.GetOrigin(request, userContext)
@@ -124,7 +124,11 @@ func ValidateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 			}
 			return AntiCSRF_NONE, nil
 		},
-		StrValue: config.AntiCsrf,
+	}
+	if config != nil && config.AntiCsrf != nil {
+		AntiCsrfFunctionOrString = sessmodels.AntiCsrfFunctionOrString{
+			StrValue: *config.AntiCsrf,
+		}
 	}
 
 	errorHandlers := sessmodels.NormalisedErrorHandlers{