From 15a6ce78623b3490f2800692685027bf4f7ffb9b Mon Sep 17 00:00:00 2001
From: furkansenharputlu
Date: Fri, 26 Apr 2024 15:59:02 +0300
Subject: [PATCH] fix: session required in signout

---
 CHANGELOG.md | 1 +
 recipe/emailpassword/authFlow_test.go | 6 +++---
 recipe/session/signout.go | 4 ++--
 recipe/thirdparty/signoutFeature_test.go | 6 +++---
 4 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1d398cd8..f1d503c4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - `session.CreateNewSession` now defaults to the value of the `st-auth-mode` header (if available) if the configured `config.GetTokenTransferMethod` returns `any`.
 - Enable smooth switching between `useDynamicAccessTokenSigningKey` settings by allowing refresh calls to change the signing key type of a session.
+- Make session required during signout.
 
 ## [0.17.5] - 2024-03-14
 
 - Adds a type uint64 to the `accessTokenCookiesExpiryDurationMillis` local variable in `recipe/session/utils.go`. It also removes the redundant `uint64` type forcing needed because of the untyped variable.
diff --git a/recipe/emailpassword/authFlow_test.go b/recipe/emailpassword/authFlow_test.go
index b2233c0a..42215638 100644
--- a/recipe/emailpassword/authFlow_test.go
+++ b/recipe/emailpassword/authFlow_test.go
@@ -1387,7 +1387,7 @@ func TestDefaultSignoutRouteRevokesSession(t *testing.T) {
 	assert.Equal(t, "", cookieData1["refreshTokenDomain"])
 }
 
-func TestCallingTheAPIwithoutSessionShouldReturnOk(t *testing.T) {
+func TestCallingTheAPIwithoutSessionShouldReturnUnauthorized(t *testing.T) {
 	configValue := supertokens.TypeInput{
 		Supertokens: &supertokens.ConnectionInfo{
 			ConnectionURI: "http://localhost:8080",
@@ -1442,8 +1442,8 @@ func TestCallingTheAPIwithoutSessionShouldReturnOk(t *testing.T) {
 		t.Error(err.Error())
 	}
 
-	assert.Equal(t, 200, res.StatusCode)
-	assert.Equal(t, "OK", data["status"])
+	assert.Equal(t, http.StatusUnauthorized, res.StatusCode)
+	assert.Empty(t, data["status"])
 	assert.Nil(t, req.Header["Cookie"])
 }
 
diff --git a/recipe/session/signout.go b/recipe/session/signout.go
index 88eefa4d..22178f90 100644
--- a/recipe/session/signout.go
+++ b/recipe/session/signout.go
@@ -27,9 +27,9 @@ func SignOutAPI(apiImplementation sessmodels.APIInterface, options sessmodels.AP
 		return nil
 	}
 
-	False := false
+	sessionRequired := true
 	sessionContainer, err := GetSessionFromRequest(options.Req, options.Res, options.Config, &sessmodels.VerifySessionOptions{
-		SessionRequired: &False,
+		SessionRequired: &sessionRequired,
 		OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
 			return []claims.SessionClaimValidator{}, nil
 		},
diff --git a/recipe/thirdparty/signoutFeature_test.go b/recipe/thirdparty/signoutFeature_test.go
index f1355a3b..b14b6aba 100644
--- a/recipe/thirdparty/signoutFeature_test.go
+++ b/recipe/thirdparty/signoutFeature_test.go
@@ -35,7 +35,7 @@ import (
 	"gopkg.in/h2non/gock.v1"
 )
 
-func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) {
+func TestThatCallingTheAPIwithoutASessionShouldReturnUnauthorized(t *testing.T) {
 	configValue := supertokens.TypeInput{
 		Supertokens: &supertokens.ConnectionInfo{
 			ConnectionURI: "http://localhost:8080",
@@ -80,7 +80,7 @@ func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) {
 	if err != nil {
 		t.Error(err.Error())
 	}
-	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 	dataInBytes, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
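Review bot: `assert.Empty(t, data["status"])` on the new side of the `@@ -1442,8 +1442,8 @@` hunk is a much weaker check than the removed `"OK"` assertion: it also passes when `data` is nil because the 401 body failed to decode, or when the body uses entirely different keys, so the test no longer pins what the signout route actually returns without a session. Assert on the body the unauthorised handler writes (its message field) rather than on the absence of `status`, or at minimum keep a direct `assert.NotEqual(t, "OK", data["status"])` alongside the status-code check. The same pattern appears in the `@@ -94,7 +94,7 @@` hunk of recipe/thirdparty/signoutFeature_test.go (`assert.Empty(t, response["status"])`). This file previously compared against the literal `200` and now references `http.StatusUnauthorized`, so `net/http` must already be imported here — the import block is outside the hunk and could not be confirmed. TestCallingTheAPIwithoutSessionShouldReturnUnauthorized starts before this hunk, so where `data` is decoded is not visible.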
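Review bot: The reason for flipping `SessionRequired` to true deserves a comment next to `sessionRequired := true` in the `@@ -27,9 +27,9 @@` hunk of recipe/session/signout.go, because the same options block still replaces the global claim validators with an empty list and a reader will wonder why the session must exist while its claims need not validate; suggest `// A session is required so that signout without credentials is rejected as unauthorised (see the signout tests); claim validators are skipped so a session whose claims no longer validate can still be signed out.` Given the updated tests expect a 401, `GetSessionFromRequest` presumably now surfaces an unauthorised error instead of a nil container, so if SignOutAPI still has a `sessionContainer == nil` branch further down it is likely dead and should be removed or turned into an explicit error. The CHANGELOG line could also state the client-visible effect (signout without a session now returns 401 rather than 200), since integrators relying on the old best-effort behaviour will see a change. SignOutAPI starts before this hunk and continues past it.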
@@ -94,7 +94,7 @@ func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) {
 		t.Error(err.Error())
 	}
 
-	assert.Equal(t, "OK", response["status"])
+	assert.Empty(t, response["status"])
 	assert.Equal(t, 0, len(resp.Cookies()))
 }