Skip to content

Commit

Permalink
Merge pull request #418 from supertokens/fix/always_clear_in_401_refr…
Browse files Browse the repository at this point in the history
…eshes

test: move the session object and claims to the BE sdk server
  • Loading branch information
rishabhpoddar authored Jul 9, 2024
2 parents 9284b83 + 06107f0 commit a2a34b7
Show file tree
Hide file tree
Showing 4 changed files with 32 additions and 18 deletions.
6 changes: 6 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [unreleased]

## [0.22.1] - 2024-07-09

### Changes

- `refreshPOST` and `RefreshSession` now clears all user tokens upon CSRF failures and if no tokens are found. See the latest comment on https://github.com/supertokens/supertokens-node/issues/141 for more details.

## [0.22.0] - 2024-06-24

### Breaking change
Expand Down
38 changes: 23 additions & 15 deletions recipe/emailpassword/authMode_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1145,14 +1145,14 @@ func TestRefreshTokenBehaviour(t *testing.T) {
setTokens string
clearedTokens string
}{
{getTokenTransferMethodRes: "any", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none"},
{getTokenTransferMethodRes: "header", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none"},
{getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none"},
{getTokenTransferMethodRes: "any", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both"},
{getTokenTransferMethodRes: "header", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both"},
{getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both"},
{getTokenTransferMethodRes: "any", authHeader: false, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "none"},
{getTokenTransferMethodRes: "header", authHeader: false, authCookie: true, output: "unauthorised", setTokens: "none", clearedTokens: "none"},
{getTokenTransferMethodRes: "header", authHeader: false, authCookie: true, output: "unauthorised", setTokens: "none", clearedTokens: "both"},
{getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "none"},
{getTokenTransferMethodRes: "any", authHeader: true, authCookie: false, output: "validateheader", setTokens: "headers", clearedTokens: "none"},
{getTokenTransferMethodRes: "header", authHeader: true, authCookie: false, output: "validateheader", setTokens: "headers", clearedTokens: "none"},
{getTokenTransferMethodRes: "header", authHeader: true, authCookie: false, output: "validateheader", setTokens: "headers", clearedTokens: "both"},
{getTokenTransferMethodRes: "cookie", authHeader: true, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none"},
{getTokenTransferMethodRes: "any", authHeader: true, authCookie: true, output: "validateheader", setTokens: "headers", clearedTokens: "cookies"},
{getTokenTransferMethodRes: "header", authHeader: true, authCookie: true, output: "validateheader", setTokens: "headers", clearedTokens: "cookies"},
Expand Down Expand Up @@ -1224,6 +1224,13 @@ func TestRefreshTokenBehaviour(t *testing.T) {
assert.Equal(t, refreshRes["accessTokenExpiry"], "Thu, 01 Jan 1970 00:00:00 GMT")
assert.Empty(t, refreshRes["sRefreshToken"])
assert.Equal(t, refreshRes["refreshTokenExpiry"], "Thu, 01 Jan 1970 00:00:00 GMT")
} else if behaviour.clearedTokens == "both" {
assert.Empty(t, refreshRes["accessTokenFromHeader"])
assert.Empty(t, refreshRes["refreshTokenFromHeader"])
assert.Empty(t, refreshRes["sAccessToken"])
assert.Equal(t, refreshRes["accessTokenExpiry"], "Thu, 01 Jan 1970 00:00:00 GMT")
assert.Empty(t, refreshRes["sRefreshToken"])
assert.Equal(t, refreshRes["refreshTokenExpiry"], "Thu, 01 Jan 1970 00:00:00 GMT")
}

switch behaviour.setTokens {
Expand All @@ -1247,17 +1254,18 @@ func TestRefreshTokenBehaviour(t *testing.T) {
}
}

if behaviour.setTokens != "cookies" && behaviour.clearedTokens != "cookies" {
assert.Equal(t, refreshRes["sAccessToken"], "-not-present-")
assert.Equal(t, refreshRes["accessTokenExpiry"], "-not-present-")
assert.Equal(t, refreshRes["sRefreshToken"], "-not-present-")
assert.Equal(t, refreshRes["refreshTokenExpiry"], "-not-present-")
}
if behaviour.setTokens != "headers" && behaviour.clearedTokens != "headers" {
assert.Equal(t, refreshRes["accessTokenFromHeader"], "-not-present-")
assert.Equal(t, refreshRes["refreshTokenFromHeader"], "-not-present-")
if behaviour.setTokens != "both" {
if behaviour.setTokens != "cookies" && behaviour.clearedTokens != "cookies" {
assert.Equal(t, refreshRes["sAccessToken"], "-not-present-")
assert.Equal(t, refreshRes["accessTokenExpiry"], "-not-present-")
assert.Equal(t, refreshRes["sRefreshToken"], "-not-present-")
assert.Equal(t, refreshRes["refreshTokenExpiry"], "-not-present-")
}
if behaviour.setTokens != "headers" && behaviour.clearedTokens != "headers" {
assert.Equal(t, refreshRes["accessTokenFromHeader"], "-not-present-")
assert.Equal(t, refreshRes["refreshTokenFromHeader"], "-not-present-")
}
}

})

t.Run(fmt.Sprintf("behaviour %v with invalid token", behaviour), func(t *testing.T) {
Expand Down
4 changes: 2 additions & 2 deletions recipe/session/sessionRequestFunctions.go
Original file line number Diff line number Diff line change
Expand Up @@ -386,7 +386,7 @@ func RefreshSessionInRequest(req *http.Request, res http.ResponseWriter, config
False := false
return nil, errors.UnauthorizedError{
Msg: "Refresh token not found. Are you sending the refresh token in the request as a cookie?",
ClearTokens: &False,
ClearTokens: &True,
}
}

Expand All @@ -406,7 +406,7 @@ func RefreshSessionInRequest(req *http.Request, res http.ResponseWriter, config

if ridFromHeader == nil {
supertokens.LogDebugMessage("refreshSession: Returning UNAUTHORISED because custom header (rid) was not passed")
clearTokens := false
clearTokens := true
return nil, errors.UnauthorizedError{
Msg: "anti-csrf check failed. Please pass 'rid: \"session\"' header in the request.",
ClearTokens: &clearTokens,
Expand Down
2 changes: 1 addition & 1 deletion supertokens/constants.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ const (
)

// VERSION current version of the lib
const VERSION = "0.22.0"
const VERSION = "0.22.1"

var (
cdiSupported = []string{"3.0"}
Expand Down

0 comments on commit a2a34b7

Please sign in to comment.