fixes issue of refresh not clearing tokens

supertokens · Jul 9, 2024 · 090e29a · 090e29a
1 parent 2e992ae
commit 090e29a
Show file tree

Hide file tree

Showing 9 changed files with 37 additions and 24 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [18.0.2] - 2024-07-09
+
+-   `refreshPOST` and `refreshSession` now clears all user tokens upon CSRF failures and if no tokens are found. See the latest comment on https://github.com/supertokens/supertokens-node/issues/141 for more details.
+
 ## [18.0.1] - 2024-06-19
 
 ### Fixes

diff --git a/lib/build/recipe/session/sessionRequestFunctions.js b/lib/build/recipe/session/sessionRequestFunctions.js
@@ -257,7 +257,7 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
         throw new error_1.default({
             message: "Refresh token not found. Are you sending the refresh token in the request?",
             payload: {
-                clearTokens: false,
+                clearTokens: true,
             },
             type: error_1.default.UNAUTHORISED,
         });
@@ -280,7 +280,7 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
                 message: "anti-csrf check failed. Please pass 'rid: \"session\"' header in the request.",
                 type: error_1.default.UNAUTHORISED,
                 payload: {
-                    clearTokens: false, // see https://github.com/supertokens/supertokens-node/issues/141
+                    clearTokens: true, // see https://github.com/supertokens/supertokens-node/issues/141
                 },
             });
         }

diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts
diff --git a/lib/build/version.js b/lib/build/version.js
diff --git a/lib/ts/recipe/session/sessionRequestFunctions.ts b/lib/ts/recipe/session/sessionRequestFunctions.ts
@@ -314,7 +314,7 @@ export async function refreshSessionInRequest({
         throw new SessionError({
             message: "Refresh token not found. Are you sending the refresh token in the request?",
             payload: {
-                clearTokens: false,
+                clearTokens: true,
             },
             type: SessionError.UNAUTHORISED,
         });
@@ -338,7 +338,7 @@ export async function refreshSessionInRequest({
                 message: "anti-csrf check failed. Please pass 'rid: \"session\"' header in the request.",
                 type: SessionError.UNAUTHORISED,
                 payload: {
-                    clearTokens: false, // see https://github.com/supertokens/supertokens-node/issues/141
+                    clearTokens: true, // see https://github.com/supertokens/supertokens-node/issues/141
                 },
             });
         }

diff --git a/lib/ts/version.ts b/lib/ts/version.ts
@@ -12,7 +12,7 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-export const version = "18.0.1";
+export const version = "18.0.2";
 
 export const cdiSupported = ["5.0"];
 

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
     "name": "supertokens-node",
-    "version": "18.0.1",
+    "version": "18.0.2",
     "description": "NodeJS driver for SuperTokens core",
     "main": "index.js",
     "scripts": {

diff --git a/test/auth-modes.test.js b/test/auth-modes.test.js
@@ -893,15 +893,15 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
             describe("from behaviour table", () => {
                 // prettier-ignore
                 const behaviourTable = [
-                    { getTokenTransferMethodRes: "any", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" },
-                    { getTokenTransferMethodRes: "header", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" },
-                    { getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" },
+                    { getTokenTransferMethodRes: "any", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" },
+                    { getTokenTransferMethodRes: "header", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" },
+                    { getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" },
                     { getTokenTransferMethodRes: "any", authHeader: false, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "none" },
-                    { getTokenTransferMethodRes: "header", authHeader: false, authCookie: true, output: "unauthorised", setTokens: "none", clearedTokens: "none" }, // 5
+                    { getTokenTransferMethodRes: "header", authHeader: false, authCookie: true, output: "unauthorised", setTokens: "none", clearedTokens: "both" }, // 5
                     { getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "none" },
                     { getTokenTransferMethodRes: "any", authHeader: true, authCookie: false, output: "validateheader", setTokens: "headers", clearedTokens: "none" },
                     { getTokenTransferMethodRes: "header", authHeader: true, authCookie: false, output: "validateheader", setTokens: "headers", clearedTokens: "none" },
-                    { getTokenTransferMethodRes: "cookie", authHeader: true, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" }, // 9
+                    { getTokenTransferMethodRes: "cookie", authHeader: true, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" }, // 9
                     { getTokenTransferMethodRes: "any", authHeader: true, authCookie: true, output: "validateheader", setTokens: "headers", clearedTokens: "cookies" },
                     { getTokenTransferMethodRes: "header", authHeader: true, authCookie: true, output: "validateheader", setTokens: "headers", clearedTokens: "cookies" },
                     { getTokenTransferMethodRes: "cookie", authHeader: true, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "headers" }, // 12
@@ -964,6 +964,13 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
                             assert.strictEqual(refreshRes.accessTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
                             assert.strictEqual(refreshRes.refreshToken, "");
                             assert.strictEqual(refreshRes.refreshTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
+                        } else if (conf.clearedTokens === "both") {
+                            assert.strictEqual(refreshRes.accessTokenFromHeader, "");
+                            assert.strictEqual(refreshRes.refreshTokenFromHeader, "");
+                            assert.strictEqual(refreshRes.accessToken, "");
+                            assert.strictEqual(refreshRes.accessTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
+                            assert.strictEqual(refreshRes.refreshToken, "");
+                            assert.strictEqual(refreshRes.refreshTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
                         }
 
                         switch (conf.setTokens) {
@@ -985,15 +992,17 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
                                 }
                                 break;
                         }
-                        if (conf.setTokens !== "cookies" && conf.clearedTokens !== "cookies") {
-                            assert.strictEqual(refreshRes.accessToken, undefined);
-                            assert.strictEqual(refreshRes.accessTokenExpiry, undefined);
-                            assert.strictEqual(refreshRes.refreshToken, undefined);
-                            assert.strictEqual(refreshRes.refreshTokenExpiry, undefined);
-                        }
-                        if (conf.setTokens !== "headers" && conf.clearedTokens !== "headers") {
-                            assert.strictEqual(refreshRes.accessTokenFromHeader, undefined);
-                            assert.strictEqual(refreshRes.refreshTokenFromHeader, undefined);
+                        if (conf.clearedTokens !== "both") {
+                            if (conf.setTokens !== "cookies" && conf.clearedTokens !== "cookies") {
+                                assert.strictEqual(refreshRes.accessToken, undefined);
+                                assert.strictEqual(refreshRes.accessTokenExpiry, undefined);
+                                assert.strictEqual(refreshRes.refreshToken, undefined);
+                                assert.strictEqual(refreshRes.refreshTokenExpiry, undefined);
+                            }
+                            if (conf.setTokens !== "headers" && conf.clearedTokens !== "headers") {
+                                assert.strictEqual(refreshRes.accessTokenFromHeader, undefined);
+                                assert.strictEqual(refreshRes.refreshTokenFromHeader, undefined);
+                            }
                         }
                     });
                 }