diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3ca1cf00d..7a50aaa3c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]
+## [18.0.2] - 2024-07-09
+
+- `refreshPOST` and `refreshSession` now clears all user tokens upon CSRF failures and if no tokens are found. See the latest comment on https://github.com/supertokens/supertokens-node/issues/141 for more details.
+
 ## [18.0.1] - 2024-06-19
 ### Fixes
diff --git a/lib/build/recipe/session/sessionRequestFunctions.js b/lib/build/recipe/session/sessionRequestFunctions.js
index dac80fb8e..1d33897a7 100644
--- a/lib/build/recipe/session/sessionRequestFunctions.js
+++ b/lib/build/recipe/session/sessionRequestFunctions.js
@@ -257,7 +257,7 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
 throw new error_1.default({
 message: "Refresh token not found. Are you sending the refresh token in the request?",
 payload: {
- clearTokens: false,
+ clearTokens: true,
 },
 type: error_1.default.UNAUTHORISED,
 });
@@ -280,7 +280,7 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
 message: "anti-csrf check failed. Please pass 'rid: \"session\"' header in the request.",
 type: error_1.default.UNAUTHORISED,
 payload: {
- clearTokens: false, // see https://github.com/supertokens/supertokens-node/issues/141
+ clearTokens: true, // see https://github.com/supertokens/supertokens-node/issues/141
 },
 });
 }
diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts
index eb88f6222..f474cb1c6 100644
--- a/lib/build/version.d.ts
+++ b/lib/build/version.d.ts
@@ -1,4 +1,4 @@
 // @ts-nocheck
-export declare const version = "18.0.1";
+export declare const version = "18.0.2";
 export declare const cdiSupported: string[];
 export declare const dashboardVersion = "0.11";
diff --git a/lib/build/version.js b/lib/build/version.js
index 9ac2936c1..6a18a166d 100644
--- a/lib/build/version.js
+++ b/lib/build/version.js
@@ -15,7 +15,7 @@ exports.dashboardVersion = exports.cdiSupported = exports.version = void 0;
 * License for the specific language governing permissions and limitations
 * under the License.
 */
-exports.version = "18.0.1";
+exports.version = "18.0.2";
 exports.cdiSupported = ["5.0"];
 // Note: The actual script import for dashboard uses v{DASHBOARD_VERSION}
 exports.dashboardVersion = "0.11";
diff --git a/lib/ts/recipe/session/sessionRequestFunctions.ts b/lib/ts/recipe/session/sessionRequestFunctions.ts
index dbfe15051..de4c5b3bb 100644
--- a/lib/ts/recipe/session/sessionRequestFunctions.ts
+++ b/lib/ts/recipe/session/sessionRequestFunctions.ts
@@ -314,7 +314,7 @@ export async function refreshSessionInRequest({
 throw new SessionError({
 message: "Refresh token not found. Are you sending the refresh token in the request?",
 payload: {
- clearTokens: false,
+ clearTokens: true,
 },
 type: SessionError.UNAUTHORISED,
 });
@@ -338,7 +338,7 @@ export async function refreshSessionInRequest({
 message: "anti-csrf check failed. Please pass 'rid: \"session\"' header in the request.",
 type: SessionError.UNAUTHORISED,
 payload: {
- clearTokens: false, // see https://github.com/supertokens/supertokens-node/issues/141
+ clearTokens: true, // see https://github.com/supertokens/supertokens-node/issues/141
 },
 });
 }
diff --git a/lib/ts/version.ts b/lib/ts/version.ts
index fdbe1bd19..700fb6fdd 100644
--- a/lib/ts/version.ts
+++ b/lib/ts/version.ts
@@ -12,7 +12,7 @@
 * License for the specific language governing permissions and limitations
 * under the License.
 */
-export const version = "18.0.1";
+export const version = "18.0.2";
 export const cdiSupported = ["5.0"];
diff --git a/package-lock.json b/package-lock.json
index daf4f2610..a09dbd095 100644
--- a/package-lock.json
+++ b/package-lock.json
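Review bot: Both hunks in lib/ts/recipe/session/sessionRequestFunctions.ts flip `clearTokens` to `true`, but the only rationale left in the code is the `// see …/issues/141` pointer on the anti-csrf line, which until this commit justified the opposite value, so a reader of the new code cannot tell from the comment why the decision changed, and the changelog only defers to "the latest comment" on that thread. Replace the pointer with a comment that records the decision in-code, e.g. `clearTokens: true, // intentionally clears all tokens on anti-csrf failure (changed in 18.0.2, rationale in issue #141)`, and put the same note on the `Refresh token not found` case, which now carries no comment at all. That comment should also name the trade-off the change accepts: a refresh request that fails the anti-csrf check because the `rid` header is missing now ends the session instead of only being rejected, so a client-side header misconfiguration turns into a logout rather than an error the client could retry with the header present. Both `throw` sites sit inside `refreshSessionInRequest`, whose body starts and ends outside these hunks.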
@@ -1,12 +1,12 @@
 {
 "name": "supertokens-node",
- "version": "18.0.1",
+ "version": "18.0.2",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "supertokens-node",
- "version": "18.0.1",
+ "version": "18.0.2",
 "license": "Apache-2.0",
 "dependencies": {
 "content-type": "^1.0.5",
diff --git a/package.json b/package.json
index 2aaf7792f..70a8e3d69 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "supertokens-node",
- "version": "18.0.1",
+ "version": "18.0.2",
 "description": "NodeJS driver for SuperTokens core",
 "main": "index.js",
 "scripts": {
diff --git a/test/auth-modes.test.js b/test/auth-modes.test.js
index 067346d64..0ed01e580 100644
--- a/test/auth-modes.test.js
+++ b/test/auth-modes.test.js
@@ -893,15 +893,15 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
 describe("from behaviour table", () => {
 // prettier-ignore
 const behaviourTable = [
- { getTokenTransferMethodRes: "any", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" },
- { getTokenTransferMethodRes: "header", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" },
- { getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" },
+ { getTokenTransferMethodRes: "any", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" },
+ { getTokenTransferMethodRes: "header", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" },
+ { getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" },
 { getTokenTransferMethodRes: "any", authHeader: false, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "none" },
- { getTokenTransferMethodRes: "header", authHeader: false, authCookie: true, output: "unauthorised", setTokens: "none", clearedTokens: "none" }, // 5
+ { getTokenTransferMethodRes: "header", authHeader: false, authCookie: true, output: "unauthorised", setTokens: "none", clearedTokens: "both" }, // 5
 { getTokenTransferMethodRes: "cookie", authHeader: false, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "none" },
 { getTokenTransferMethodRes: "any", authHeader: true, authCookie: false, output: "validateheader", setTokens: "headers", clearedTokens: "none" },
 { getTokenTransferMethodRes: "header", authHeader: true, authCookie: false, output: "validateheader", setTokens: "headers", clearedTokens: "none" },
- { getTokenTransferMethodRes: "cookie", authHeader: true, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "none" }, // 9
+ { getTokenTransferMethodRes: "cookie", authHeader: true, authCookie: false, output: "unauthorised", setTokens: "none", clearedTokens: "both" }, // 9
 { getTokenTransferMethodRes: "any", authHeader: true, authCookie: true, output: "validateheader", setTokens: "headers", clearedTokens: "cookies" },
 { getTokenTransferMethodRes: "header", authHeader: true, authCookie: true, output: "validateheader", setTokens: "headers", clearedTokens: "cookies" },
 { getTokenTransferMethodRes: "cookie", authHeader: true, authCookie: true, output: "validatecookie", setTokens: "cookies", clearedTokens: "headers" }, // 12
@@ -964,6 +964,13 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
 assert.strictEqual(refreshRes.accessTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
 assert.strictEqual(refreshRes.refreshToken, "");
 assert.strictEqual(refreshRes.refreshTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
+ } else if (conf.clearedTokens === "both") {
+ assert.strictEqual(refreshRes.accessTokenFromHeader, "");
+ assert.strictEqual(refreshRes.refreshTokenFromHeader, "");
+ assert.strictEqual(refreshRes.accessToken, "");
+ assert.strictEqual(refreshRes.accessTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
+ assert.strictEqual(refreshRes.refreshToken, "");
+ assert.strictEqual(refreshRes.refreshTokenExpiry, "Thu, 01 Jan 1970 00:00:00 GMT");
 }
 switch (conf.setTokens) {
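Review bot: The behaviour-table rows changed here all appear to exercise the missing-token path (no auth header and no cookie, or a token sent only via a transfer method the config rejects), so the new `clearedTokens: "both"` expectations pin only the first of the two source changes; nothing in this diff updates a test expectation for the anti-csrf failure path that lib/ts/recipe/session/sessionRequestFunctions.ts also switches to `clearTokens: true`. If an existing test asserts that an anti-csrf failure on refresh leaves cookies and headers untouched, it needs the same update, and if none exists one should be added so the new clearing behaviour on that path is covered rather than only described in the changelog. The `describe("from behaviour table", ...)` callback this table belongs to continues past the hunk.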
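Review bot: The new `else if (conf.clearedTokens === "both")` branch repeats the six assertions that the preceding `"cookies"` and `"headers"` branches already make, and the `@@ -985,15 +992,17 @@` hunk then has to wrap the undefined-checks in a second `conf.clearedTokens !== "both"` guard to stay consistent with it. Two derived flags at the top of the callback would remove both copies: `const clearsCookies = conf.clearedTokens === "cookies" || conf.clearedTokens === "both";` and `const clearsHeaders = conf.clearedTokens === "headers" || conf.clearedTokens === "both";`, with the cookie and header assertion groups each run under their flag and the later undefined-checks keyed on `!clearsCookies` / `!clearsHeaders` instead of the extra nesting. The `if`/`else if` chain this branch extends starts outside the hunk, so the existing branch conditions would need the same treatment.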
@@ -985,15 +992,17 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
 }
 break;
 }
- if (conf.setTokens !== "cookies" && conf.clearedTokens !== "cookies") {
- assert.strictEqual(refreshRes.accessToken, undefined);
- assert.strictEqual(refreshRes.accessTokenExpiry, undefined);
- assert.strictEqual(refreshRes.refreshToken, undefined);
- assert.strictEqual(refreshRes.refreshTokenExpiry, undefined);
- }
- if (conf.setTokens !== "headers" && conf.clearedTokens !== "headers") {
- assert.strictEqual(refreshRes.accessTokenFromHeader, undefined);
- assert.strictEqual(refreshRes.refreshTokenFromHeader, undefined);
+ if (conf.clearedTokens !== "both") {
+ if (conf.setTokens !== "cookies" && conf.clearedTokens !== "cookies") {
+ assert.strictEqual(refreshRes.accessToken, undefined);
+ assert.strictEqual(refreshRes.accessTokenExpiry, undefined);
+ assert.strictEqual(refreshRes.refreshToken, undefined);
+ assert.strictEqual(refreshRes.refreshTokenExpiry, undefined);
+ }
+ if (conf.setTokens !== "headers" && conf.clearedTokens !== "headers") {
+ assert.strictEqual(refreshRes.accessTokenFromHeader, undefined);
+ assert.strictEqual(refreshRes.refreshTokenFromHeader, undefined);
+ }
 }
 });
 }