Merge pull request #363 from supertokens/ignore-protected-props

refactor: Ignore protected props in create new session

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changes
 
 -   Dashboard APIs now return a status code `403` for all non-GET requests if the currently logged in Dashboard User is not listed in the `admins` array
+-   Now ignoring protected props in the payload in `CreateNewSession` and `CreateNewSessionWithoutRequestResponse`
 
 ## [0.13.2] - 2023-08-28
 

recipe/session/accessTokenVersions_test.go

@@ -171,27 +171,30 @@ func TestShouldThrowErrorWhenUsingProtectedProps(t *testing.T) {
 		testServer.Close()
 	}()
 
-	appSub := "asdf"
-	body := map[string]map[string]*string{
-		"payload": {
-			"sub": &appSub,
-		},
+	sessionResponse, err := CreateNewSessionWithoutRequestResponse("public", "testing", map[string]interface{}{
+		"customProps": "custom",
+	}, map[string]interface{}{}, nil)
+
+	if err != nil {
+		t.Error(err.Error())
 	}
 
-	postBody, err := json.Marshal(body)
+	newSession, err := CreateNewSessionWithoutRequestResponse("public", "testing2", sessionResponse.GetAccessTokenPayload(), map[string]interface{}{}, nil)
+
 	if err != nil {
 		t.Error(err.Error())
 	}
-	res2, err2 := http.Post(testServer.URL+"/create", "application/json", bytes.NewBuffer(postBody))
-	if err2 != nil {
+
+	accessToken := newSession.GetAccessToken()
+
+	parsedToken, err := ParseJWTWithoutSignatureVerification(accessToken)
+	if err != nil {
 		t.Error(err.Error())
 	}
 
-	assert.Equal(t, 400, res2.StatusCode)
-	cookies := unittesting.ExtractInfoFromResponse(res2)
-	assert.True(t, cookies["accessTokenFromAny"] == "")
-	assert.True(t, cookies["refreshTokenFromAny"] == "")
-	assert.True(t, cookies["frontToken"] == "")
+	assert.True(t, parsedToken.Payload["customProps"] == "custom")
+	// This makes sure it does not reuse the sub from the old payload
+	assert.True(t, parsedToken.Payload["sub"] == "testing2")
 }
 
 func TestMergeIntoATShouldHelpMigratingV2TokenUsingProtectedProps(t *testing.T) {

recipe/session/constants.go

@@ -31,3 +31,17 @@ const (
 	CookieSameSite_LAX    = "lax"
 	CookieSameSite_STRICT = "strict"
 )
+
+var JWKCacheMaxAgeInMs int64 = 60000
+var JWKRefreshRateLimit = 500
+var protectedProps = []string{
+	"sub",
+	"iat",
+	"exp",
+	"sessionHandle",
+	"parentRefreshTokenHash1",
+	"refreshTokenHash1",
+	"antiCsrfToken",
+	"rsub",
+	"tId",
+}

recipe/session/main.go

@@ -64,6 +64,10 @@ func CreateNewSessionWithoutRequestResponse(tenantId string, userID string, acce
 
 	finalAccessTokenPayload["iss"] = issuer
 
+	for _, protectedProp := range protectedProps {
+		delete(finalAccessTokenPayload, protectedProp)
+	}
+
 	for _, claim := range claimsAddedByOtherRecipes {
 		finalAccessTokenPayload, err = claim.Build(userID, tenantId, finalAccessTokenPayload, userContext[0])
 		if err != nil {

recipe/session/recipeImplementation.go

@@ -32,19 +32,6 @@ import (
 	"github.com/supertokens/supertokens-golang/supertokens"
 )
 
-var protectedProps = []string{
-	"sub",
-	"iat",
-	"exp",
-	"sessionHandle",
-	"parentRefreshTokenHash1",
-	"refreshTokenHash1",
-	"antiCsrfToken",
-	"tId",
-}
-
-var JWKCacheMaxAgeInMs int64 = 60000
-var JWKRefreshRateLimit = 500
 var jwksCache *sessmodels.GetJWKSResult = nil
 var mutex sync.RWMutex
 

recipe/session/sessionRequestFunctions.go

@@ -43,6 +43,10 @@ func CreateNewSessionInRequest(req *http.Request, res http.ResponseWriter, tenan
 	issuer := appInfo.APIDomain.GetAsStringDangerous() + appInfo.APIBasePath.GetAsStringDangerous()
 	finalAccessTokenPayload["iss"] = issuer
 
+	for _, protectedProp := range protectedProps {
+		delete(finalAccessTokenPayload, protectedProp)
+	}
+
 	for _, claim := range claimsAddedByOtherRecipes {
 		_finalAccessTokenPayload, err := claim.Build(userID, tenantId, finalAccessTokenPayload, userContext)
 		if err != nil {