From 20cd6b96556cf9340fe00e5c80576e0b14f19acb Mon Sep 17 00:00:00 2001 From: furkansenharputlu Date: Wed, 24 Apr 2024 23:43:41 +0300 Subject: [PATCH 1/4] fix: default to st-auth-mode if getTokenTransferMethod returns any in createNewSession --- CHANGELOG.md | 1 + recipe/emailpassword/authMode_test.go | 44 ++++++++++++++++++----- recipe/session/sessionRequestFunctions.go | 7 +++- 3 files changed, 43 insertions(+), 9 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 8f031e8e..1ca35438 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [unreleased] +- `session.CreateNewSession` now defaults to the value of the `st-auth-mode` header (if available) if the configured `config.GetTokenTransferMethod` returns `any`. ## [0.17.5] - 2024-03-14 - Adds a type uint64 to the `accessTokenCookiesExpiryDurationMillis` local variable in `recipe/session/utils.go`. It also removes the redundant `uint64` type forcing needed because of the untyped variable. diff --git a/recipe/emailpassword/authMode_test.go b/recipe/emailpassword/authMode_test.go index 17146498..10a7c4ea 100644 --- a/recipe/emailpassword/authMode_test.go +++ b/recipe/emailpassword/authMode_test.go @@ -224,15 +224,43 @@ func TestWithGetTokenTransferMethodProvidedCreateNewSessionWithShouldUseHeaderIf defer testServer.Close() setupRoutesForTest(t, mux) - resp := createNewSession(t, testServer.URL, nil, nil, nil, nil) + t.Run("no st-auth-mode", func(t *testing.T) { + resp := createNewSession(t, testServer.URL, nil, nil, nil, nil) + + assert.Equal(t, resp["sAccessToken"], "-not-present-") + assert.Equal(t, resp["sRefreshToken"], "-not-present-") + assert.Equal(t, resp["antiCsrf"], "-not-present-") + assert.NotEmpty(t, resp["accessTokenFromHeader"]) + assert.NotEqual(t, resp["accessTokenFromHeader"], "-not-present-") + assert.NotEmpty(t, resp["refreshTokenFromHeader"]) + assert.NotEqual(t, resp["refreshTokenFromHeader"], "-not-present-") + }) - assert.Equal(t, resp["sAccessToken"], "-not-present-") - assert.Equal(t, resp["sRefreshToken"], "-not-present-") - assert.Equal(t, resp["antiCsrf"], "-not-present-") - assert.NotEmpty(t, resp["accessTokenFromHeader"]) - assert.NotEqual(t, resp["accessTokenFromHeader"], "-not-present-") - assert.NotEmpty(t, resp["refreshTokenFromHeader"]) - assert.NotEqual(t, resp["refreshTokenFromHeader"], "-not-present-") + t.Run("st-auth-mode is cookie", func(t *testing.T) { + authMode := string(sessmodels.CookieTransferMethod) + resp := createNewSession(t, testServer.URL, &authMode, nil, nil, nil) + + assert.NotEqual(t, resp["sAccessToken"], "-not-present-") + assert.NotEqual(t, resp["sRefreshToken"], "-not-present-") + assert.NotEqual(t, resp["antiCsrf"], "-not-present-") + assert.NotEmpty(t, resp["accessTokenFromHeader"]) + assert.Equal(t, resp["accessTokenFromHeader"], "-not-present-") + assert.NotEmpty(t, resp["refreshTokenFromHeader"]) + assert.Equal(t, resp["refreshTokenFromHeader"], "-not-present-") + }) + + t.Run("st-auth-mode is header", func(t *testing.T) { + authMode := string(sessmodels.HeaderTransferMethod) + resp := createNewSession(t, testServer.URL, &authMode, nil, nil, nil) + + assert.Equal(t, resp["sAccessToken"], "-not-present-") + assert.Equal(t, resp["sRefreshToken"], "-not-present-") + assert.Equal(t, resp["antiCsrf"], "-not-present-") + assert.NotEmpty(t, resp["accessTokenFromHeader"]) + assert.NotEqual(t, resp["accessTokenFromHeader"], "-not-present-") + assert.NotEmpty(t, resp["refreshTokenFromHeader"]) + assert.NotEqual(t, resp["refreshTokenFromHeader"], "-not-present-") + }) } func TestWithGetTokenTransferMethodProvidedCreateNewSessionWithShouldUseHeaderIfMethodReturnsHeader(t *testing.T) { diff --git a/recipe/session/sessionRequestFunctions.go b/recipe/session/sessionRequestFunctions.go index c542a804..be796f27 100644 --- a/recipe/session/sessionRequestFunctions.go +++ b/recipe/session/sessionRequestFunctions.go @@ -60,7 +60,12 @@ func CreateNewSessionInRequest(req *http.Request, res http.ResponseWriter, tenan outputTokenTransferMethod := config.GetTokenTransferMethod(req, true, userContext) if outputTokenTransferMethod == sessmodels.AnyTransferMethod { - outputTokenTransferMethod = sessmodels.HeaderTransferMethod + authMode := GetAuthmodeFromHeader(req) + if authMode != nil && *authMode == sessmodels.CookieTransferMethod { + outputTokenTransferMethod = *authMode + } else { + outputTokenTransferMethod = sessmodels.HeaderTransferMethod + } } supertokens.LogDebugMessage(fmt.Sprintf("createNewSession: using transfer method %s", outputTokenTransferMethod)) From 74a8b3bf5f5cd96426c272db33080fbec38a6eeb Mon Sep 17 00:00:00 2001 From: furkansenharputlu Date: Thu, 25 Apr 2024 16:33:46 +0300 Subject: [PATCH 2/4] feat: use dynamic signing key switching --- CHANGELOG.md | 1 + recipe/session/recipeImplementation.go | 2 +- recipe/session/sessionFunctions.go | 7 +- .../sessionHandlingFuncsWithoutReq_test.go | 85 +++++++++++++++++++ 4 files changed, 91 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1ca35438..1d398cd8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [unreleased] - `session.CreateNewSession` now defaults to the value of the `st-auth-mode` header (if available) if the configured `config.GetTokenTransferMethod` returns `any`. +- Enable smooth switching between `useDynamicAccessTokenSigningKey` settings by allowing refresh calls to change the signing key type of a session. ## [0.17.5] - 2024-03-14 - Adds a type uint64 to the `accessTokenCookiesExpiryDurationMillis` local variable in `recipe/session/utils.go`. It also removes the redundant `uint64` type forcing needed because of the untyped variable. diff --git a/recipe/session/recipeImplementation.go b/recipe/session/recipeImplementation.go index ca8b9b0e..c6b2a464 100644 --- a/recipe/session/recipeImplementation.go +++ b/recipe/session/recipeImplementation.go @@ -294,7 +294,7 @@ func MakeRecipeImplementation(querier supertokens.Querier, config sessmodels.Typ supertokens.LogDebugMessage("refreshSession: Started") - response, err := refreshSessionHelper(config, querier, refreshToken, antiCsrfToken, disableAntiCsrf, userContext) + response, err := refreshSessionHelper(config, querier, refreshToken, antiCsrfToken, disableAntiCsrf, config.UseDynamicAccessTokenSigningKey, userContext) if err != nil { return nil, err } diff --git a/recipe/session/sessionFunctions.go b/recipe/session/sessionFunctions.go index 43b0f858..fb7be614 100644 --- a/recipe/session/sessionFunctions.go +++ b/recipe/session/sessionFunctions.go @@ -224,10 +224,11 @@ func getSessionInformationHelper(querier supertokens.Querier, sessionHandle stri return nil, nil } -func refreshSessionHelper(config sessmodels.TypeNormalisedInput, querier supertokens.Querier, refreshToken string, antiCsrfToken *string, disableAntiCsrf bool, userContext supertokens.UserContext) (sessmodels.CreateOrRefreshAPIResponse, error) { +func refreshSessionHelper(config sessmodels.TypeNormalisedInput, querier supertokens.Querier, refreshToken string, antiCsrfToken *string, disableAntiCsrf bool, useDynamicAccessTokenSigningKey bool, userContext supertokens.UserContext) (sessmodels.CreateOrRefreshAPIResponse, error) { requestBody := map[string]interface{}{ - "refreshToken": refreshToken, - "enableAntiCsrf": !disableAntiCsrf && config.AntiCsrfFunctionOrString.StrValue == AntiCSRF_VIA_TOKEN, + "refreshToken": refreshToken, + "enableAntiCsrf": !disableAntiCsrf && config.AntiCsrfFunctionOrString.StrValue == AntiCSRF_VIA_TOKEN, + "useDynamicSigningKey": useDynamicAccessTokenSigningKey, } if antiCsrfToken != nil { requestBody["antiCsrfToken"] = *antiCsrfToken diff --git a/recipe/session/sessionHandlingFuncsWithoutReq_test.go b/recipe/session/sessionHandlingFuncsWithoutReq_test.go index e5085137..e27cfb67 100644 --- a/recipe/session/sessionHandlingFuncsWithoutReq_test.go +++ b/recipe/session/sessionHandlingFuncsWithoutReq_test.go @@ -2,6 +2,7 @@ package session import ( "errors" + "strings" "testing" "github.com/stretchr/testify/assert" @@ -472,3 +473,87 @@ func TestRefreshShouldReturnErrorForNonTokens(t *testing.T) { assert.NotNil(t, err2) assert.True(t, errors.As(err2, &sessionError.UnauthorizedError{})) } + +func TestUseDynamicAccessTokenSigningKey(t *testing.T) { + useDynamicAccessTokenSigningKey := true + configValue := supertokens.TypeInput{ + Supertokens: &supertokens.ConnectionInfo{ + ConnectionURI: "http://localhost:8080", + }, + AppInfo: supertokens.AppInfo{ + AppName: "SuperTokens", + WebsiteDomain: "supertokens.io", + APIDomain: "api.supertokens.io", + }, + RecipeList: []supertokens.Recipe{ + Init(&sessmodels.TypeInput{ + UseDynamicAccessTokenSigningKey: &useDynamicAccessTokenSigningKey, + }), + }, + } + BeforeEach() + unittesting.StartUpST("localhost", "8080") + defer AfterEach() + + checkAccessTokenSigningKeyType := func(t *testing.T, tokens sessmodels.SessionTokens, isDynamic bool) { + t.Helper() + + info, err := ParseJWTWithoutSignatureVerification(tokens.AccessToken) + assert.NoError(t, err) + + if isDynamic { + assert.True(t, strings.HasPrefix(*info.KID, "d-")) + } else { + assert.True(t, strings.HasPrefix(*info.KID, "s-")) + } + } + + err := supertokens.Init(configValue) + assert.NoError(t, err) + + res, err := CreateNewSessionWithoutRequestResponse("public", "test-user-id", map[string]interface{}{ + "tokenProp": true, + }, map[string]interface{}{ + "dbProp": true, + }, nil) + + assert.NoError(t, err) + + tokens := res.GetAllSessionTokensDangerously() + checkAccessTokenSigningKeyType(t, tokens, true) + + resetAll() + + // here we change to false + useDynamicAccessTokenSigningKey = false + err = supertokens.Init(configValue) + assert.NoError(t, err) + + t.Run("should throw when verifying", func(t *testing.T) { + _, err = GetSessionWithoutRequestResponse(tokens.AccessToken, tokens.AntiCsrfToken, nil) + assert.Equal(t, err.Error(), "The access token doesn't match the useDynamicAccessTokenSigningKey setting") + }) + + t.Run("should work after refresh", func(t *testing.T) { + disableAntiCsrf := true + refreshedSession, err := RefreshSessionWithoutRequestResponse(*tokens.RefreshToken, &disableAntiCsrf, tokens.AntiCsrfToken) + assert.NoError(t, err) + + tokensAfterRefresh := refreshedSession.GetAllSessionTokensDangerously() + assert.True(t, tokensAfterRefresh.AccessAndFrontendTokenUpdated) + checkAccessTokenSigningKeyType(t, tokensAfterRefresh, false) + + verifiedSession, err := GetSessionWithoutRequestResponse(tokensAfterRefresh.AccessToken, tokensAfterRefresh.AntiCsrfToken, nil) + assert.NoError(t, err) + + tokensAfterVerify := verifiedSession.GetAllSessionTokensDangerously() + assert.True(t, tokensAfterVerify.AccessAndFrontendTokenUpdated) + checkAccessTokenSigningKeyType(t, tokensAfterVerify, false) + + verifiedSession2, err := GetSessionWithoutRequestResponse(tokensAfterVerify.AccessToken, tokensAfterVerify.AntiCsrfToken, nil) + assert.NoError(t, err) + + tokensAfterVerify2 := verifiedSession2.GetAllSessionTokensDangerously() + assert.False(t, tokensAfterVerify2.AccessAndFrontendTokenUpdated) + }) +} From 15a6ce78623b3490f2800692685027bf4f7ffb9b Mon Sep 17 00:00:00 2001 From: furkansenharputlu Date: Fri, 26 Apr 2024 15:59:02 +0300 Subject: [PATCH 3/4] fix: session required in signout --- CHANGELOG.md | 1 + recipe/emailpassword/authFlow_test.go | 6 +++--- recipe/session/signout.go | 4 ++-- recipe/thirdparty/signoutFeature_test.go | 6 +++--- 4 files changed, 9 insertions(+), 8 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1d398cd8..f1d503c4 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - `session.CreateNewSession` now defaults to the value of the `st-auth-mode` header (if available) if the configured `config.GetTokenTransferMethod` returns `any`. - Enable smooth switching between `useDynamicAccessTokenSigningKey` settings by allowing refresh calls to change the signing key type of a session. +- Make session required during signout. ## [0.17.5] - 2024-03-14 - Adds a type uint64 to the `accessTokenCookiesExpiryDurationMillis` local variable in `recipe/session/utils.go`. It also removes the redundant `uint64` type forcing needed because of the untyped variable. diff --git a/recipe/emailpassword/authFlow_test.go b/recipe/emailpassword/authFlow_test.go index b2233c0a..42215638 100644 --- a/recipe/emailpassword/authFlow_test.go +++ b/recipe/emailpassword/authFlow_test.go @@ -1387,7 +1387,7 @@ func TestDefaultSignoutRouteRevokesSession(t *testing.T) { assert.Equal(t, "", cookieData1["refreshTokenDomain"]) } -func TestCallingTheAPIwithoutSessionShouldReturnOk(t *testing.T) { +func TestCallingTheAPIwithoutSessionShouldReturnUnauthorized(t *testing.T) { configValue := supertokens.TypeInput{ Supertokens: &supertokens.ConnectionInfo{ ConnectionURI: "http://localhost:8080", @@ -1442,8 +1442,8 @@ func TestCallingTheAPIwithoutSessionShouldReturnOk(t *testing.T) { t.Error(err.Error()) } - assert.Equal(t, 200, res.StatusCode) - assert.Equal(t, "OK", data["status"]) + assert.Equal(t, http.StatusUnauthorized, res.StatusCode) + assert.Empty(t, data["status"]) assert.Nil(t, req.Header["Cookie"]) } diff --git a/recipe/session/signout.go b/recipe/session/signout.go index 88eefa4d..22178f90 100644 --- a/recipe/session/signout.go +++ b/recipe/session/signout.go @@ -27,9 +27,9 @@ func SignOutAPI(apiImplementation sessmodels.APIInterface, options sessmodels.AP return nil } - False := false + sessionRequired := true sessionContainer, err := GetSessionFromRequest(options.Req, options.Res, options.Config, &sessmodels.VerifySessionOptions{ - SessionRequired: &False, + SessionRequired: &sessionRequired, OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) { return []claims.SessionClaimValidator{}, nil }, diff --git a/recipe/thirdparty/signoutFeature_test.go b/recipe/thirdparty/signoutFeature_test.go index f1355a3b..b14b6aba 100644 --- a/recipe/thirdparty/signoutFeature_test.go +++ b/recipe/thirdparty/signoutFeature_test.go @@ -35,7 +35,7 @@ import ( "gopkg.in/h2non/gock.v1" ) -func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) { +func TestThatCallingTheAPIwithoutASessionShouldReturnUnauthorized(t *testing.T) { configValue := supertokens.TypeInput{ Supertokens: &supertokens.ConnectionInfo{ ConnectionURI: "http://localhost:8080", @@ -80,7 +80,7 @@ func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) { if err != nil { t.Error(err.Error()) } - assert.Equal(t, http.StatusOK, resp.StatusCode) + assert.Equal(t, http.StatusUnauthorized, resp.StatusCode) dataInBytes, err := ioutil.ReadAll(resp.Body) if err != nil { @@ -94,7 +94,7 @@ func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) { t.Error(err.Error()) } - assert.Equal(t, "OK", response["status"]) + assert.Empty(t, response["status"]) assert.Equal(t, 0, len(resp.Cookies())) } From 57c6201496273b73890559fc6a1fc4400166f330 Mon Sep 17 00:00:00 2001 From: rishabhpoddar Date: Tue, 30 Apr 2024 23:54:48 +0530 Subject: [PATCH 4/4] preps for release --- CHANGELOG.md | 5 +++++ supertokens/constants.go | 2 +- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index f1d503c4..6b954343 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,8 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [unreleased] +## [0.18.0] - 2024-04-30 + +### Changes - `session.CreateNewSession` now defaults to the value of the `st-auth-mode` header (if available) if the configured `config.GetTokenTransferMethod` returns `any`. - Enable smooth switching between `useDynamicAccessTokenSigningKey` settings by allowing refresh calls to change the signing key type of a session. + +### Breaking changes - Make session required during signout. ## [0.17.5] - 2024-03-14 diff --git a/supertokens/constants.go b/supertokens/constants.go index 200d0d49..e3db5743 100644 --- a/supertokens/constants.go +++ b/supertokens/constants.go @@ -21,7 +21,7 @@ const ( ) // VERSION current version of the lib -const VERSION = "0.17.5" +const VERSION = "0.18.0" var ( cdiSupported = []string{"3.0"}