From fd9fc4884b8bd0111560c0a4b552c3532751c40f Mon Sep 17 00:00:00 2001 From: Nemi Shah Date: Tue, 12 Sep 2023 11:32:55 +0530 Subject: [PATCH 1/2] Ignore protected props in create new session --- CHANGELOG.md | 1 + recipe/session/accessTokenVersions_test.go | 17 ++++++++++++----- recipe/session/constants.go | 14 ++++++++++++++ recipe/session/main.go | 4 ++++ recipe/session/recipeImplementation.go | 13 ------------- recipe/session/sessionRequestFunctions.go | 4 ++++ 6 files changed, 35 insertions(+), 18 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 91fb4590..dd41c2d7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ### Changes - Dashboard APIs now return a status code `403` for all non-GET requests if the currently logged in Dashboard User is not listed in the `admins` array +- Now ignoring protected props in the payload in `CreateNewSession` and `CreateNewSessionWithoutRequestResponse` ## [0.13.2] - 2023-08-28 diff --git a/recipe/session/accessTokenVersions_test.go b/recipe/session/accessTokenVersions_test.go index 1260a144..57b38f58 100644 --- a/recipe/session/accessTokenVersions_test.go +++ b/recipe/session/accessTokenVersions_test.go @@ -184,14 +184,21 @@ func TestShouldThrowErrorWhenUsingProtectedProps(t *testing.T) { } res2, err2 := http.Post(testServer.URL+"/create", "application/json", bytes.NewBuffer(postBody)) if err2 != nil { - t.Error(err.Error()) + t.Error(err2.Error()) } - assert.Equal(t, 400, res2.StatusCode) + assert.Equal(t, 200, res2.StatusCode) cookies := unittesting.ExtractInfoFromResponse(res2) - assert.True(t, cookies["accessTokenFromAny"] == "") - assert.True(t, cookies["refreshTokenFromAny"] == "") - assert.True(t, cookies["frontToken"] == "") + assert.False(t, cookies["accessTokenFromAny"] == "") + assert.False(t, cookies["refreshTokenFromAny"] == "") + assert.False(t, cookies["frontToken"] == "") + + parsedToken, err := ParseJWTWithoutSignatureVerification(cookies["accessTokenFromAny"]) + if err != nil { + t.Error(err.Error()) + } + + assert.True(t, parsedToken.Payload["sub"] != "asdf") } func TestMergeIntoATShouldHelpMigratingV2TokenUsingProtectedProps(t *testing.T) { diff --git a/recipe/session/constants.go b/recipe/session/constants.go index 2f2070b0..1db241f1 100644 --- a/recipe/session/constants.go +++ b/recipe/session/constants.go @@ -31,3 +31,17 @@ const ( CookieSameSite_LAX = "lax" CookieSameSite_STRICT = "strict" ) + +var JWKCacheMaxAgeInMs int64 = 60000 +var JWKRefreshRateLimit = 500 +var protectedProps = []string{ + "sub", + "iat", + "exp", + "sessionHandle", + "parentRefreshTokenHash1", + "refreshTokenHash1", + "antiCsrfToken", + "rsub", + "tId", +} diff --git a/recipe/session/main.go b/recipe/session/main.go index 029ee339..94f8d30b 100644 --- a/recipe/session/main.go +++ b/recipe/session/main.go @@ -64,6 +64,10 @@ func CreateNewSessionWithoutRequestResponse(tenantId string, userID string, acce finalAccessTokenPayload["iss"] = issuer + for _, protectedProp := range protectedProps { + delete(finalAccessTokenPayload, protectedProp) + } + for _, claim := range claimsAddedByOtherRecipes { finalAccessTokenPayload, err = claim.Build(userID, tenantId, finalAccessTokenPayload, userContext[0]) if err != nil { diff --git a/recipe/session/recipeImplementation.go b/recipe/session/recipeImplementation.go index d154981c..2a45518f 100644 --- a/recipe/session/recipeImplementation.go +++ b/recipe/session/recipeImplementation.go @@ -32,19 +32,6 @@ import ( "github.com/supertokens/supertokens-golang/supertokens" ) -var protectedProps = []string{ - "sub", - "iat", - "exp", - "sessionHandle", - "parentRefreshTokenHash1", - "refreshTokenHash1", - "antiCsrfToken", - "tId", -} - -var JWKCacheMaxAgeInMs int64 = 60000 -var JWKRefreshRateLimit = 500 var jwksCache *sessmodels.GetJWKSResult = nil var mutex sync.RWMutex diff --git a/recipe/session/sessionRequestFunctions.go b/recipe/session/sessionRequestFunctions.go index 3a15c42e..65db1a8b 100644 --- a/recipe/session/sessionRequestFunctions.go +++ b/recipe/session/sessionRequestFunctions.go @@ -43,6 +43,10 @@ func CreateNewSessionInRequest(req *http.Request, res http.ResponseWriter, tenan issuer := appInfo.APIDomain.GetAsStringDangerous() + appInfo.APIBasePath.GetAsStringDangerous() finalAccessTokenPayload["iss"] = issuer + for _, protectedProp := range protectedProps { + delete(finalAccessTokenPayload, protectedProp) + } + for _, claim := range claimsAddedByOtherRecipes { _finalAccessTokenPayload, err := claim.Build(userID, tenantId, finalAccessTokenPayload, userContext) if err != nil { From 7e3047f3e468df346c96106df4b9f79033f0268a Mon Sep 17 00:00:00 2001 From: Nemi Shah Date: Tue, 12 Sep 2023 11:50:50 +0530 Subject: [PATCH 2/2] Update test for access token versions --- recipe/session/accessTokenVersions_test.go | 30 ++++++++++------------ 1 file changed, 13 insertions(+), 17 deletions(-) diff --git a/recipe/session/accessTokenVersions_test.go b/recipe/session/accessTokenVersions_test.go index 57b38f58..d24970d3 100644 --- a/recipe/session/accessTokenVersions_test.go +++ b/recipe/session/accessTokenVersions_test.go @@ -171,34 +171,30 @@ func TestShouldThrowErrorWhenUsingProtectedProps(t *testing.T) { testServer.Close() }() - appSub := "asdf" - body := map[string]map[string]*string{ - "payload": { - "sub": &appSub, - }, - } + sessionResponse, err := CreateNewSessionWithoutRequestResponse("public", "testing", map[string]interface{}{ + "customProps": "custom", + }, map[string]interface{}{}, nil) - postBody, err := json.Marshal(body) if err != nil { t.Error(err.Error()) } - res2, err2 := http.Post(testServer.URL+"/create", "application/json", bytes.NewBuffer(postBody)) - if err2 != nil { - t.Error(err2.Error()) + + newSession, err := CreateNewSessionWithoutRequestResponse("public", "testing2", sessionResponse.GetAccessTokenPayload(), map[string]interface{}{}, nil) + + if err != nil { + t.Error(err.Error()) } - assert.Equal(t, 200, res2.StatusCode) - cookies := unittesting.ExtractInfoFromResponse(res2) - assert.False(t, cookies["accessTokenFromAny"] == "") - assert.False(t, cookies["refreshTokenFromAny"] == "") - assert.False(t, cookies["frontToken"] == "") + accessToken := newSession.GetAccessToken() - parsedToken, err := ParseJWTWithoutSignatureVerification(cookies["accessTokenFromAny"]) + parsedToken, err := ParseJWTWithoutSignatureVerification(accessToken) if err != nil { t.Error(err.Error()) } - assert.True(t, parsedToken.Payload["sub"] != "asdf") + assert.True(t, parsedToken.Payload["customProps"] == "custom") + // This makes sure it does not reuse the sub from the old payload + assert.True(t, parsedToken.Payload["sub"] == "testing2") } func TestMergeIntoATShouldHelpMigratingV2TokenUsingProtectedProps(t *testing.T) {