supertokens · porcellus · Jul 1, 2024 · Jun 26, 2024 · Jun 28, 2024
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,7 +7,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
-## [20.1.1] - 2024-07-13
+## [20.1.2] - 2024-06-26
+
+### Changes
+
+- Fixed a session refresh loop caused by blocked cookie writes. The SDK would throw/log a helpful error message when this happens.
+
+## [20.1.1] - 2024-06-13
 
 ### Changes
 

diff --git a/bundle/bundle.js b/bundle/bundle.js
diff --git a/lib/build/axios.js b/lib/build/axios.js
diff --git a/lib/build/fetch.js b/lib/build/fetch.js
diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts
diff --git a/lib/build/version.js b/lib/build/version.js
diff --git a/lib/build/xmlhttprequest.js b/lib/build/xmlhttprequest.js
diff --git a/lib/ts/axios.ts b/lib/ts/axios.ts
@@ -243,7 +243,9 @@ export function responseInterceptor(axiosInstance: any) {
                 !doNotDoInterception &&
                 // we do not call doesSessionExist here cause the user might override that
                 // function here and then it may break the logic of our original implementation.
-                !((await getLocalSessionState(true)).status === "EXISTS")
+
+                // Calling getLocalSessionState with tryRefresh: false, since the session would have been refreshed in the try block if expired.
+                (await getLocalSessionState(false)).status === "NOT_EXISTS"
             ) {
                 logDebugMessage(
                     "responseInterceptor: local session doesn't exist, so removing anti-csrf and sFrontToken"
@@ -597,7 +599,10 @@ async function saveTokensFromHeaders(response: AxiosResponse) {
 
     const antiCsrfToken = response.headers["anti-csrf"];
     if (antiCsrfToken !== undefined) {
-        const tok = await getLocalSessionState(true);
+        // Call getLocalSessionState with tryRefresh: false as the session was just refreshed.
+        // If the local session doesn't exist, it means we failed to write to cookies.
+        // Using tryRefresh: true would cause an infinite refresh loop.
+        const tok = await getLocalSessionState(false);
         if (tok.status === "EXISTS") {
             logDebugMessage("doRequest: Setting anti-csrf token");
             await AntiCsrfToken.setItem(tok.lastAccessTokenUpdate, antiCsrfToken);

diff --git a/lib/ts/fetch.ts b/lib/ts/fetch.ts
@@ -668,8 +668,24 @@ export async function getLocalSessionState(tryRefresh: boolean): Promise<LocalSe
                     status: "NOT_EXISTS"
                 };
             }
-            logDebugMessage("getLocalSessionState: Retrying post refresh");
-            return await getLocalSessionState(tryRefresh);
+
+            const lastAccessTokenUpdate = await getFromCookies(LAST_ACCESS_TOKEN_UPDATE);
+            const frontTokenExists = await FrontToken.doesTokenExists();
+
+            // If we fail to retrieve the local session state after a successful refresh,
+            // it indicates an issue with writing to cookies. Without the FrontToken,
+            // session refresh may work but other SDK functionalities won't work as expected.
+            // Therefore, we throw an error here instead of retrying.
+            if (!frontTokenExists || lastAccessTokenUpdate === undefined) {
+                const errorMessage = `Failed to retrieve local session state from cookies after a successful session refresh. This indicates a configuration error or that the browser is preventing cookie writes (e.g., incognito mode).`;
+                console.error(errorMessage);
+                throw new Error(errorMessage);
+            }
+
+            logDebugMessage(
+                "getLocalSessionState: returning EXISTS since both frontToken and lastAccessTokenUpdate exists post refresh"
+            );
+            return { status: "EXISTS", lastAccessTokenUpdate };
         } else {
             logDebugMessage("getLocalSessionState: returning: " + response.status);
             return response;
@@ -797,7 +813,10 @@ async function saveTokensFromHeaders(response: Response) {
     }
     const antiCsrfToken = response.headers.get("anti-csrf");
     if (antiCsrfToken !== null) {
-        const tok = await getLocalSessionState(true);
+        // Call getLocalSessionState with tryRefresh: false as the session was just refreshed.
+        // If the local session doesn't exist, it means we failed to write to cookies.
+        // Using tryRefresh: true would cause an infinite refresh loop.
+        const tok = await getLocalSessionState(false);
         if (tok.status === "EXISTS") {
             logDebugMessage("saveTokensFromHeaders: Setting anti-csrf token");
             await AntiCsrfToken.setItem(tok.lastAccessTokenUpdate, antiCsrfToken);

diff --git a/lib/ts/version.ts b/lib/ts/version.ts
@@ -12,6 +12,6 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-export const package_version = "20.1.1";
+export const package_version = "20.1.2";
 
 export const supported_fdi = ["1.16", "1.17", "1.18", "1.19", "2.0", "3.0"];
diff --git a/lib/ts/xmlhttprequest.ts b/lib/ts/xmlhttprequest.ts
@@ -56,10 +56,6 @@ export function addInterceptorsToXMLHttpRequest() {
     // define constructor for my proxy object
     XMLHttpRequest = function (this: XMLHttpRequestType) {
         const actual: XMLHttpRequestType = new oldXMLHttpRequest();
-        let delayedQueue = firstEventLoopDone;
-        function delayIfNecessary(cb: () => void | Promise<void>) {
-            delayedQueue = delayedQueue.finally(() => cb()?.catch(console.error));
-        }
 
         const self = this;
         const listOfFunctionCallsInProxy: { (xhr: XMLHttpRequestType): void }[] = [];
@@ -70,6 +66,21 @@ export function addInterceptorsToXMLHttpRequest() {
 
         const eventHandlers: Map<keyof XMLHttpRequestEventMap, Set<XHREventListener<any>>> = new Map();
 
+        let delayedQueue = firstEventLoopDone;
+        function delayIfNecessary(cb: () => void | Promise<void>) {
+            delayedQueue = delayedQueue.finally(() =>
+                cb()?.catch(err => {
+                    const ev = new ProgressEvent("error");
+                    (ev as any).error = err;
+                    if (self.onerror !== undefined && self.onerror !== null) {
+                        self.onerror(ev);
+                    }
+
+                    redispatchEvent("error", ev);
+                })
+            );
+        }
+
         // We define these during open
         // let method: string = "";
         let url: string | URL = "";
@@ -215,7 +226,8 @@ export function addInterceptorsToXMLHttpRequest() {
                     return true;
                 } finally {
                     logDebugMessage("XHRInterceptor.handleResponse: doFinallyCheck running");
-                    if (!((await getLocalSessionState(false)).status === "EXISTS")) {
+                    // Calling getLocalSessionState with tryRefresh: false, since the session would have been refreshed in the try block if expired.
+                    if ((await getLocalSessionState(false)).status === "NOT_EXISTS") {
                         logDebugMessage(
                             "XHRInterceptor.handleResponse: local session doesn't exist, so removing anti-csrf and sFrontToken"
                         );

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "supertokens-website",
-  "version": "20.1.1",
+  "version": "20.1.2",
   "description": "frontend sdk for website to be used for auth solution.",
   "main": "index.js",
   "dependencies": {

diff --git a/test/cross.auto_refresh.test.js b/test/cross.auto_refresh.test.js
@@ -856,5 +856,54 @@ addTestCases((name, transferMethod, setupFunc, setupArgs = []) => {
 
             await page.setRequestInterception(false);
         });
+
+        it("should break out of session refresh loop if cookie writes are disabled", async function () {
+            await startST(300, false);
+            await setup({
+                disableCookies: true
+            });
+
+            let consoleLogs = [];
+            page.on("console", message => {
+                consoleLogs.push(message.text());
+            });
+
+            await page.evaluate(async () => {
+                supertokens.init({
+                    apiDomain: BASE_URL,
+                    maxRetryAttemptsForSessionRefresh: 5
+                });
+
+                const userId = "testing-supertokens-website";
+
+                const loginResponse = await toTest({
+                    url: `${BASE_URL}/login`,
+                    method: "post",
+                    headers: {
+                        Accept: "application/json",
+                        "Content-Type": "application/json"
+                    },
+                    body: JSON.stringify({ userId })
+                });
+
+                assert.strictEqual(loginResponse.statusCode, 200);
+                assert.strictEqual(loginResponse.responseText, userId);
+
+                await assert.rejects(async () => {
+                    await toTest({ url: `${BASE_URL}/` });
+                });
+            });
+
+            assert(
+                consoleLogs.includes(
+                    "Saving to cookies was not successful, this indicates a configuration error or the browser preventing us from writing the cookies (e.g.: incognito mode)."
+                )
+            );
+            assert(
+                consoleLogs.includes(
+                    "Failed to retrieve local session state from cookies after a successful session refresh. This indicates a configuration error or that the browser is preventing cookie writes (e.g., incognito mode)."
+                )
+            );
+        });
     });
 });