supertokens · porcellus · Jul 3, 2024 · Jul 3, 2024 · Jul 3, 2024
diff --git a/bundle/bundle.js b/bundle/bundle.js
diff --git a/lib/build/fetch.js b/lib/build/fetch.js
diff --git a/lib/ts/fetch.ts b/lib/ts/fetch.ts
@@ -439,16 +439,32 @@ export async function onUnauthorisedResponse(
                     });
                     return { result: "SESSION_EXPIRED" };
                 }
-                if (
-                    postLockLSS.status !== preRequestLSS.status ||
-                    (postLockLSS.status === "EXISTS" &&
-                        preRequestLSS.status === "EXISTS" &&
-                        postLockLSS.lastAccessTokenUpdate !== preRequestLSS.lastAccessTokenUpdate)
-                ) {
+
+                const postLockSessionExists = postLockLSS.status === "EXISTS";
+                const preRequestSessionExists = preRequestLSS.status === "EXISTS";
+                const sessionStatusChanged = postLockLSS.status !== preRequestLSS.status;
+                const accessTokenTimestampChanged =
+                    "lastAccessTokenUpdate" in postLockLSS &&
+                    "lastAccessTokenUpdate" in preRequestLSS &&
+                    postLockLSS.lastAccessTokenUpdate !== preRequestLSS.lastAccessTokenUpdate;
+
+                // If the session status has changed, we should return early and retry the request
+                // only if postLockLSS.status is "EXISTS".
+                if (sessionStatusChanged && postLockSessionExists) {
+                    logDebugMessage(
+                        "onUnauthorisedResponse: Retrying early because session status has changed and postLockLSS.status is EXISTS"
+                    );
+                    return { result: "RETRY" };
+                }
+
+                // If the session exists in both postLockLSS and preRequestLSS, we should return early
+                // and retry the request only if the access token timestamp has changed.
+                // This indicates that another process has already called this API and succeeded,
+                // so we don't need to call it again.
+                if (postLockSessionExists && preRequestSessionExists && accessTokenTimestampChanged) {
                     logDebugMessage(
                         "onUnauthorisedResponse: Retrying early because pre and post lastAccessTokenUpdate don't match"
                     );
-                    // means that some other process has already called this API and succeeded. so we need to call it again
                     return { result: "RETRY" };
                 }
 

diff --git a/test/axios.headers.test.js b/test/axios.headers.test.js
@@ -437,39 +437,6 @@ describe.skip("Axios AuthHttpRequest class tests header", function () {
         }
     });
 
-    it("test sameSite is none if using iframe axios", async function () {
-        await startST(3);
-        const browser = await puppeteer.launch({
-            args: ["--no-sandbox", "--disable-setuid-sandbox"]
-        });
-        try {
-            const page = await browser.newPage();
-            await page.goto(BASE_URL + "/index.html", { waitUntil: "load" });
-            await page.addScriptTag({ path: `./bundle/bundle.js`, type: "text/javascript" });
-            await page.evaluate(async () => {
-                let BASE_URL = "http://localhost.org:8080";
-                supertokens.addAxiosInterceptors(axios);
-                supertokens.init({
-                    apiDomain: BASE_URL,
-                    tokenTransferMethod: "header",
-                    isInIframe: true
-                });
-                let userId = "testing-supertokens-website";
-                let loginResponse = await axios.post(`${BASE_URL}/login`, JSON.stringify({ userId }), {
-                    headers: {
-                        Accept: "application/json",
-                        "Content-Type": "application/json"
-                    }
-                });
-            });
-
-            let cookies = await page.cookies();
-            assert(cookies.length === 0);
-        } finally {
-            await browser.close();
-        }
-    });
-
     it("test rid is there", async function () {
         await startST(3);
         const browser = await puppeteer.launch({

diff --git a/test/axios.test.js b/test/axios.test.js
@@ -509,38 +509,6 @@ describe("Axios AuthHttpRequest class tests", function () {
         }
     });
 
-    it("test sameSite is none if using iframe axios", async function () {
-        await startST(3);
-        const browser = await puppeteer.launch({
-            args: ["--no-sandbox", "--disable-setuid-sandbox"]
-        });
-        try {
-            const page = await browser.newPage();
-            await page.goto(BASE_URL + "/index.html", { waitUntil: "load" });
-            await page.addScriptTag({ path: `./bundle/bundle.js`, type: "text/javascript" });
-            await page.evaluate(async () => {
-                let BASE_URL = "http://localhost.org:8080";
-                supertokens.addAxiosInterceptors(axios);
-                supertokens.init({
-                    apiDomain: BASE_URL,
-                    isInIframe: true
-                });
-                let userId = "testing-supertokens-website";
-                let loginResponse = await axios.post(`${BASE_URL}/login`, JSON.stringify({ userId }), {
-                    headers: {
-                        Accept: "application/json",
-                        "Content-Type": "application/json"
-                    }
-                });
-            });
-
-            let cookies = await page.cookies();
-            assert(cookies.length === 0);
-        } finally {
-            await browser.close();
-        }
-    });
-
     it("test rid is there", async function () {
         await startST(3);
         const browser = await puppeteer.launch({

diff --git a/test/fetch.test.js b/test/fetch.test.js
@@ -494,40 +494,6 @@ describe("Fetch AuthHttpRequest class tests", function () {
         }
     });
 
-    it("test sameSite is none if using iframe", async function () {
-        await startST(3);
-        const browser = await puppeteer.launch({
-            args: ["--no-sandbox", "--disable-setuid-sandbox"]
-        });
-        try {
-            const page = await browser.newPage();
-            await page.goto(BASE_URL + "/index.html", { waitUntil: "load" });
-            await page.addScriptTag({ path: `./bundle/bundle.js`, type: "text/javascript" });
-            await page.evaluate(async () => {
-                let BASE_URL = "http://localhost.org:8080";
-                supertokens.init({
-                    apiDomain: BASE_URL,
-                    isInIframe: true
-                });
-                let userId = "testing-supertokens-website";
-
-                await fetch(`${BASE_URL}/login`, {
-                    method: "post",
-                    headers: {
-                        Accept: "application/json",
-                        "Content-Type": "application/json"
-                    },
-                    body: JSON.stringify({ userId })
-                });
-            });
-
-            let cookies = await page.cookies();
-            assert(cookies.length === 0);
-        } finally {
-            await browser.close();
-        }
-    });
-
     it("test rid is there", async function () {
         await startST(3);
         const browser = await puppeteer.launch({

diff --git a/test/interception.basic1.test.js b/test/interception.basic1.test.js
@@ -210,14 +210,25 @@ addTestCases((name, transferMethod, setupFunc, setupArgs = []) => {
 
         it("test sameSite is none if using iframe", async function () {
             await startST(3);
+
+            // NOTE: Using localhost:8080 as the base URL because browsers ignore
+            // SameSite=None, Secure: true cookies on HTTP non-localhost domains.
+
+            const BASE_URL = "http://localhost:8080";
+            await page.goto(BASE_URL + "/index.html", { waitUntil: "load" });
+            await page.addScriptTag({ path: `./bundle/bundle.js`, type: "text/javascript" });
+            await page.evaluate(BASE_URL => (window.BASE_URL = BASE_URL), BASE_URL);
+            await new Promise(r => setTimeout(r, 100));
+
             await setup({
                 isInIframe: true
             });
+
             await page.evaluate(async () => {
                 const userId = "testing-supertokens-website";
 
                 await toTest({
-                    url: `${BASE_URL}/login`,
+                    url: `http://localhost:8080/login`,
                     method: "post",
                     headers: {
                         Accept: "application/json",
@@ -227,8 +238,18 @@ addTestCases((name, transferMethod, setupFunc, setupArgs = []) => {
                 });
             });
 
-            const cookies = await page.cookies();
-            assert.strictEqual(cookies.length, 0);
+            let cookies = await page.cookies();
+
+            // Assert that all frontend cookies are sameSite=None and Secure: true
+            const frontendCookies =
+                transferMethod === "cookie"
+                    ? ["sAntiCsrf", "sFrontToken", "st-last-access-token-update"]
+                    : ["sFrontToken", "st-last-access-token-update", "st-access-token", "st-refresh-token"];
+            frontendCookies.forEach(cookieName => {
+                const cookie = cookies.find(cookie => cookie.name === cookieName);
+                assert(cookie.sameSite === "None");
+                assert(cookie.secure === true);
+            });
         });
 
         it("test warnings when cookie writes are not successful", async function () {