Merge pull request #304 from supertokens/refactor/additional-tests-and-changes

chore: Add additional tests for session verification

Author: rishabhpoddar

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+- Adds additional tests for session verification
+
 ## [0.12.7] - 2023-06-05
 
 ### Fixes

recipe/session/session_test.go

@@ -2018,6 +2018,63 @@ func TestThatLockingForJWKSCacheWorksFine(t *testing.T) {
 	JWKCacheMaxAgeInMs = originalCacheAge
 }
 
+func TestThatGetSessionThrowsWIthDynamicKeysIfSessionWasCreatedWithStaticKeys(t *testing.T) {
+	False := false
+	configValue := supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			APIDomain:     "api.supertokens.io",
+			AppName:       "SuperTokens",
+			WebsiteDomain: "supertokens.io",
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(&sessmodels.TypeInput{
+				UseDynamicAccessTokenSigningKey: &False,
+			}),
+		},
+	}
+
+	BeforeEach()
+	unittesting.SetKeyValueInConfig("access_token_dynamic_signing_key_update_interval", "0.0014")
+	unittesting.StartUpST("localhost", "8080")
+	defer AfterEach()
+	err := supertokens.Init(configValue)
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	session, err := CreateNewSessionWithoutRequestResponse("testing-user", map[string]interface{}{}, map[string]interface{}{}, nil)
+
+	resetAll()
+	True := true
+	configValue = supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			AppName:       "SuperTokens",
+			WebsiteDomain: "supertokens.io",
+			APIDomain:     "api.supertokens.io",
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(&sessmodels.TypeInput{
+				UseDynamicAccessTokenSigningKey: &True,
+			}),
+		},
+	}
+	err = supertokens.Init(configValue)
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	sessionTokens := session.GetAllSessionTokensDangerously()
+	session, err = GetSessionWithoutRequestResponse(sessionTokens.AccessToken, sessionTokens.AntiCsrfToken, nil)
+	assert.Error(t, err)
+	assert.Equal(t, err.Error(), "The access token doesn't match the useDynamicAccessTokenSigningKey setting")
+}
+
 func jwksLockTestRoutine(t *testing.T, shouldStop *bool, index int, group *sync.WaitGroup, doPost func([]string)) {
 	jwks, err := GetCombinedJWKS()
 	if err != nil {

recipe/session/verifySession_test.go

@@ -925,6 +925,56 @@ func TestThatVerifySessionReturns401IfNoAccessTokenIsSentAndMiddlewareIsNotAdded
 	assert.Equal(t, res.StatusCode, 401)
 }
 
+func TestThatAntiCSRFCheckIsSkippedIfSessionRequiredIsFalseAndNoAccessTokenIsPassed(t *testing.T) {
+	AntiCsrf := AntiCSRF_VIA_CUSTOM_HEADER
+	configValue := supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			AppName:       "SuperTokens",
+			WebsiteDomain: "supertokens.io",
+			APIDomain:     "api.supertokens.io",
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(&sessmodels.TypeInput{
+				AntiCsrf: &AntiCsrf,
+				GetTokenTransferMethod: func(req *http.Request, forCreateNewSession bool, userContext supertokens.UserContext) sessmodels.TokenTransferMethod {
+					return sessmodels.CookieTransferMethod
+				},
+			}),
+		},
+	}
+	BeforeEach()
+	unittesting.StartUpST("localhost", "8080")
+	defer AfterEach()
+	err := supertokens.Init(configValue)
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	app := getTestApp([]typeTestEndpoint{})
+	defer app.Close()
+
+	session, err := CreateNewSessionWithoutRequestResponse("test-user", map[string]interface{}{}, map[string]interface{}{}, nil)
+	assert.NoError(t, err)
+
+	sessionTokens := session.GetAllSessionTokensDangerously()
+
+	req, err := http.NewRequest(http.MethodGet, app.URL+"/verify", nil)
+	assert.NoError(t, err)
+	req.Header.Add("Cookie", "sAccessToken="+*sessionTokens.RefreshToken)
+
+	res, err := http.DefaultClient.Do(req)
+	assert.Equal(t, res.StatusCode, 401)
+
+	req, err = http.NewRequest(http.MethodGet, app.URL+"/verify-optional", nil)
+	assert.NoError(t, err)
+
+	res, err = http.DefaultClient.Do(req)
+	assert.Equal(t, res.StatusCode, 200)
+}
+
 type typeTestEndpoint struct {
 	path                          string
 	overrideGlobalClaimValidators func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error)
@@ -971,6 +1021,19 @@ func getTestApp(endpoints []typeTestEndpoint) *httptest.Server {
 		w.Write(respBytes)
 	})
 
+	False := false
+	mux.HandleFunc("/verify-optional", VerifySession(&sessmodels.VerifySessionOptions{
+		SessionRequired: &False,
+	}, func(rw http.ResponseWriter, r *http.Request) {
+		GetSession(r, rw, &sessmodels.VerifySessionOptions{
+			SessionRequired: &False,
+		})
+	}))
+
+	mux.HandleFunc("/verify", VerifySession(&sessmodels.VerifySessionOptions{}, func(rw http.ResponseWriter, r *http.Request) {
+		GetSession(r, rw, &sessmodels.VerifySessionOptions{})
+	}))
+
 	mux.HandleFunc("/default-claims", VerifySession(nil, func(w http.ResponseWriter, r *http.Request) {
 		sessionContainer := GetSessionFromRequestContext(r.Context())
 		resp := map[string]interface{}{