fix: Improve code based on suggestions and failed existing tests

Author: KShivendu

supertokens_python/constants.py

@@ -11,19 +11,9 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-SUPPORTED_CDI_VERSIONS = [
-    "2.9",
-    "2.10",
-    "2.11",
-    "2.12",
-    "2.13",
-    "2.14",
-    "2.15",
-    "2.16",
-    "2.17",
-    "2.18",
-    "2.19",
-]
+from __future__ import annotations
+
+SUPPORTED_CDI_VERSIONS = ["2.21"]
 VERSION = "0.12.4"
 TELEMETRY = "/telemetry"
 USER_COUNT = "/users/count"
@@ -38,3 +28,4 @@
 API_VERSION = "/apiversion"
 API_VERSION_HEADER = "cdi-version"
 DASHBOARD_VERSION = "0.4"
+HUNDRED_YEARS_IN_MS = 3153600000000

supertokens_python/recipe/session/__init__.py

@@ -28,7 +28,6 @@
 
 InputErrorHandlers = utils.InputErrorHandlers
 InputOverrideConfig = utils.InputOverrideConfig
-JWTConfig = utils.JWTConfig
 SessionContainer = interfaces.SessionContainer
 exceptions = ex
 
@@ -48,8 +47,9 @@ def init(
     ] = None,
     error_handlers: Union[InputErrorHandlers, None] = None,
     override: Union[InputOverrideConfig, None] = None,
-    jwt: Union[JWTConfig, None] = None,
     invalid_claim_status_code: Union[int, None] = None,
+    use_dynamic_access_token_signing_key: Union[bool, None] = None,
+    expose_access_token_to_frontend_in_cookie_based_auth: Union[bool, None] = None,
 ) -> Callable[[AppInfo], RecipeModule]:
     return SessionRecipe.init(
         cookie_domain,
@@ -60,6 +60,7 @@ def init(
         get_token_transfer_method,
         error_handlers,
         override,
-        jwt,
         invalid_claim_status_code,
+        use_dynamic_access_token_signing_key,
+        expose_access_token_to_frontend_in_cookie_based_auth,
     )

supertokens_python/recipe/session/access_token.py

@@ -75,9 +75,11 @@ def get_info_from_access_token(
             if payload is None:
                 raise PyJWKClientError("No key found")
 
-        elif jwt_info.version > 3:
+        elif jwt_info.version >= 3:
             for client in jwk_clients:
-                matching_key = client.get_matching_key_from_jwt(jwt_info.raw_token_string)
+                matching_key = client.get_matching_key_from_jwt(
+                    jwt_info.raw_token_string
+                )
                 payload = jwt.decode(  # type: ignore
                     jwt_info.raw_token_string,
                     matching_key,
@@ -97,9 +99,7 @@ def get_info_from_access_token(
             user_data = payload.get("userData")
         else:
             user_id = sanitize_string(payload.get("sub"))
-            expiry_time = sanitize_number(
-                payload.get("exp", 0) * 1000
-            )  # FIXME: Is using 0 as default okay?
+            expiry_time = sanitize_number(payload.get("exp", 0) * 1000)
             time_created = sanitize_number(payload.get("iat", 0) * 1000)
             user_data = payload
 
@@ -113,7 +113,9 @@ def get_info_from_access_token(
         if anti_csrf_token is None and do_anti_csrf_check:
             raise Exception("Access token does not contain the anti-csrf token")
 
-        assert isinstance(expiry_time, int)
+        assert isinstance(
+            expiry_time, (int, float)
+        )  # FIXME: Use only int once core is updated
 
         if expiry_time < get_timestamp_ms():
             raise Exception("Access token expired")
@@ -139,8 +141,12 @@ def validate_access_token_structure(payload: Dict[str, Any], version: int) -> No
     if version >= 3:
         if (
             not isinstance(payload.get("sub"), str)
-            or not isinstance(payload.get("exp"), int)
-            or not isinstance(payload.get("iat"), int)
+            or not isinstance(
+                payload.get("exp"), (int, float)
+            )  # TODO: Leave only int once core is updated
+            or not isinstance(
+                payload.get("iat"), (int, float)
+            )  # TODO: Leave only int once core is updated
             or not isinstance(payload.get("sessionHandle"), str)
             or not isinstance(payload.get("refreshTokenHash1"), str)
         ):

supertokens_python/recipe/session/api/implementation.py

@@ -30,7 +30,7 @@
 
 from typing import Any, Dict
 
-from supertokens_python.recipe.session.session_request_functions import (
+from ..session_request_functions import (
     get_session_from_request,
     refresh_session_in_request,
 )
@@ -88,5 +88,8 @@ async def verify_session(
             api_options.request,
             api_options.config,
             api_options.recipe_implementation,
+            session_required=session_required,
+            anti_csrf_check=anti_csrf_check,
+            override_global_claim_validators=override_global_claim_validators,
             user_context=user_context,
         )

supertokens_python/recipe/session/asyncio/__init__.py

@@ -14,7 +14,6 @@
 from typing import Any, Dict, List, Union, TypeVar, Callable, Optional
 
 from supertokens_python.exceptions import SuperTokensError
-from supertokens_python.framework.request import BaseRequest
 from supertokens_python.recipe.openid.interfaces import (
     GetOpenIdDiscoveryConfigurationResult,
 )
@@ -38,8 +37,10 @@
     RefreshSessionUnauthorizedResult,
     RefreshSessionTokenTheftErrorResult,
 )
-from supertokens_python.recipe.session.recipe import SessionRecipe
-from supertokens_python.recipe.session.session_request_functions import (
+from supertokens_python.recipe.session.recipe import (
+    SessionRecipe,
+)
+from ..session_request_functions import (
     get_session_from_request,
     create_new_session_in_request,
     refresh_session_in_request,
@@ -278,7 +279,7 @@ async def remove_claim(
 
 
 async def get_session(
-    request: BaseRequest,
+    request: Any,
     session_required: Optional[bool] = None,
     anti_csrf_check: Optional[bool] = None,
     check_database: Optional[bool] = None,

supertokens_python/recipe/session/constants.py

@@ -35,3 +35,12 @@
 
 JWKCacheMaxAgeInMs = 60 * 1000
 JWKRequestCooldownInMs = 500 * 1000
+protected_props = [
+    "sub",
+    "iat",
+    "exp",
+    "sessionHandle",
+    "parentRefreshTokenHash1",
+    "refreshTokenHash1",
+    "antiCsrfToken",
+]

supertokens_python/recipe/session/cookie_and_header.py

@@ -32,7 +32,7 @@
     available_token_transfer_methods,
 )
 from ...logger import log_debug_message
-from .utils import HUNDRED_YEARS_IN_MS
+from supertokens_python.constants import HUNDRED_YEARS_IN_MS
 
 if TYPE_CHECKING:
     from supertokens_python.framework.request import BaseRequest

supertokens_python/recipe/session/interfaces.py

@@ -84,7 +84,12 @@ def __init__(
 
 
 class ReqResInfo:
-    def __init__(self, request: BaseRequest, transfer_method: TokenTransferMethod):
+    def __init__(
+        self,
+        request: Optional[BaseRequest] = None,
+        transfer_method: Optional[TokenTransferMethod] = None,
+    ):
+        # TODO: See if making args optional will cause any issues
         self.request = request
         self.transfer_method = transfer_method
 

supertokens_python/recipe/session/jwks.py

@@ -80,7 +80,7 @@ def get_matching_key_from_jwt(self, token: str) -> str:
         assert self.jwk_set is not None
 
         try:
-            return str(self.jwk_set[kid].key)  # type: ignore
+            return self.jwk_set[kid].key  # type: ignore
         except KeyError:
             if not self.is_cooling_down():
                 # One more attempt to fetch the latest keys

supertokens_python/recipe/session/jwt.py

@@ -11,7 +11,6 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-from base64 import b64decode
 from json import dumps, loads
 from typing import Any, Dict, Optional
 
@@ -68,7 +67,7 @@ def parse_jwt_without_signature_verification(jwt: str) -> ParsedJWTInfo:
     header, payload, signature = splitted_input
     # checking the header
     if header not in _allowed_headers:
-        parsed_header = loads(b64decode(header.encode()))
+        parsed_header = loads(utf_base64decode(header))
         header_version = parsed_header.get("version")
 
         # We have to ensure version is a string, otherwise Number.parseInt can have unexpected results

supertokens_python/recipe/session/recipe.py

@@ -19,16 +19,20 @@
 from supertokens_python.framework.response import BaseResponse
 from typing_extensions import Literal
 
-from supertokens_python.utils import default_user_context
+from supertokens_python.utils import (
+    default_user_context,
+)
 
-from .api import handle_refresh_api, handle_signout_api
-from .cookie_and_header import get_cors_allowed_headers
+from .cookie_and_header import (
+    get_cors_allowed_headers,
+)
 from .exceptions import (
     SuperTokensSessionError,
     TokenTheftError,
     UnauthorisedError,
     InvalidClaimsError,
 )
+from ... import AppInfo
 from ...types import MaybeAwaitable
 
 if TYPE_CHECKING:
@@ -42,7 +46,6 @@
 from supertokens_python.recipe.openid.recipe import OpenIdRecipe
 from supertokens_python.recipe_module import APIHandled, RecipeModule
 
-from .api.implementation import APIImplementation
 from .constants import SESSION_REFRESH, SIGNOUT
 from .interfaces import (
     APIInterface,
@@ -59,7 +62,6 @@
     InputErrorHandlers,
     InputOverrideConfig,
     TokenTransferMethod,
-    JWTConfig,
     validate_and_normalise_user_input,
 )
 
@@ -72,8 +74,6 @@ def __init__(
         self,
         recipe_id: str,
         app_info: AppInfo,
-        use_dynamic_access_token_signing_key: Union[bool, None] = None,
-        expose_access_token_to_frontend_in_cookie_based_auth: Union[bool, None] = None,
         cookie_domain: Union[str, None] = None,
         cookie_secure: Union[bool, None] = None,
         cookie_same_site: Union[Literal["lax", "none", "strict"], None] = None,
@@ -90,8 +90,9 @@ def __init__(
         ] = None,
         error_handlers: Union[InputErrorHandlers, None] = None,
         override: Union[InputOverrideConfig, None] = None,
-        jwt: Union[JWTConfig, None] = None,
         invalid_claim_status_code: Union[int, None] = None,
+        use_dynamic_access_token_signing_key: Union[bool, None] = None,
+        expose_access_token_to_frontend_in_cookie_based_auth: Union[bool, None] = None,
     ):
         super().__init__(recipe_id, app_info)
         self.openid_recipe = OpenIdRecipe(
@@ -103,8 +104,6 @@ def __init__(
         )
         self.config = validate_and_normalise_user_input(
             app_info,
-            use_dynamic_access_token_signing_key,
-            expose_access_token_to_frontend_in_cookie_based_auth,
             cookie_domain,
             cookie_secure,
             cookie_same_site,
@@ -113,8 +112,9 @@ def __init__(
             get_token_transfer_method,
             error_handlers,
             override,
-            jwt,
             invalid_claim_status_code,
+            use_dynamic_access_token_signing_key,
+            expose_access_token_to_frontend_in_cookie_based_auth,
         )
         log_debug_message("session init: anti_csrf: %s", self.config.anti_csrf)
         if self.config.cookie_domain is not None:
@@ -145,6 +145,9 @@ def __init__(
             if self.config.override.functions is None
             else self.config.override.functions(recipe_implementation)
         )
+
+        from .api.implementation import APIImplementation
+
         api_implementation = APIImplementation()
         self.api_implementation: APIInterface = (
             api_implementation
@@ -188,6 +191,9 @@ async def handle_api_request(
         method: str,
         response: BaseResponse,
     ) -> Union[BaseResponse, None]:
+        # TODO: See if this import can be done globally without triggering cyclic import issues
+        from .api import handle_refresh_api, handle_signout_api
+
         if request_id == SESSION_REFRESH:
             return await handle_refresh_api(
                 self.api_implementation,
@@ -266,7 +272,6 @@ def init(
         ] = None,
         error_handlers: Union[InputErrorHandlers, None] = None,
         override: Union[InputOverrideConfig, None] = None,
-        jwt: Union[JWTConfig, None] = None,
         invalid_claim_status_code: Union[int, None] = None,
         use_dynamic_access_token_signing_key: Union[bool, None] = None,
         expose_access_token_to_frontend_in_cookie_based_auth: Union[bool, None] = None,
@@ -276,8 +281,6 @@ def func(app_info: AppInfo):
                 SessionRecipe.__instance = SessionRecipe(
                     SessionRecipe.recipe_id,
                     app_info,
-                    use_dynamic_access_token_signing_key,
-                    expose_access_token_to_frontend_in_cookie_based_auth,
                     cookie_domain,
                     cookie_secure,
                     cookie_same_site,
@@ -286,8 +289,9 @@ def func(app_info: AppInfo):
                     get_token_transfer_method,
                     error_handlers,
                     override,
-                    jwt,
                     invalid_claim_status_code,
+                    use_dynamic_access_token_signing_key,
+                    expose_access_token_to_frontend_in_cookie_based_auth,
                 )
                 return SessionRecipe.__instance
             raise_general_exception(