|
13 | 13 | from supertokens_python.recipe.session.jwt import ( |
14 | 14 | parse_jwt_without_signature_verification, |
15 | 15 | ) |
| 16 | +from supertokens_python.recipe.session.access_token import validate_access_token_structure |
16 | 17 | from tests.utils import get_st_init_args, setup_function, start_st, teardown_function |
17 | 18 |
|
18 | 19 | _ = setup_function # type:ignore |
@@ -197,3 +198,64 @@ async def test_should_validate_v3_tokens_with_check_database_enabled(app: TestCl |
197 | 198 | "sessionExists": True, |
198 | 199 | "sessionHandle": info["body"]["sessionHandle"], |
199 | 200 | } |
| 201 | + |
| 202 | + |
| 203 | +async def test_validation_logic_with_keys_that_can_use_json_nulls_values_in_claims(): |
| 204 | + """We want to make sure that for access token claims that can be null, the SDK does not fail access token validation if the |
| 205 | + core does not send them as part of the payload. For this we verify that validation passes when the keys are None, empty, |
| 206 | + or of a different type. |
| 207 | +
|
| 208 | + For now this test checks for: |
| 209 | + - antiCsrfToken |
| 210 | + - parentRefreshTokenHash1 |
| 211 | +
|
| 212 | + But this test should be updated to include any keys that the core considers optional in the payload (i.e either it sends |
| 213 | + JSON null or skips them entirely) |
| 214 | + """ |
| 215 | + |
| 216 | + V3 = 3 |
| 217 | + payload = { |
| 218 | + "sessionHandle": "", |
| 219 | + "sub": "", |
| 220 | + "refreshTokenHash1": "", |
| 221 | + "exp": float(0), |
| 222 | + "iat": float(0) |
| 223 | + } |
| 224 | + |
| 225 | + validate_access_token_structure(payload, V3) |
| 226 | + |
| 227 | + payload = { |
| 228 | + "sessionHandle": "", |
| 229 | + "sub": "", |
| 230 | + "refreshTokenHash1": "", |
| 231 | + "exp": float(0), |
| 232 | + "iat": float(0), |
| 233 | + "parentRefreshTokenHash1": None, |
| 234 | + "antiCsrfToken": None, |
| 235 | + } |
| 236 | + |
| 237 | + validate_access_token_structure(payload, V3) |
| 238 | + |
| 239 | + payload = { |
| 240 | + "sessionHandle": "", |
| 241 | + "sub": "", |
| 242 | + "refreshTokenHash1": "", |
| 243 | + "exp": float(0), |
| 244 | + "iat": float(0), |
| 245 | + "parentRefreshTokenHash1": "", |
| 246 | + "antiCsrfToken": "", |
| 247 | + } |
| 248 | + |
| 249 | + validate_access_token_structure(payload, V3) |
| 250 | + |
| 251 | + payload = { |
| 252 | + "sessionHandle": "", |
| 253 | + "sub": "", |
| 254 | + "refreshTokenHash1": "", |
| 255 | + "exp": float(0), |
| 256 | + "iat": float(0), |
| 257 | + "parentRefreshTokenHash1": 1, |
| 258 | + "antiCsrfToken": 1, |
| 259 | + } |
| 260 | + |
| 261 | + validate_access_token_structure(payload, V3) |
0 commit comments