Remove unused code and other suggested changes

Author: KShivendu

supertokens_python/recipe/session/access_token.py

@@ -47,7 +47,7 @@ def get_info_from_access_token(
         verify_jwt(jwt_info, jwt_signing_public_key)
         payload = jwt_info.payload
 
-        validate_access_token_structure(payload, jwt_info.version)
+        validate_access_token_structure(payload)
 
         session_handle = sanitize_string(payload.get("sessionHandle"))
         user_id = sanitize_string(payload.get("userId"))
@@ -85,19 +85,7 @@ def get_info_from_access_token(
         raise_try_refresh_token_exception(e)
 
 
-def validate_access_token_structure(payload: Dict[str, Any], version: int) -> None:
-    if version >= 3:
-        if (
-            not isinstance(payload.get("sub"), str)
-            or not isinstance(payload.get("exp"), int)
-            or not isinstance(payload.get("iat"), int)
-            or not isinstance(payload.get("sessionHandle"), str)
-            or not isinstance(payload.get("refreshTokenHash1"), str)
-        ):
-            raise Exception(
-                "Access token does not contain all the information. Maybe the structure has changed?"
-            )
-
+def validate_access_token_structure(payload: Dict[str, Any]) -> None:
     if (
         not isinstance(payload.get("sessionHandle"), str)
         or payload.get("userData") is None

supertokens_python/recipe/session/asyncio/__init__.py

@@ -31,6 +31,7 @@
     GetSessionUnauthorizedErrorResult,
     GetSessionTryRefreshTokenErrorResult,
     GetSessionClaimValidationErrorResult,
+    GetSessionClaimValidationErrorResponseObject,
     CreateNewSessionResult,
     GetSessionOkResult,
     RefreshSessionOkResult,
@@ -371,8 +372,11 @@ async def get_session_without_request_response(
         except SuperTokensError as e:
             if isinstance(e, InvalidClaimsError):
                 return GetSessionClaimValidationErrorResult(
-                    e
-                )  # FIXME: is this correct?
+                    error=e,
+                    response=GetSessionClaimValidationErrorResponseObject(
+                        message="invalid claim", claim_validation_errors=e.payload
+                    ),
+                )
             raise e
 
     return res

supertokens_python/recipe/session/cookie_and_header.py

@@ -32,6 +32,7 @@
     available_token_transfer_methods,
 )
 from ...logger import log_debug_message
+from .utils import HUNDRED_YEARS_IN_MS
 
 if TYPE_CHECKING:
     from supertokens_python.framework.request import BaseRequest
@@ -41,7 +42,6 @@
         TokenTransferMethod,
         TokenType,
         SessionConfig,
-        HUNDRED_YEARS_IN_MS,
     )
 
 from json import dumps
@@ -69,13 +69,6 @@ def _set_front_token_in_headers(
     )
 
 
-def front_token_response_mutator(front_token: str):
-    def mutator(response: BaseResponse):
-        return _set_front_token_in_headers(response, front_token)
-
-    return mutator
-
-
 def get_cors_allowed_headers():
     return [
         ANTI_CSRF_HEADER_KEY,

supertokens_python/recipe/session/interfaces.py

@@ -88,8 +88,6 @@ def __init__(self, request: BaseRequest, transfer_method: TokenTransferMethod):
         self.request = request
         self.transfer_method = transfer_method
 
-        self.response_mutators = []  # TODO: Use this everywhere!
-
 
 class CreateNewSessionResult:
     status = "OK"
@@ -108,7 +106,7 @@ def __init__(self, session: SessionContainer):
 class GetSessionUnauthorizedErrorResult:
     status = "UNAUTHORISED"
 
-    def __init__(self, error: UnauthorisedError):
+    def __init__(self, error: Exception):
         self.error = error
 
 
@@ -119,11 +117,24 @@ def __init__(self, error: TryRefreshTokenError):
         self.error = error
 
 
+class GetSessionClaimValidationErrorResponseObject:
+    def __init__(
+        self, message: str, claim_validation_errors: List[ClaimValidationError]
+    ):
+        self.message = message
+        self.claim_validation_errors = claim_validation_errors
+
+
 class GetSessionClaimValidationErrorResult:
     status = "CLAIM_VALIDATION_ERROR"
 
-    def __init__(self, error: InvalidClaimsError):
+    def __init__(
+        self,
+        error: InvalidClaimsError,
+        response: GetSessionClaimValidationErrorResponseObject,
+    ):
         self.error = error
+        self.response = response
 
 
 class RefreshSessionOkResult:

supertokens_python/recipe/session/jwt.py

@@ -11,16 +11,15 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-import base64
-import json
 from base64 import b64decode
 from json import dumps, loads
 from textwrap import wrap
-from typing import Any, Dict, Optional
+from typing import Any, Dict
 
 from Crypto.Hash import SHA256
 from Crypto.PublicKey import RSA
 from Crypto.Signature.pkcs1_15 import PKCS115_SigScheme
+
 from supertokens_python.utils import utf_base64decode, utf_base64encode
 
 _key_start = "-----BEGIN PUBLIC KEY-----\n"
@@ -47,72 +46,39 @@
 class ParsedJWTInfo:
     def __init__(
         self,
-        version: int,
         raw_token_string: str,
         raw_payload: str,
         header: str,
         payload: Dict[str, Any],
         signature: str,
-        kid: Optional[str],
     ) -> None:
-        self.version = version
         self.raw_token_string = raw_token_string
         self.raw_payload = raw_payload
         self.header = header
         self.payload = payload
         self.signature = signature
-        self.kid = kid
 
 
 def parse_jwt_without_signature_verification(jwt: str) -> ParsedJWTInfo:
     splitted_input = jwt.split(".")
     if len(splitted_input) != 3:
         raise Exception("invalid jwt")
 
-    # V1 and V2 are functionally identical, plus all legacy tokens should be V2 now.
-    # So we can assume these defaults:
-    version = 2
-    kid = None
-    # V2 or older tokens didn't save the key id
     header, payload, signature = splitted_input
-    # checking the header
     if header not in _allowed_headers:
-        parsed_header = json.loads(base64.b64decode(header.encode()))
-        header_version = parsed_header.get("version")
-
-        # We have to ensure version is a string, otherwise Number.parseInt can have unexpected results
-        if not isinstance(header_version, str):
-            raise Exception("JWT header mismatch")
-
-        try:
-            version = int(header_version)
-        except ValueError:
-            version = None
-
-        kid = parsed_header.get("kid")
-        # Number.isInteger returns false for Number.NaN (if it fails to parse the version)
-        if (
-            parsed_header["typ"] != "JWT"
-            or not isinstance(version, int)
-            or version < 3
-            or kid is None
-        ):
-            raise Exception("JWT header mismatch")
+        raise Exception("jwt header mismatch")
 
     return ParsedJWTInfo(
-        version=version,
         raw_token_string=jwt,
         raw_payload=payload,
         header=header,
         # Ideally we would only parse this after the signature verification is done
         # We do this at the start, since we want to check if a token can be a supertokens access token or not.
         payload=loads(utf_base64decode(payload)),
         signature=signature,
-        kid=kid,  # TODO: How can ever be None since we are checking for it in the above code?
     )
 
 
-# TODO: Should remove
 def verify_jwt(info: ParsedJWTInfo, jwt_signing_public_key: str):
     public_key = RSA.import_key(
         _key_start + "\n".join(wrap(jwt_signing_public_key, width=64)) + _key_end

supertokens_python/recipe/session/recipe.py

@@ -140,7 +140,7 @@ def __init__(
                 recipe_id,
                 app_info,
                 None,
-                None,  # FIXME
+                None,
                 openid_feature_override,
             )
             recipe_implementation = RecipeImplementation(

supertokens_python/recipe/session/recipe_implementation.py

@@ -102,9 +102,6 @@ def get_jwt_signing_public_key_list(self) -> List[Dict[str, Any]]:
         ]
 
 
-LEGACY_ID_REFRESH_TOKEN_COOKIE_NAME = "sIdRefreshToken"
-
-
 class RecipeImplementation(RecipeInterface):  # pylint: disable=too-many-public-methods
     def __init__(self, querier: Querier, config: SessionConfig, app_info: AppInfo):
         super().__init__()
@@ -296,16 +293,12 @@ async def get_session(
         access_token_obj: Optional[ParsedJWTInfo] = None
         try:
             access_token_obj = parse_jwt_without_signature_verification(access_token)
-            validate_access_token_structure(
-                access_token_obj.payload, access_token_obj.version
-            )
+            validate_access_token_structure(access_token_obj.payload)
         except Exception as e:
             log_debug_message(
                 "getSession: Returning UNAUTHORISED because parsing failed"
             )
-            return GetSessionUnauthorizedErrorResult(
-                UnauthorisedError(str(e), False)
-            )  # FIXME: Is this correct?
+            return GetSessionUnauthorizedErrorResult(e)
 
         try:
             response = await session_functions.get_session(
@@ -320,14 +313,12 @@ async def get_session(
                 log_debug_message(
                     "getSession: Returning TRY_REFRESH_TOKEN_ERROR because of an exception during get_session"
                 )
-                return GetSessionUnauthorizedErrorResult(e)  # FIXME: Is this correct?
+                return GetSessionUnauthorizedErrorResult(e)
 
             log_debug_message(
                 "getSession: Returning UNAUTHORISED because of an exception during get_session"
             )
-            return GetSessionUnauthorizedErrorResult(
-                UnauthorisedError(str(e), False)
-            )  # FIXME: Is this correct?
+            return GetSessionUnauthorizedErrorResult(e)
 
         log_debug_message("getSession: Success!")
 
@@ -340,9 +331,7 @@ async def get_session(
             access_token_updated = True
         else:
             payload = access_token_obj.payload
-            access_token_str = (
-                access_token_obj.raw_token_string
-            )  # FIXME: Is this correct?
+            access_token_str = access_token
             expiry_time = response["session"]["expiryTime"]
             access_token_updated = False
 
@@ -384,7 +373,7 @@ async def refresh_session(
         log_debug_message("refreshSession: Started")
 
         try:
-            response = await session_functions.refresh_session(  # FIXME: Update the real definition
+            response = await session_functions.refresh_session(
                 self,
                 refresh_token,
                 anti_csrf_token,
@@ -419,13 +408,12 @@ async def refresh_session(
             if isinstance(e, SuperTokensError):
                 if isinstance(e, TokenTheftError):
                     return RefreshSessionTokenTheftErrorResult(e)
-                # FIXME: Is this correct?
                 if isinstance(e, UnauthorisedError):
                     return RefreshSessionUnauthorizedResult(e)
 
             return RefreshSessionUnauthorizedResult(
-                UnauthorisedError("UNAUTHORIZED", clear_tokens=True)
-            )  # FIXME: Is this correct?
+                UnauthorisedError(str(e), clear_tokens=False)
+            )
 
     async def revoke_session(
         self, session_handle: str, user_context: Dict[str, Any]

supertokens_python/recipe/session/session_class.py

@@ -11,7 +11,8 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-from typing import Any, Dict, List, TypeVar, Union
+from typing import Any, Dict, List, TypeVar, Union, Optional
+from typing_extensions import TypedDict
 
 from supertokens_python.recipe.session.exceptions import (
     raise_invalid_claims_exception,
@@ -31,13 +32,20 @@
     SessionClaimValidator,
     SessionContainer,
 )
-from .jwt import parse_jwt_without_signature_verification
 from .recipe_implementation import protected_props
 from ...framework import BaseRequest
 
 _T = TypeVar("_T")
 
 
+class GetSessionTokensDangerouslyDict(TypedDict):
+    accessToken: str
+    accessAndFrontTokenUpdated: bool
+    refreshToken: Optional[str]
+    frontToken: str
+    antiCsrfToken: Optional[str]
+
+
 class Session(SessionContainer):
     async def attach_to_request_response(
         self, request: BaseRequest, transfer_method: TokenTransferMethod
@@ -129,11 +137,13 @@ def get_handle(self, user_context: Union[Dict[str, Any], None] = None) -> str:
     def get_access_token(self, user_context: Union[Dict[str, Any], None] = None) -> str:
         return self.access_token
 
-    def get_all_session_tokens_dangerously(self) -> Dict[str, Any]:
+    def get_all_session_tokens_dangerously(self) -> GetSessionTokensDangerouslyDict:
         return {
             "accessToken": self.access_token,
             "accessAndFrontTokenUpdated": self.access_token_updated,
-            "refreshToken": self.refresh_token,
+            "refreshToken": None
+            if self.refresh_token is None
+            else self.refresh_token.token,
             "frontToken": self.front_token,
             "antiCsrfToken": self.anti_csrf_token,
         }
@@ -263,14 +273,7 @@ async def merge_into_access_token_payload(
             raise_unauthorised_exception("Session does not exist anymore.")
 
         if response.access_token is not None:
-            resp_token = parse_jwt_without_signature_verification(
-                response.access_token.token
-            )
-            payload = (
-                response.session.user_data_in_jwt
-                if resp_token.version < 3
-                else resp_token.payload
-            )
+            payload = response.session.user_data_in_jwt
             self.user_data_in_access_token = payload
             self.access_token = response.access_token.token
             self.front_token = build_front_token(

supertokens_python/recipe/session/session_functions.py

@@ -149,7 +149,7 @@ async def get_session(
 
     if (
         access_token_info is not None
-        and not handshake_info.access_token_blacklisting_enabled
+        and not always_check_core
         and access_token_info["parentRefreshTokenHash1"] is None
     ):
         return {