Merge pull request #443 from supertokens/fix/protected-prop-createsession

fix: ignore protected props in create_new_session functions

Author: rishabhpoddar

CHANGELOG.md

@@ -8,13 +8,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+
+## [0.16.0] - 2023-09-13
+
+
 ### Added
 
 -   The Dashboard recipe now accepts a new `admins` property which can be used to give Dashboard Users write privileges for the user dashboard.
 
 ### Changes
 
 -   Dashboard APIs now return a status code `403` for all non-GET requests if the currently logged in Dashboard User is not listed in the `admins` array
+- Now ignoring protected props in the payload in `create_new_session` and `create_new_session_without_request_response`
 
 ## [0.15.3] - 2023-09-24
 

setup.py

@@ -70,7 +70,7 @@
 
 setup(
     name="supertokens_python",
-    version="0.15.3",
+    version="0.16.0",
     author="SuperTokens",
     license="Apache 2.0",
     author_email="[email protected]",

supertokens_python/constants.py

@@ -14,7 +14,7 @@
 from __future__ import annotations
 
 SUPPORTED_CDI_VERSIONS = ["3.0"]
-VERSION = "0.15.3"
+VERSION = "0.16.0"
 TELEMETRY = "/telemetry"
 USER_COUNT = "/users/count"
 USER_DELETE = "/user/remove"

supertokens_python/recipe/session/asyncio/__init__.py

@@ -41,6 +41,7 @@
     get_session_from_request,
     refresh_session_in_request,
 )
+from ..constants import protected_props
 from ..utils import get_required_claim_validators
 
 from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID
@@ -106,6 +107,10 @@ async def create_new_session_without_request_response(
 
     final_access_token_payload = {**access_token_payload, "iss": issuer}
 
+    for prop in protected_props:
+        if prop in final_access_token_payload:
+            del final_access_token_payload[prop]
+
     for claim in claims_added_by_other_recipes:
         update = await claim.build(user_id, tenant_id, user_context)
         final_access_token_payload = {**final_access_token_payload, **update}

supertokens_python/recipe/session/constants.py

@@ -42,5 +42,6 @@
     "parentRefreshTokenHash1",
     "refreshTokenHash1",
     "antiCsrfToken",
+    "rsub",
     "tId",
 ]

supertokens_python/recipe/session/recipe_implementation.py

@@ -47,6 +47,7 @@
     from supertokens_python import AppInfo
 
 from .interfaces import SessionContainer
+from .constants import protected_props
 from supertokens_python.querier import Querier
 from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID
 
@@ -378,8 +379,13 @@ async def merge_into_access_token_payload(
         if session_info is None:
             return False
 
+        new_access_token_payload = session_info.custom_claims_in_access_token_payload
+        for k in protected_props:
+            if k in new_access_token_payload:
+                del new_access_token_payload[k]
+
         new_access_token_payload = {
-            **session_info.custom_claims_in_access_token_payload,
+            **new_access_token_payload,
             **access_token_payload_update,
         }
         for k in access_token_payload_update.keys():

supertokens_python/recipe/session/session_request_functions.py

@@ -60,6 +60,7 @@
     set_request_in_user_context_if_not_defined,
 )
 from supertokens_python.supertokens import Supertokens
+from .constants import protected_props
 
 if TYPE_CHECKING:
     from supertokens_python.recipe.session.recipe import SessionRecipe
@@ -240,6 +241,10 @@ async def create_new_session_in_request(
 
     final_access_token_payload = {**access_token_payload, "iss": issuer}
 
+    for prop in protected_props:
+        if prop in final_access_token_payload:
+            del final_access_token_payload[prop]
+
     for claim in claims_added_by_other_recipes:
         update = await claim.build(user_id, tenant_id, user_context)
         final_access_token_payload = {**final_access_token_payload, **update}

tests/sessions/test_access_token_version.py

@@ -203,6 +203,27 @@ async def test_should_validate_v3_tokens_with_check_database_enabled(app: TestCl
     }
 
 
+async def test_ignore_protected_props_in_create_session():
+    init(**get_st_init_args([session.init()]))
+    start_st()
+
+    s = await create_new_session_without_request_response(
+        "public",
+        "user1",
+        {"foo": "bar"},
+    )
+    payload = parse_jwt_without_signature_verification(s.access_token).payload
+    assert payload["foo"] == "bar"
+    assert payload["sub"] == "user1"
+
+    s2 = await create_new_session_without_request_response(
+        "public", "user2", s.get_access_token_payload()
+    )
+    payload = parse_jwt_without_signature_verification(s2.access_token).payload
+    assert payload["foo"] == "bar"
+    assert payload["sub"] == "user2"
+
+
 async def test_validation_logic_with_keys_that_can_use_json_nulls_values_in_claims():
     """We want to make sure that for access token claims that can be null, the SDK does not fail access token validation if the
     core does not send them as part of the payload. For this we verify that validation passes when the keys are None, empty,