Merge pull request #275 from supertokens/fix/clear-sesion

fix: Clear session changes for header based auth

Author: porcellus

CHANGELOG.md

@@ -6,6 +6,24 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## unreleased
+
+### Breaking changes
+
+-   The frontend SDK should be updated to a version supporting the header-based sessions!
+    -   supertokens-auth-react: >= 0.32.0
+    -   supertokens-web-js: >= 0.5.0
+    -   supertokens-website: >= 16.0.0
+    -   supertokens-react-native: >= 4.0.0
+    -   !!!TODO: re-check before release and add mobile SDKs
+- Only supporting FDI 1.16
+
+### Added
+
+-   Added support for authorizing requests using the `Authorization` header instead of cookies
+    -   Added `get_token_transfer_method` config option
+    -   Check out https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/sessions/token-transfer-method for more information
+
+
 # [0.11.13] - 2023-01-06
 
 - Add missing `original` attribute to flask response and remove logic for cases where `response` is `None`

frontendDriverInterfaceSupported.json

@@ -1,6 +1,6 @@
 {
     "_comment": "contains a list of frontend-driver interfaces branch names that this core supports",
     "versions": [
-        "1.15"
+        "1.16"
     ]
 }

setup.py

@@ -70,7 +70,7 @@
 
 setup(
     name="supertokens_python",
-    version="0.11.13",
+    version="0.12.0",
     author="SuperTokens",
     license="Apache 2.0",
     author_email="[email protected]",

supertokens_python/constants.py

@@ -12,7 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 SUPPORTED_CDI_VERSIONS = ["2.9", "2.10", "2.11", "2.12", "2.13", "2.14", "2.15"]
-VERSION = "0.11.13"
+VERSION = "0.12.0"
 TELEMETRY = "/telemetry"
 USER_COUNT = "/users/count"
 USER_DELETE = "/user/remove"

supertokens_python/framework/django/django_response.py

@@ -14,7 +14,7 @@
 import json
 from datetime import datetime
 from math import ceil
-from typing import Any, Dict, Union
+from typing import Any, Dict, Optional
 
 from supertokens_python.framework.response import BaseResponse
 
@@ -42,7 +42,7 @@ def set_cookie(
         value: str,
         expires: int,
         path: str = "/",
-        domain: Union[str, None] = None,
+        domain: Optional[str] = None,
         secure: bool = False,
         httponly: bool = False,
         samesite: str = "lax",
@@ -69,11 +69,14 @@ def set_status_code(self, status_code: int):
     def set_header(self, key: str, value: str):
         self.response[key] = value
 
-    def get_header(self, key: str):
+    def get_header(self, key: str) -> Optional[str]:
         if self.response.has_header(key):
             return self.response[key]
         return None
 
+    def remove_header(self, key: str):
+        del self.response[key]
+
     def set_json_content(self, content: Dict[str, Any]):
         if not self.response_sent:
             self.set_header("Content-Type", "application/json; charset=utf-8")

supertokens_python/framework/fastapi/fastapi_response.py

@@ -14,7 +14,7 @@
 import json
 from math import ceil
 from time import time
-from typing import Any, Dict, Union
+from typing import Any, Dict, Optional
 
 from supertokens_python.framework.response import BaseResponse
 
@@ -44,7 +44,7 @@ def set_cookie(
         value: str,
         expires: int,
         path: str = "/",
-        domain: Union[str, None] = None,
+        domain: Optional[str] = None,
         secure: bool = False,
         httponly: bool = False,
         samesite: str = "lax",
@@ -78,9 +78,12 @@ def set_cookie(
     def set_header(self, key: str, value: str):
         self.response.headers[key] = value
 
-    def get_header(self, key: str) -> Union[str, None]:
+    def get_header(self, key: str) -> Optional[str]:
         return self.response.headers.get(key, None)
 
+    def remove_header(self, key: str):
+        del self.response.headers[key]
+
     def set_status_code(self, status_code: int):
         if not self.status_set:
             self.response.status_code = status_code

supertokens_python/framework/flask/flask_response.py

@@ -12,7 +12,7 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 import json
-from typing import Any, Dict, List, Union
+from typing import Any, Dict, List, Optional
 
 from supertokens_python.framework.response import BaseResponse
 
@@ -40,7 +40,7 @@ def set_cookie(
         value: str,
         expires: int,
         path: str = "/",
-        domain: Union[str, None] = None,
+        domain: Optional[str] = None,
         secure: bool = False,
         httponly: bool = False,
         samesite: str = "lax",
@@ -59,9 +59,12 @@ def set_cookie(
     def set_header(self, key: str, value: str):
         self.response.headers.set(key, value)
 
-    def get_header(self, key: str) -> Union[None, str]:
+    def get_header(self, key: str) -> Optional[str]:
         return self.response.headers.get(key)
 
+    def remove_header(self, key: str):
+        del self.response.headers[key]
+
     def set_status_code(self, status_code: int):
         if not self.status_set:
             self.response.status_code = status_code

supertokens_python/framework/response.py

@@ -13,7 +13,7 @@
 # under the License.
 
 from abc import ABC, abstractmethod
-from typing import Any, Dict, Union
+from typing import Any, Dict, Optional
 
 
 class BaseResponse(ABC):
@@ -31,19 +31,23 @@ def set_cookie(
         #    max_age: Union[int, None] = None,
         expires: int,
         path: str = "/",
-        domain: Union[str, None] = None,
+        domain: Optional[str] = None,
         secure: bool = False,
         httponly: bool = False,
         samesite: str = "lax",
     ):
         pass
 
     @abstractmethod
-    def set_header(self, key: str, value: str):
+    def set_header(self, key: str, value: str) -> None:
         pass
 
     @abstractmethod
-    def get_header(self, key: str) -> Union[str, None]:
+    def get_header(self, key: str) -> Optional[str]:
+        pass
+
+    @abstractmethod
+    def remove_header(self, key: str) -> None:
         pass
 
     @abstractmethod

supertokens_python/recipe/session/cookie_and_header.py

@@ -97,6 +97,11 @@ def set_header(response: BaseResponse, key: str, value: str, allow_duplicate: bo
         response.set_header(key, value)
 
 
+def remove_header(response: BaseResponse, key: str):
+    if response.get_header(key) is not None:
+        response.remove_header(key)
+
+
 def get_cookie(request: BaseRequest, key: str):
     cookie_val = request.get_cookie(key)
     if cookie_val is None:
@@ -171,23 +176,31 @@ def get_rid_header(request: BaseRequest):
 
 
 def clear_session_from_all_token_transfer_methods(
-    response: BaseResponse, recipe: SessionRecipe, request: BaseRequest
+    response: BaseResponse, recipe: SessionRecipe
 ):
+    # We are clearing the session in all transfermethods to be sure to override cookies in case they have been already added to the response.
+    # This is done to handle the following use-case:
+    # If the app overrides signInPOST to check the ban status of the user after the original implementation and throwing an UNAUTHORISED error
+    # In this case: the SDK has attached cookies to the response, but none was sent with the request
+    # We can't know which to clear since we can't reliably query or remove the set-cookie header added to the response (causes issues in some frameworks, i.e.: hapi)
+    # The safe solution in this case is to overwrite all the response cookies/headers with an empty value, which is what we are doing here.
     for transfer_method in available_token_transfer_methods:
-        if get_token(request, "access", transfer_method) is not None:
-            _clear_session(response, recipe.config, transfer_method)
+        _clear_session(response, recipe.config, transfer_method)
 
 
 def _clear_session(
     response: BaseResponse,
     config: SessionConfig,
     transfer_method: TokenTransferMethod,
 ):
-    # If we can tell it's a cookie based session we are not clearing using headers
+    # If we can be specific about which transferMethod we want to clear, there is no reason to clear the other ones
     token_types: List[TokenType] = ["access", "refresh"]
     for token_type in token_types:
         _set_token(response, config, token_type, "", 0, transfer_method)
 
+    remove_header(
+        response, ANTI_CSRF_HEADER_KEY
+    )  # This can be added multiple times in some cases, but that should be OK
     set_header(response, FRONT_TOKEN_HEADER_SET_KEY, "remove", False)
     set_header(
         response, ACCESS_CONTROL_EXPOSE_HEADERS, FRONT_TOKEN_HEADER_SET_KEY, True

supertokens_python/recipe/session/interfaces.py

@@ -34,7 +34,9 @@
 from .utils import SessionConfig, TokenTransferMethod
 
 if TYPE_CHECKING:
-    from supertokens_python.framework import BaseRequest, BaseResponse
+    from supertokens_python.framework import BaseRequest
+
+from supertokens_python.framework import BaseResponse
 
 
 class SessionObj:

supertokens_python/recipe/session/utils.py

@@ -138,7 +138,7 @@ async def on_token_theft_detected(
         response: BaseResponse,
     ) -> BaseResponse:
         log_debug_message("Clearing tokens because of TOKEN_THEFT_DETECTED response")
-        clear_session_from_all_token_transfer_methods(response, recipe, request)
+        clear_session_from_all_token_transfer_methods(response, recipe)
         return await resolve(
             self.__on_token_theft_detected(request, session_handle, user_id, response)
         )
@@ -159,7 +159,7 @@ async def on_unauthorised(
     ):
         if do_clear_cookies:
             log_debug_message("Clearing tokens because of UNAUTHORISED response")
-            clear_session_from_all_token_transfer_methods(response, recipe, request)
+            clear_session_from_all_token_transfer_methods(response, recipe)
         return await resolve(self.__on_unauthorised(request, message, response))
 
     async def on_invalid_claim(

tests/Django/test_django.py

@@ -13,14 +13,17 @@
 # under the License.
 
 import json
+from datetime import datetime
 from inspect import isawaitable
 from typing import Any, Dict, Union
 
-from datetime import datetime
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.test import RequestFactory, TestCase
 from supertokens_python import InputAppInfo, SupertokensConfig, init
 from supertokens_python.framework.django import middleware
+from supertokens_python.framework.django.django_response import (
+    DjangoResponse as SuperTokensDjangoWrapper,
+)
 from supertokens_python.recipe import emailpassword, session
 from supertokens_python.recipe.emailpassword.interfaces import APIInterface, APIOptions
 from supertokens_python.recipe.session import SessionContainer
@@ -389,3 +392,13 @@ async def test_optional_session(self):
         assert response.status_code == 200
         dict_response = json.loads(response.content)
         assert dict_response["s"] == "empty session"
+
+
+def test_remove_header_works():
+    response = HttpResponse()
+    st_response = SuperTokensDjangoWrapper(response)
+
+    st_response.set_header("foo", "bar")
+    assert st_response.get_header("foo") == "bar"
+    st_response.remove_header("foo")
+    assert st_response.get_header("foo") is None