fix: Clear legacy sIdRefreshToken and fix other linter issues

Author: KShivendu

supertokens_python/recipe/jwt/recipe.py

@@ -93,7 +93,10 @@ async def handle_api_request(
             self.recipe_implementation,
         )
 
-        return await jwks_get(self.api_implementation, options)
+        if request_id == GET_JWKS_API:
+            return await jwks_get(self.api_implementation, options)
+
+        return None
 
     async def handle_error(
         self, request: BaseRequest, err: SuperTokensError, response: BaseResponse

supertokens_python/recipe/session/access_token.py

@@ -50,7 +50,7 @@ def get_info_from_access_token(
     do_anti_csrf_check: bool,
 ):
     # TODO: Add different tests to verify this works as expected
-    try:
+    try:  # pylint: disable=too-many-nested-blocks
         payload: Optional[Dict[str, Any]] = None
 
         if jwt_info.version < 3:

supertokens_python/recipe/session/asyncio/__init__.py

@@ -11,38 +11,37 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
-from typing import Any, Dict, List, Union, TypeVar, Callable, Optional
+from typing import Any, Callable, Dict, List, Optional, TypeVar, Union
 
 from supertokens_python.recipe.openid.interfaces import (
     GetOpenIdDiscoveryConfigurationResult,
 )
 from supertokens_python.recipe.session.interfaces import (
+    ClaimsValidationResult,
+    GetClaimValueOkResult,
+    JSONObject,
     RegenerateAccessTokenOkResult,
-    SessionContainer,
-    SessionInformationResult,
     SessionClaim,
     SessionClaimValidator,
+    SessionContainer,
     SessionDoesNotExistError,
-    ClaimsValidationResult,
-    JSONObject,
-    GetClaimValueOkResult,
-)
-from supertokens_python.recipe.session.recipe import (
-    SessionRecipe,
-)
-from ..session_request_functions import (
-    get_session_from_request,
-    create_new_session_in_request,
-    refresh_session_in_request,
+    SessionInformationResult,
 )
+from supertokens_python.recipe.session.recipe import SessionRecipe
 from supertokens_python.types import MaybeAwaitable
 from supertokens_python.utils import FRAMEWORKS, resolve
-from ..utils import get_required_claim_validators
+
 from ...jwt.interfaces import (
     CreateJwtOkResult,
     CreateJwtResultUnsupportedAlgorithm,
     GetJWKSResult,
 )
+from ..session_request_functions import (
+    create_new_session_in_request,
+    get_session_from_request,
+    refresh_session_in_request,
+)
+from ..utils import get_required_claim_validators
 
 _T = TypeVar("_T")
 
@@ -332,7 +331,7 @@ async def get_session_without_request_response(
     - override_global_claim_validators: Alter the
     - user_context: user context
 
-    Returned statuses:
+    Results:
     - OK: The session was successfully validated, including claim validation
     - CLAIM_VALIDATION_ERROR: While the access token is valid, one or more claim validators have failed. Our frontend SDKs expect a 403 response the contents matching the value returned from this function.
     - TRY_REFRESH_TOKEN_ERROR: This means, that the access token structure was valid, but it didn't pass validation for some reason and the user should call the refresh API.
@@ -347,7 +346,7 @@ async def get_session_without_request_response(
 
     recipe_interface_impl = SessionRecipe.get_instance().recipe_implementation
 
-    session_ = await recipe_interface_impl.get_session(
+    session = await recipe_interface_impl.get_session(
         access_token,
         anti_csrf_token,
         anti_csrf_check,
@@ -357,13 +356,13 @@ async def get_session_without_request_response(
         user_context,
     )
 
-    if session_ is not None:
+    if session is not None:
         claim_validators = await get_required_claim_validators(
-            session_, override_global_claim_validators, user_context
+            session, override_global_claim_validators, user_context
         )
-        await session_.assert_claims(claim_validators, user_context)
+        await session.assert_claims(claim_validators, user_context)
 
-    return session_
+    return session
 
 
 async def refresh_session(

supertokens_python/recipe/session/constants.py

@@ -33,8 +33,8 @@
 
 available_token_transfer_methods: List[TokenTransferMethod] = ["cookie", "header"]
 
-JWKCacheMaxAgeInMs = 60 * 1000 # 1min
-JWKRequestCooldownInMs = 500 # 0.5s
+JWKCacheMaxAgeInMs = 60 * 1000  # 1min
+JWKRequestCooldownInMs = 500  # 0.5s
 protected_props = [
     "sub",
     "iat",

supertokens_python/recipe/session/cookie_and_header.py

@@ -262,7 +262,7 @@ def _set_token(
     expires: int,
     transfer_method: TokenTransferMethod,
 ):
-    log_debug_message(f"Setting {token_type} token as {transfer_method}")
+    log_debug_message("Setting %s token as %s", token_type, transfer_method)
     if transfer_method == "cookie":
         _set_cookie(
             response,

supertokens_python/recipe/session/exceptions.py

@@ -31,8 +31,17 @@ def raise_try_refresh_token_exception(ex: Union[str, Exception]) -> NoReturn:
     raise TryRefreshTokenError(ex) from None
 
 
-def raise_unauthorised_exception(msg: str, clear_tokens: bool = True) -> NoReturn:
-    raise UnauthorisedError(msg, clear_tokens) from None
+def raise_unauthorised_exception(
+    msg: str,
+    clear_tokens: bool = True,
+    response_mutators: Optional[List[ResponseMutator]] = None,
+) -> NoReturn:
+    if response_mutators is not None:
+        response_mutators = []
+
+    err = UnauthorisedError(msg, clear_tokens)
+    err.response_mutators.extend(UnauthorisedError.response_mutators)
+    raise err
 
 
 class SuperTokensSessionError(SuperTokensError):

supertokens_python/recipe/session/jwt.py

@@ -16,13 +16,10 @@
 
 from supertokens_python.utils import utf_base64decode, utf_base64encode
 
-"""
-why separators is used in dumps:
-- without it's use, output of dumps is: '{"alg": "RS256", "typ": "JWT", "version": "1"}'
-- with it's use, output of dumps is: '{"alg":"RS256","typ":"JWT","version":"1"}'
-
-we require the non-spaced version, else the base64 encoding string will end up different than required
-"""
+# why separators is used in dumps:
+# - without it's use, output of dumps is: '{"alg": "RS256", "typ": "JWT", "version": "1"}'
+# - with it's use, output of dumps is: '{"alg":"RS256","typ":"JWT","version":"1"}'
+# we require the non-spaced version, else the base64 encoding string will end up different than required
 _allowed_headers = [
     utf_base64encode(
         dumps(

supertokens_python/recipe/session/recipe.py

@@ -58,6 +58,7 @@
 from .recipe_implementation import (
     RecipeImplementation,
 )
+from .api import handle_refresh_api, handle_signout_api
 from .utils import (
     InputErrorHandlers,
     InputOverrideConfig,
@@ -191,9 +192,6 @@ async def handle_api_request(
         method: str,
         response: BaseResponse,
     ) -> Union[BaseResponse, None]:
-        # TODO: See if this import can be done globally without triggering cyclic import issues
-        from .api import handle_refresh_api, handle_signout_api
-
         if request_id == SESSION_REFRESH:
             return await handle_refresh_api(
                 self.api_implementation,
@@ -216,7 +214,7 @@ async def handle_api_request(
                     self.recipe_implementation,
                 ),
             )
-        return await self.openid_recipe.handle_api_request(  # FIXME: Update nested functions to also return None if nothing matches
+        return await self.openid_recipe.handle_api_request(
             request_id, request, path, method, response
         )
 

supertokens_python/recipe/session/recipe_implementation.py

@@ -203,9 +203,7 @@ async def get_session(
                 access_token_obj.payload, access_token_obj.version
             )
         except Exception:
-            if (
-                session_required is False
-            ):  # FIXME: But we are setting the default to None instead of False
+            if session_required is False:
                 log_debug_message(
                     "getSession: Returning undefined because parsing failed and session_required is False"
                 )

supertokens_python/recipe/session/session_functions.py

@@ -117,7 +117,9 @@ async def create_new_session(
 
     return CreateOrRefreshAPIResponse(
         CreateOrRefreshAPIResponseSession(
-            response["handle"], response["userId"], response["userDataInJWT"]
+            response["session"]["handle"],
+            response["session"]["userId"],
+            response["session"]["userDataInJWT"],
         ),
         TokenInfo(
             response["accessToken"]["token"],
@@ -327,7 +329,9 @@ async def refresh_session(
         response.pop("status", None)
         return CreateOrRefreshAPIResponse(
             CreateOrRefreshAPIResponseSession(
-                response["handle"], response["userId"], response["userDataInJWT"]
+                response["session"]["handle"],
+                response["session"]["userId"],
+                response["session"]["userDataInJWT"],
             ),
             TokenInfo(
                 response["accessToken"]["token"],

supertokens_python/recipe/session/session_request_functions.py

@@ -13,10 +13,9 @@
 # under the License.
 from __future__ import annotations
 
-from typing import Any, Callable, Dict, List, Optional, Union
+from typing import Any, Callable, Dict, List, Optional, Union, TYPE_CHECKING
 
 from supertokens_python.logger import log_debug_message
-from supertokens_python.recipe.session import SessionRecipe
 from supertokens_python.recipe.session.access_token import (
     validate_access_token_structure,
 )
@@ -38,8 +37,8 @@
     SessionClaimValidator,
     SessionContainer,
 )
-from supertokens_python.exceptions import SuperTokensError
 from supertokens_python.recipe.session.exceptions import (
+    SuperTokensSessionError,
     TokenTheftError,
     UnauthorisedError,
 )
@@ -61,6 +60,10 @@
     normalise_http_method,
     set_request_in_user_context_if_not_defined,
 )
+from supertokens_python import Supertokens
+
+if TYPE_CHECKING:
+    from supertokens_python.recipe.session.recipe import SessionRecipe
 
 LEGACY_ID_REFRESH_TOKEN_COOKIE_NAME = "sIdRefreshToken"
 
@@ -84,7 +87,7 @@ async def get_session_from_request(
 
     if not hasattr(request, "wrapper_used") or not request.wrapper_used:
         request = FRAMEWORKS[
-            SessionRecipe.get_instance().app_info.framework
+            Supertokens.get_instance().app_info.framework
         ].wrap_request(request)
 
     log_debug_message("getSession: Wrapping done")
@@ -219,7 +222,7 @@ async def create_new_session_in_request(
 
     if not hasattr(request, "wrapper_used") or not request.wrapper_used:
         request = FRAMEWORKS[
-            SessionRecipe.get_instance().app_info.framework
+            Supertokens.get_instance().app_info.framework
         ].wrap_request(request)
 
     log_debug_message("createNewSession: Wrapping done")
@@ -265,14 +268,12 @@ async def create_new_session_in_request(
         )
 
     disable_anti_csrf = output_transfer_method == "header"
-    session = (
-        await SessionRecipe.get_instance().recipe_implementation.create_new_session(
-            user_id,
-            final_access_token_payload,
-            session_data_in_database,
-            disable_anti_csrf,
-            user_context=user_context,
-        )
+    session = await recipe_instance.recipe_implementation.create_new_session(
+        user_id,
+        final_access_token_payload,
+        session_data_in_database,
+        disable_anti_csrf,
+        user_context=user_context,
     )
 
     log_debug_message("createNewSession: Session created in core built")
@@ -310,7 +311,7 @@ async def refresh_session_in_request(
 
     if not hasattr(request, "wrapper_used") or not request.wrapper_used:
         request = FRAMEWORKS[
-            SessionRecipe.get_instance().app_info.framework
+            Supertokens.get_instance().app_info.framework
         ].wrap_request(request)
 
     log_debug_message("refreshSession: Wrapping done")
@@ -370,6 +371,7 @@ async def refresh_session_in_request(
         return raise_unauthorised_exception(
             "Refresh token not found. Are you sending the refresh token in the request?",
             clear_tokens=False,
+            response_mutators=response_mutators,
         )
 
     assert refresh_token is not None
@@ -394,7 +396,7 @@ async def refresh_session_in_request(
         session = await recipe_interface_impl.refresh_session(
             refresh_token, anti_csrf_token, disable_anti_csrf, user_context
         )
-    except SuperTokensError as e:
+    except SuperTokensSessionError as e:
         if isinstance(e, TokenTheftError) or (
             isinstance(e, UnauthorisedError) and getattr(e, "clear_tokens") is True
         ):
@@ -414,6 +416,7 @@ async def refresh_session_in_request(
                     )
                 )
 
+        e.response_mutators.extend(response_mutators)
         raise e
 
     log_debug_message(

tests/Fastapi/test_fastapi.py

@@ -18,6 +18,7 @@
 from fastapi.requests import Request
 from fastapi.testclient import TestClient
 from pytest import fixture, mark
+
 from supertokens_python import InputAppInfo, SupertokensConfig, init
 from supertokens_python.framework.fastapi import get_middleware
 from supertokens_python.recipe import emailpassword, session
@@ -599,6 +600,9 @@ async def refresh_post(
     assert res.status_code == 401
     assert_info_clears_tokens(info, token_transfer_method)
 
+    assert info["sIdRefreshToken"]["value"] == ""
+    assert info["sIdRefreshToken"]["expires"] == "Thu, 01 Jan 1970 00:00:00 GMT"
+
 
 @mark.asyncio
 @mark.parametrize("token_transfer_method", ["cookie", "header"])
@@ -623,3 +627,39 @@ async def test_revoking_session_after_create_new_session_with_throwing_unauthori
 
     assert res.status_code == 401
     assert_info_clears_tokens(info, token_transfer_method)
+
+
+@mark.asyncio
+async def test_session_with_legacy_refresh_token_and_unauthorized_should_clear_legacy_token(
+    driver_config_client: TestClient,
+):
+    init(
+        **get_st_init_args(
+            [
+                session.init(
+                    anti_csrf="VIA_TOKEN",
+                )
+            ]
+        )
+    )  # type: ignore
+    start_st()
+
+    headers: Dict[str, Any] = {}
+    cookies: Dict[str, Any] = {}
+
+    cookies.update(
+        # Invalid refresh token so that core throws an unauthorized error
+        {"sRefreshToken": "non-existing-token", "sIdRefreshToken": "irrelevant-value"}
+    )
+
+    res = driver_config_client.post(
+        "/auth/session/refresh", headers=headers, cookies=cookies
+    )
+    info = extract_info(res)
+
+    assert res.status_code == 401
+    assert res.json() == {"message": "unauthorised"}
+    assert_info_clears_tokens(info, "cookie")
+
+    assert info["sIdRefreshToken"]["value"] == ""
+    assert info["sIdRefreshToken"]["expires"] == "Thu, 01 Jan 1970 00:00:00 GMT"