Merge pull request #511 from supertokens/fix/always_clear_in_401_refreshes

rishabhpoddar · web-flow · commit 534d345c363a · 2024-07-09T22:41:55.000+05:30
test: move the session object and claims to the BE sdk server
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.23.1] - 2024-07-09
+
+### Changes
+
+-   `refresh_post` and `refresh_session` now clears all user tokens upon CSRF failures and if no tokens are found. See the latest comment on https://github.com/supertokens/supertokens-node/issues/141 for more details.
+
 ## [0.23.0] - 2024-06-24
 
 ### Breaking change
diff --git a/setup.py b/setup.py
@@ -83,7 +83,7 @@
 
 setup(
     name="supertokens_python",
-    version="0.23.0",
+    version="0.23.1",
     author="SuperTokens",
     license="Apache 2.0",
     author_email="team@supertokens.com",
diff --git a/supertokens_python/constants.py b/supertokens_python/constants.py
@@ -14,7 +14,7 @@
 from __future__ import annotations
 
 SUPPORTED_CDI_VERSIONS = ["3.0"]
-VERSION = "0.23.0"
+VERSION = "0.23.1"
 TELEMETRY = "/telemetry"
 USER_COUNT = "/users/count"
 USER_DELETE = "/user/remove"
diff --git a/supertokens_python/recipe/session/session_request_functions.py b/supertokens_python/recipe/session/session_request_functions.py
@@ -439,7 +439,7 @@ async def refresh_session_in_request(
 
         return raise_unauthorised_exception(
             "Refresh token not found. Are you sending the refresh token in the request?",
-            clear_tokens=False,
+            clear_tokens=True,
             response_mutators=response_mutators,
         )
 
@@ -460,7 +460,7 @@ async def refresh_session_in_request(
             # see https://github.com/supertokens/supertokens-node/issues/141
             raise_unauthorised_exception(
                 "anti-csrf check failed. Please pass 'rid: \"session\"' header in the request.",
-                clear_tokens=False,
+                clear_tokens=True,
             )
         disable_anti_csrf = True
 
diff --git a/tests/sessions/test_auth_mode.py b/tests/sessions/test_auth_mode.py
@@ -475,15 +475,15 @@ async def test_should_update_acccess_token_payload(
 @mark.parametrize(
     "transfer_method, auth_header, auth_cookie, output, set_tokens, cleared_tokens",
     [
-        ("any", False, False, "unauthorised", None, None),
-        ("header", False, False, "unauthorised", None, None),
-        ("cookie", False, False, "unauthorised", None, None),
+        ("any", False, False, "unauthorised", None, "both"),
+        ("header", False, False, "unauthorised", None, "both"),
+        ("cookie", False, False, "unauthorised", None, "both"),
         ("any", False, True, "validatecookie", "cookies", None),
-        ("header", False, True, "unauthorised", None, None),
+        ("header", False, True, "unauthorised", None, "both"),
         ("cookie", False, True, "validatecookie", "cookies", None),
         ("any", True, False, "validateheader", "headers", None),
         ("header", True, False, "validateheader", "headers", None),
-        ("cookie", True, False, "unauthorised", None, None),
+        ("cookie", True, False, "unauthorised", None, "both"),
         ("any", True, True, "validateheader", "headers", "cookies"),
         ("header", True, True, "validateheader", "headers", "cookies"),
         ("cookie", True, True, "validatecookie", "cookies", "headers"),
@@ -544,6 +544,18 @@ async def test_refresh_session_parametrized(
             refresh_result["sRefreshToken"]["expires"]
             == "Thu, 01 Jan 1970 00:00:00 GMT"
         )
+    elif cleared_tokens == "both":
+        assert refresh_result["accessTokenFromHeader"] == ""
+        assert refresh_result["refreshTokenFromHeader"] == ""
+        assert refresh_result["accessToken"] == ""
+        assert (
+            refresh_result["sAccessToken"]["expires"] == "Thu, 01 Jan 1970 00:00:00 GMT"
+        )
+        assert refresh_result["refreshToken"] == ""
+        assert (
+            refresh_result["sRefreshToken"]["expires"]
+            == "Thu, 01 Jan 1970 00:00:00 GMT"
+        )
 
     if set_tokens == "headers":
         assert refresh_result["accessTokenFromHeader"] != ""
@@ -565,12 +577,13 @@ async def test_refresh_session_parametrized(
     else:
         assert False, "Invalid set_tokens value"
 
-    if set_tokens != "cookies" and cleared_tokens != "cookies":
-        assert refresh_result["accessToken"] is None
-        assert refresh_result["refreshToken"] is None
-    elif set_tokens != "headers" and cleared_tokens != "headers":
-        assert refresh_result["accessTokenFromHeader"] is None
-        assert refresh_result["refreshTokenFromHeader"] is None
+    if cleared_tokens != "both":
+        if set_tokens != "cookies" and cleared_tokens != "cookies":
+            assert refresh_result["accessToken"] is None
+            assert refresh_result["refreshToken"] is None
+        elif set_tokens != "headers" and cleared_tokens != "headers":
+            assert refresh_result["accessTokenFromHeader"] is None
+            assert refresh_result["refreshTokenFromHeader"] is None
 
 
 async def refresh_session(

Original file line number	Diff line number	Diff line change
`@@ -439,7 +439,7 @@ async def refresh_session_in_request(`
`439`	`439`
`440`	`440`	`return raise_unauthorised_exception(`
`441`	`441`	`"Refresh token not found. Are you sending the refresh token in the request?",`
`442`		`- clear_tokens=False,`
	`442`	`+ clear_tokens=True,`
`443`	`443`	`response_mutators=response_mutators,`
`444`	`444`	`)`
`445`	`445`
`@@ -460,7 +460,7 @@ async def refresh_session_in_request(`
`460`	`460`	`# see https://github.com/supertokens/supertokens-node/issues/141`
`461`	`461`	`raise_unauthorised_exception(`
`462`	`462`	`"anti-csrf check failed. Please pass 'rid: \"session\"' header in the request.",`
`463`		`- clear_tokens=False,`
	`463`	`+ clear_tokens=True,`
`464`	`464`	`)`
`465`	`465`	`disable_anti_csrf = True`
`466`	`466`