1313# under the License.
1414
1515from datetime import datetime , timedelta
16- from typing import Any , Dict , List
16+ from typing import Any , Dict , List , Optional
1717from unittest .mock import MagicMock
1818
19- from fastapi import FastAPI
19+ from fastapi import FastAPI , Depends
2020from fastapi .requests import Request
21+ from fastapi .responses import JSONResponse
2122from fastapi .testclient import TestClient
2223from pytest import fixture , mark
2324
4142 merge_into_access_token_payload ,
4243 update_session_data_in_database ,
4344)
44- from supertokens_python .recipe .session .interfaces import RecipeInterface
45+ from supertokens_python .recipe .session .interfaces import (
46+ RecipeInterface ,
47+ SessionContainer ,
48+ )
4549from supertokens_python .recipe .session .jwt import (
4650 parse_jwt_without_signature_verification ,
4751)
5256 refresh_session ,
5357 revoke_session ,
5458)
59+ from supertokens_python .recipe .session .framework .fastapi import verify_session
5560from tests .utils import clean_st , reset , setup_st , start_st
5661
5762pytestmark = mark .asyncio
@@ -251,6 +256,13 @@ async def create_api(request: Request): # type: ignore
251256 await async_create_new_session (request , "test-user" , {}, {})
252257 return ""
253258
259+ @app .post ("/sessioninfo-optional" )
260+ async def _session_info (s : Optional [SessionContainer ] = Depends (verify_session (session_required = False ))): # type: ignore
261+ if s is not None :
262+ return JSONResponse ({"session" : s .get_handle (), "user_id" : s .get_user_id ()})
263+ else :
264+ return JSONResponse ({"message" : "no session" })
265+
254266 return TestClient (app )
255267
256268
@@ -707,7 +719,7 @@ async def test_that_verify_session_doesnt_always_call_core():
707719 assert session3 .refresh_token is not None
708720
709721 assert (
710- AllowedProcessStates .CALLING_SERVICE_IN_VERIFY
722+ AllowedProcessStates .CALLING_SERVICE_IN_VERIFYG
711723 not in ProcessState .get_instance ().history
712724 )
713725
@@ -724,3 +736,49 @@ async def test_that_verify_session_doesnt_always_call_core():
724736 AllowedProcessStates .CALLING_SERVICE_IN_VERIFY
725737 in ProcessState .get_instance ().history
726738 ) # Core got called this time
739+
740+
741+ async def test_anti_csrf_header_via_custom_header_check_happens_only_when_access_token_is_provided (
742+ driver_config_client : TestClient ,
743+ ):
744+ args = get_st_init_args ([session .init (anti_csrf = "VIA_CUSTOM_HEADER" , get_token_transfer_method = lambda * _ : "cookie" )]) # type: ignore
745+ init (** args ) # type: ignore
746+ start_st ()
747+
748+ response = driver_config_client .post ("/create" )
749+ assert response .status_code == 200
750+
751+ # With access token:
752+ # without RID:
753+ response = driver_config_client .post ("/sessioninfo-optional" )
754+ assert response .status_code == 401
755+ assert response .json () == {"message" : "try refresh token" }
756+
757+ # with RID:
758+ response = driver_config_client .post (
759+ "/sessioninfo-optional" ,
760+ headers = {
761+ "rid" : "session" ,
762+ },
763+ )
764+ assert response .status_code == 200
765+ assert list (response .json ()) == ["session" , "user_id" ]
766+
767+ # Clear access tokens:
768+ driver_config_client .cookies .clear ()
769+
770+ # Without access tokens:
771+ # without RID:
772+ response = driver_config_client .post ("/sessioninfo-optional" )
773+ assert response .status_code == 200
774+ assert response .json () == {"message" : "no session" }
775+
776+ # with RID:
777+ response = driver_config_client .post (
778+ "/sessioninfo-optional" ,
779+ headers = {
780+ "rid" : "session" ,
781+ },
782+ )
783+ assert response .status_code == 200
784+ assert response .json () == {"message" : "no session" }
0 commit comments