fix: ignore protected props in create_new_session functions

KShivendu · KShivendu · commit ddf1a6cabd9f · 2023-09-12T14:39:53.000+05:30
diff --git a/supertokens_python/recipe/session/asyncio/__init__.py b/supertokens_python/recipe/session/asyncio/__init__.py
@@ -41,6 +41,7 @@
     get_session_from_request,
     refresh_session_in_request,
 )
+from ..constants import protected_props
 from ..utils import get_required_claim_validators
 
 from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID
@@ -106,6 +107,10 @@ async def create_new_session_without_request_response(
 
     final_access_token_payload = {**access_token_payload, "iss": issuer}
 
+    for prop in protected_props:
+        if prop in final_access_token_payload:
+            del final_access_token_payload[prop]
+
     for claim in claims_added_by_other_recipes:
         update = await claim.build(user_id, tenant_id, user_context)
         final_access_token_payload = {**final_access_token_payload, **update}
diff --git a/supertokens_python/recipe/session/constants.py b/supertokens_python/recipe/session/constants.py
@@ -42,5 +42,6 @@
     "parentRefreshTokenHash1",
     "refreshTokenHash1",
     "antiCsrfToken",
+    "rsub",
     "tId",
 ]
diff --git a/supertokens_python/recipe/session/recipe_implementation.py b/supertokens_python/recipe/session/recipe_implementation.py
@@ -47,6 +47,7 @@
     from supertokens_python import AppInfo
 
 from .interfaces import SessionContainer
+from .constants import protected_props
 from supertokens_python.querier import Querier
 from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID
 
@@ -378,8 +379,13 @@ async def merge_into_access_token_payload(
         if session_info is None:
             return False
 
+        new_access_token_payload = session_info.custom_claims_in_access_token_payload
+        for k in protected_props:
+            if k in new_access_token_payload:
+                del new_access_token_payload[k]
+
         new_access_token_payload = {
-            **session_info.custom_claims_in_access_token_payload,
+            **new_access_token_payload,
             **access_token_payload_update,
         }
         for k in access_token_payload_update.keys():
diff --git a/supertokens_python/recipe/session/session_request_functions.py b/supertokens_python/recipe/session/session_request_functions.py
@@ -60,6 +60,7 @@
     set_request_in_user_context_if_not_defined,
 )
 from supertokens_python.supertokens import Supertokens
+from .constants import protected_props
 
 if TYPE_CHECKING:
     from supertokens_python.recipe.session.recipe import SessionRecipe
@@ -240,6 +241,10 @@ async def create_new_session_in_request(
 
     final_access_token_payload = {**access_token_payload, "iss": issuer}
 
+    for prop in protected_props:
+        if prop in final_access_token_payload:
+            del final_access_token_payload[prop]
+
     for claim in claims_added_by_other_recipes:
         update = await claim.build(user_id, tenant_id, user_context)
         final_access_token_payload = {**final_access_token_payload, **update}

Original file line number	Diff line number	Diff line change
`@@ -42,5 +42,6 @@`
`42`	`42`	`"parentRefreshTokenHash1",`
`43`	`43`	`"refreshTokenHash1",`
`44`	`44`	`"antiCsrfToken",`
	`45`	`+ "rsub",`
`45`	`46`	`"tId",`
`46`	`47`	`]`