Merge pull request #384 from supertokens/test/access-token-validation

rishabhpoddar · web-flow · commit e6e798d2d2ab · 2023-08-03T11:30:05.000+05:30
test: Add test for access token validation
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -31,8 +31,10 @@
 -   [ ] If have added a new web framework, update the `supertokens_python/utils.py` file to include that in the `FRAMEWORKS` variable
 -   [ ] If added a new recipe that has a User type with extra info, then be sure to change the User type in supertokens_python/types.py
 -   [ ] Make sure that `syncio` / `asyncio` functions are consistent.
- 
+-   [ ] If access token structure has changed
+    -   Modified test in `tests/sessions/test_access_token_version.py` to account for any new claims that are optional or omitted by the core
+
 ## Remaining TODOs for this PR
 
 -   [ ] Item1
--   [ ] Item2
+-   [ ] Item2
diff --git a/tests/sessions/test_access_token_version.py b/tests/sessions/test_access_token_version.py
@@ -13,6 +13,9 @@
 from supertokens_python.recipe.session.jwt import (
     parse_jwt_without_signature_verification,
 )
+from supertokens_python.recipe.session.access_token import (
+    validate_access_token_structure,
+)
 from tests.utils import get_st_init_args, setup_function, start_st, teardown_function
 
 _ = setup_function  # type:ignore
@@ -197,3 +200,64 @@ async def test_should_validate_v3_tokens_with_check_database_enabled(app: TestCl
         "sessionExists": True,
         "sessionHandle": info["body"]["sessionHandle"],
     }
+
+
+async def test_validation_logic_with_keys_that_can_use_json_nulls_values_in_claims():
+    """We want to make sure that for access token claims that can be null, the SDK does not fail access token validation if the
+    core does not send them as part of the payload. For this we verify that validation passes when the keys are None, empty,
+    or of a different type.
+
+    For now this test checks for:
+    - antiCsrfToken
+    - parentRefreshTokenHash1
+
+    But this test should be updated to include any keys that the core considers optional in the payload (i.e either it sends
+    JSON null or skips them entirely)
+    """
+
+    V3 = 3
+    payload = {
+        "sessionHandle": "",
+        "sub": "",
+        "refreshTokenHash1": "",
+        "exp": float(0),
+        "iat": float(0),
+    }
+
+    validate_access_token_structure(payload, V3)
+
+    payload = {
+        "sessionHandle": "",
+        "sub": "",
+        "refreshTokenHash1": "",
+        "exp": float(0),
+        "iat": float(0),
+        "parentRefreshTokenHash1": None,
+        "antiCsrfToken": None,
+    }
+
+    validate_access_token_structure(payload, V3)
+
+    payload = {
+        "sessionHandle": "",
+        "sub": "",
+        "refreshTokenHash1": "",
+        "exp": float(0),
+        "iat": float(0),
+        "parentRefreshTokenHash1": "",
+        "antiCsrfToken": "",
+    }
+
+    validate_access_token_structure(payload, V3)
+
+    payload = {
+        "sessionHandle": "",
+        "sub": "",
+        "refreshTokenHash1": "",
+        "exp": float(0),
+        "iat": float(0),
+        "parentRefreshTokenHash1": 1,
+        "antiCsrfToken": 1,
+    }
+
+    validate_access_token_structure(payload, V3)
