Merge pull request #464 from supertokens/flask-fix

fix: flask issue with gunicorn

Author: rishabhpoddar

CHANGELOG.md

@@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.18.3] - 2023-12-07
+
+- Fixes security issue with shared `g` objects from gunicorn: https://github.com/supertokens/supertokens-python/issues/463
+
 ## [0.18.2] - 2023-12-05
 
 - Updates LinkedIn OAuth implementation as per the latest [changes](https://learn.microsoft.com/en-us/linkedin/consumer/integrations/self-serve/sign-in-with-linkedin-v2?context=linkedin%2Fconsumer%2Fcontext#authenticating-members).

setup.py

@@ -70,7 +70,7 @@
 
 setup(
     name="supertokens_python",
-    version="0.18.2",
+    version="0.18.3",
     author="SuperTokens",
     license="Apache 2.0",
     author_email="[email protected]",

supertokens_python/constants.py

@@ -14,7 +14,7 @@
 from __future__ import annotations
 
 SUPPORTED_CDI_VERSIONS = ["3.0"]
-VERSION = "0.18.2"
+VERSION = "0.18.3"
 TELEMETRY = "/telemetry"
 USER_COUNT = "/users/count"
 USER_DELETE = "/user/remove"

supertokens_python/framework/flask/flask_middleware.py

@@ -73,6 +73,16 @@ def _(response: Response):
 
             return response_.response
 
+        @app.teardown_request
+        def _(_):
+            from flask import g
+
+            if hasattr(g, "supertokens"):
+                # this is to ensure there are no shared objects between requests.
+                # calling any other API with a shared request causes a security issue, resulting in unintentional
+                # sign-ins. More on this here - https://github.com/supertokens/supertokens-python/issues/463
+                g.pop("supertokens")
+
     def set_error_handler(self):
         app = self.app
         from supertokens_python.exceptions import SuperTokensError

tests/Flask/test_flask.py

@@ -848,3 +848,51 @@ def test_that_verify_session_return_401_if_access_token_is_not_sent_and_middlewa
         "/verify", headers={"Authorization": "Bearer " + s.get_access_token()}
     )
     assert res.status_code == 200
+
+
+@fixture(scope="function")
+def flask_app_that_checks_for_supertokens_in_g():
+    app = Flask(__name__)
+
+    app.testing = True
+
+    @app.teardown_request
+    def _(_):
+        assert hasattr(g, "supertokens") is False
+
+    Middleware(app)
+
+    init(
+        supertokens_config=SupertokensConfig("http://localhost:3567"),
+        app_info=InputAppInfo(
+            app_name="SuperTokens Demo",
+            api_domain="http://api.supertokens.io",
+            website_domain="http://supertokens.io",
+            api_base_path="/auth",
+        ),
+        framework="flask",
+        recipe_list=[
+            session.init(
+                anti_csrf="VIA_TOKEN",
+                cookie_domain="supertokens.io",
+                get_token_transfer_method=lambda _, __, ___: "cookie",
+            ),
+        ],
+    )
+
+    @app.route("/create-session")  # type: ignore
+    def create_session_api():  # type: ignore
+        create_new_session(request, "public", "userId", {}, {})
+        return jsonify({})
+
+    return app
+
+
+def test_that_supertokens_is_not_in_g_if_middleware_is_not_added(
+    flask_app_that_checks_for_supertokens_in_g: Any,
+):
+    start_st()
+
+    client = flask_app_that_checks_for_supertokens_in_g.test_client()
+
+    assert client.get("/create-session").status_code == 200