supertokens · rishabhpoddar · Feb 1, 2023 · Dec 5, 2022 · Dec 13, 2022 · Dec 14, 2022
diff --git a/supertokens_python/framework/django/framework.py b/supertokens_python/framework/django/framework.py
@@ -19,11 +19,16 @@
 from supertokens_python.framework.types import Framework
 
 if TYPE_CHECKING:
-    from django.http import HttpRequest
+    from django.http import HttpRequest, HttpResponse
 
 
 class DjangoFramework(Framework):
     def wrap_request(self, unwrapped: HttpRequest):
         from supertokens_python.framework.django.django_request import DjangoRequest
 
         return DjangoRequest(unwrapped)
+
+    def wrap_response(self, unwrapped: HttpResponse):
+        from supertokens_python.framework.django.django_response import DjangoResponse
+
+        return DjangoResponse(unwrapped)
diff --git a/supertokens_python/framework/fastapi/framework.py b/supertokens_python/framework/fastapi/framework.py
@@ -18,11 +18,18 @@
 from supertokens_python.framework.types import Framework
 
 if TYPE_CHECKING:
-    from fastapi import Request
+    from fastapi import Request, Response
 
 
 class FastapiFramework(Framework):
     def wrap_request(self, unwrapped: Request):
         from supertokens_python.framework.fastapi.fastapi_request import FastApiRequest
 
         return FastApiRequest(unwrapped)
+
+    def wrap_response(self, unwrapped: Response):
+        from supertokens_python.framework.fastapi.fastapi_response import (
+            FastApiResponse,
+        )
+
+        return FastApiResponse(unwrapped)
diff --git a/supertokens_python/framework/flask/framework.py b/supertokens_python/framework/flask/framework.py
@@ -18,11 +18,16 @@
 from supertokens_python.framework.types import Framework
 
 if TYPE_CHECKING:
-    from flask.wrappers import Request
+    from flask.wrappers import Request, Response
 
 
 class FlaskFramework(Framework):
     def wrap_request(self, unwrapped: Request):
         from supertokens_python.framework.flask.flask_request import FlaskRequest
 
         return FlaskRequest(unwrapped)
+
+    def wrap_response(self, unwrapped: Response):
+        from supertokens_python.framework.flask.flask_response import FlaskResponse
+
+        return FlaskResponse(unwrapped)
diff --git a/supertokens_python/recipe/emailpassword/api/implementation.py b/supertokens_python/recipe/emailpassword/api/implementation.py
@@ -169,7 +169,10 @@ async def sign_in_post(
 
         user = result.user
         session = await create_new_session(
-            api_options.request, user.user_id, user_context=user_context
+            api_options.request,
+            api_options.response,
+            user.user_id,
+            user_context=user_context,
         )
         return SignInPostOkResult(user, session)
 
@@ -204,6 +207,9 @@ async def sign_up_post(
 
         user = result.user
         session = await create_new_session(
-            api_options.request, user.user_id, user_context=user_context
+            api_options.request,
+            api_options.response,
+            user.user_id,
+            user_context=user_context,
         )
         return SignUpPostOkResult(user, session)
diff --git a/supertokens_python/recipe/emailverification/api/email_verify.py b/supertokens_python/recipe/emailverification/api/email_verify.py
@@ -46,6 +46,7 @@ async def handle_email_verify_api(
 
         session = await get_session(
             api_options.request,
+            api_options.response,
             session_required=False,
             override_global_claim_validators=lambda _, __, ___: [],
             user_context=user_context,
@@ -60,6 +61,7 @@ async def handle_email_verify_api(
 
         session = await get_session(
             api_options.request,
+            api_options.response,
             override_global_claim_validators=lambda _, __, ___: [],
             user_context=user_context,
         )

diff --git a/supertokens_python/recipe/emailverification/api/generate_email_verify_token.py b/supertokens_python/recipe/emailverification/api/generate_email_verify_token.py
@@ -29,6 +29,7 @@ async def handle_generate_email_verify_token_api(
     user_context = default_user_context(api_options.request)
     session = await get_session(
         api_options.request,
+        api_options.response,
         override_global_claim_validators=lambda _, __, ___: [],
         user_context=user_context,
     )

diff --git a/supertokens_python/recipe/passwordless/api/implementation.py b/supertokens_python/recipe/passwordless/api/implementation.py
@@ -288,7 +288,12 @@ async def consume_code_post(
                     )
 
         session = await create_new_session(
-            api_options.request, user.user_id, {}, {}, user_context=user_context
+            api_options.request,
+            api_options.response,
+            user.user_id,
+            {},
+            {},
+            user_context=user_context,
         )
 
         return ConsumeCodePostOkResult(

diff --git a/supertokens_python/recipe/session/__init__.py b/supertokens_python/recipe/session/__init__.py
@@ -13,18 +13,18 @@
 # under the License.
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Callable, Union
+from typing import TYPE_CHECKING, Any, Callable, Dict, Union
 
 from typing_extensions import Literal
 
 if TYPE_CHECKING:
     from ...recipe_module import RecipeModule
-    from supertokens_python.supertokens import AppInfo
+    from supertokens_python.supertokens import AppInfo, BaseRequest
+    from .utils import TokenTransferMethod
 
 from . import exceptions as ex
+from . import interfaces, utils
 from .recipe import SessionRecipe
-from . import utils
-from . import interfaces
 
 InputErrorHandlers = utils.InputErrorHandlers
 InputOverrideConfig = utils.InputOverrideConfig
@@ -39,6 +39,13 @@ def init(
     cookie_same_site: Union[Literal["lax", "none", "strict"], None] = None,
     session_expired_status_code: Union[int, None] = None,
     anti_csrf: Union[Literal["VIA_TOKEN", "VIA_CUSTOM_HEADER", "NONE"], None] = None,
+    get_token_transfer_method: Union[
+        Callable[
+            [BaseRequest, bool, Dict[str, Any]],
+            Union[TokenTransferMethod, Literal["any"]],
+        ],
+        None,
+    ] = None,
     error_handlers: Union[InputErrorHandlers, None] = None,
     override: Union[InputOverrideConfig, None] = None,
     jwt: Union[JWTConfig, None] = None,
@@ -50,6 +57,7 @@ def init(
         cookie_same_site,
         session_expired_status_code,
         anti_csrf,
+        get_token_transfer_method,
         error_handlers,
         override,
         jwt,

diff --git a/supertokens_python/recipe/session/access_token.py b/supertokens_python/recipe/session/access_token.py
@@ -13,13 +13,13 @@
 # under the License.
 from __future__ import annotations
 
-from typing import Any, Union
+from typing import Any, Dict, Union
 
 from supertokens_python.logger import log_debug_message
 from supertokens_python.utils import get_timestamp_ms
 
 from .exceptions import raise_try_refresh_token_exception
-from .jwt import get_payload
+from .jwt import ParsedJWTInfo, verify_jwt
 
 
 def sanitize_string(s: Any) -> Union[str, None]:
@@ -41,10 +41,15 @@ def sanitize_number(n: Any) -> Union[Union[int, float], None]:
 
 
 def get_info_from_access_token(
-    token: str, jwt_signing_public_key: str, do_anti_csrf_check: bool
+    jwt_info: ParsedJWTInfo, jwt_signing_public_key: str, do_anti_csrf_check: bool
 ):
     try:
-        payload = get_payload(token, jwt_signing_public_key)
+        verify_jwt(jwt_info, jwt_signing_public_key)
+        payload = jwt_info.payload
+
+        validate_access_token_structure(payload)
+        # FIXME: Find equivalent of ! in nodejs that is cleaner than asserts?
+
         session_handle = sanitize_string(payload.get("sessionHandle"))
         user_id = sanitize_string(payload.get("userId"))
         refresh_token_hash_1 = sanitize_string(payload.get("refreshTokenHash1"))
@@ -56,18 +61,11 @@ def get_info_from_access_token(
         expiry_time = sanitize_number(payload.get("expiryTime"))
         time_created = sanitize_number(payload.get("timeCreated"))
 
-        if (
-            (session_handle is None)
-            or (user_data is None)
-            or (refresh_token_hash_1 is None)
-            or (user_data is None)
-            or (anti_csrf_token is None and do_anti_csrf_check)
-            or (expiry_time is None)
-            or (time_created is None)
-        ):
-            raise Exception(
-                "Access token does not contain all the information. Maybe the structure has changed?"
-            )
+        if anti_csrf_token is None and do_anti_csrf_check:
+            raise Exception("Access token does not contain the anti-csrf token")
+
+        # FIXME: Find equivalent of ! from nodejs (cleaner than assert)
+        assert isinstance(expiry_time, int)
 
         if expiry_time < get_timestamp_ms():
             raise Exception("Access token expired")
@@ -87,3 +85,16 @@ def get_info_from_access_token(
             "getSession: Returning TRY_REFRESH_TOKEN because failed to decode access token"
         )
         raise_try_refresh_token_exception(e)
+
+
+def validate_access_token_structure(payload: Dict[str, Any]) -> None:
+    if (
+        not isinstance(payload.get("sessionHandle"), str)
+        or not isinstance(payload.get("userData"), str)
+        or not isinstance(payload.get("refreshTokenHash1"), str)
+        or not isinstance(payload.get("expiryTime"), int)
+        or not isinstance(payload.get("timeCreated"), int)
+    ):
+        raise Exception(
+            "Access token does not contain all the information. Maybe the structure has changed?"
+        )
diff --git a/supertokens_python/recipe/session/api/implementation.py b/supertokens_python/recipe/session/api/implementation.py
@@ -38,7 +38,7 @@ async def refresh_post(
         self, api_options: APIOptions, user_context: Dict[str, Any]
     ) -> SessionContainer:
         return await api_options.recipe_implementation.refresh_session(
-            api_options.request, user_context
+            api_options.request, api_options.response, user_context
         )
 
     async def signout_post(
@@ -71,10 +71,11 @@ async def verify_session(
         refresh_token_path = api_options.config.refresh_token_path
         if incoming_path.equals(refresh_token_path) and method == "post":
             return await api_options.recipe_implementation.refresh_session(
-                api_options.request, user_context
+                api_options.request, api_options.response, user_context
             )
         session = await api_options.recipe_implementation.get_session(
             api_options.request,
+            api_options.response,
             anti_csrf_check,
             session_required,
             user_context,

diff --git a/supertokens_python/recipe/session/api/signout.py b/supertokens_python/recipe/session/api/signout.py
@@ -31,6 +31,7 @@ async def handle_signout_api(api_implementation: APIInterface, api_options: APIO
 
     session = await api_options.recipe_implementation.get_session(
         request=api_options.request,
+        response=api_options.response,
         anti_csrf_check=None,
         session_required=False,
         user_context=user_context,

diff --git a/supertokens_python/recipe/session/asyncio/__init__.py b/supertokens_python/recipe/session/asyncio/__init__.py
@@ -42,6 +42,7 @@
 
 async def create_new_session(
     request: Any,
+    response: Any,
     user_id: str,
     access_token_payload: Union[Dict[str, Any], None] = None,
     session_data: Union[Dict[str, Any], None] = None,
@@ -68,8 +69,14 @@ async def create_new_session(
             SessionRecipe.get_instance().app_info.framework
         ].wrap_request(request)
 
+    if not hasattr(response, "wrapper_used") or not response.wrapper_used:
+        response = FRAMEWORKS[
+            SessionRecipe.get_instance().app_info.framework
+        ].wrap_response(response)
+
     return await SessionRecipe.get_instance().recipe_implementation.create_new_session(
         request,
+        response,
         user_id,
         final_access_token_payload,
         session_data,
@@ -237,6 +244,7 @@ async def remove_claim(
 
 async def get_session(
     request: Any,
+    response: Any,
     anti_csrf_check: Union[bool, None] = None,
     session_required: bool = True,
     override_global_claim_validators: Optional[
@@ -257,6 +265,7 @@ async def get_session(
     session_recipe_impl = SessionRecipe.get_instance().recipe_implementation
     session = await session_recipe_impl.get_session(
         request,
+        response,
         anti_csrf_check,
         session_required,
         user_context,
@@ -272,16 +281,21 @@ async def get_session(
 
 
 async def refresh_session(
-    request: Any, user_context: Union[None, Dict[str, Any]] = None
+    request: Any, response: Any, user_context: Union[None, Dict[str, Any]] = None
 ) -> SessionContainer:
     if user_context is None:
         user_context = {}
     if not hasattr(request, "wrapper_used") or not request.wrapper_used:
         request = FRAMEWORKS[
             SessionRecipe.get_instance().app_info.framework
         ].wrap_request(request)
+    if not hasattr(response, "wrapper_used") or not response.wrapper_used:
+        response = FRAMEWORKS[
+            SessionRecipe.get_instance().app_info.framework
+        ].wrap_response(response)
+
     return await SessionRecipe.get_instance().recipe_implementation.refresh_session(
-        request, user_context
+        request, response, user_context
     )
 
 

diff --git a/supertokens_python/recipe/session/constants.py b/supertokens_python/recipe/session/constants.py
@@ -11,6 +11,7 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+
 SESSION_REFRESH = "/session/refresh"
 SIGNOUT = "/signout"
 ACCESS_TOKEN_COOKIE_KEY = "sAccessToken"
@@ -22,3 +23,5 @@
 ID_REFRESH_TOKEN_HEADER_SET_KEY = "id-refresh-token"
 ID_REFRESH_TOKEN_HEADER_GET_KEY = "id-refresh-token"
 ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers"
+
+available_token_transfer_methods = ["cookie", "header"]