def test_basic_usage_of_sessions():
    """Walk one session through create -> verify -> refresh -> verify -> revoke.

    Every response is checked with ``validate`` against the expected shape, and
    ``ProcessState.get_service_called`` is asserted at each verification step
    (presumably whether the core service had to be contacted — inferred from
    the name).
    """
    start_st()
    initial = create_new_session('userId', {}, {})
    validate(initial, session_with_anti_csrf)

    # Verifying the freshly issued access token must not trigger a service call.
    initial_token = initial['accessToken']['token']
    get_session(initial_token, initial['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()

    refreshed = refresh_session(initial['refreshToken']['token'],
                                initial['antiCsrfToken'])
    validate(refreshed, session_with_anti_csrf)

    # The first verification after a refresh does trigger a service call.
    updated = get_session(refreshed['accessToken']['token'],
                          refreshed['antiCsrfToken'], True)
    assert ProcessState.get_service_called()
    validate(updated, session_verify_with_access_token)

    # Verifying the updated token again (same anti-CSRF token as the refresh)
    # does not trigger a service call.
    reused = get_session(updated['accessToken']['token'],
                         refreshed['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()
    validate(reused, session_verify_without_access_token)

    assert revoke_session(reused['session']['handle'])
def test_anti_csrf_disabled_for_core():
    """With anti-CSRF disabled in config, verification needs no anti-CSRF token.

    ``get_session`` is called with ``None`` as the anti-CSRF token once with CSRF
    protection off and once with it on; both responses are expected to validate.
    """
    set_key_value_in_config(TEST_ENABLE_ANTI_CSRF_CONFIG_KEY, False)
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']

    for csrf_protection_enabled in (False, True):
        verified = get_session(access_token, None, csrf_protection_enabled)
        validate(verified, session_verify_without_access_token)
def test_session_verify_with_anti_csrf():
    """A session verifies when the matching anti-CSRF token is supplied.

    ``get_session`` is called with the session's own anti-CSRF token, first with
    CSRF protection enabled and then disabled; both responses must validate.
    """
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']
    anti_csrf_token = created['antiCsrfToken']

    for csrf_protection_enabled in (True, False):
        verified = get_session(access_token, anti_csrf_token, csrf_protection_enabled)
        validate(verified, session_verify_without_access_token)
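def test_session_verify_without_anti_csrf():
    """Without an anti-CSRF token, verification passes only when CSRF protection is off.

    The second call enables CSRF protection while still passing ``None`` as the
    anti-CSRF token and must raise ``SuperTokensTryRefreshTokenError``.
    """
    start_st()
    session = create_new_session('userId', {}, {})
    access_token = session['accessToken']['token']

    session_get_1 = get_session(access_token, None, False)
    validate(session_get_1, session_verify_without_access_token)

    try:
        get_session(access_token, None, True)
    except SuperTokensTryRefreshTokenError:
        pass
    else:
        # Raise explicitly: a bare ``assert False`` inside the try is stripped
        # under ``python -O`` and would let a missing exception go unnoticed.
        raise AssertionError('expected SuperTokensTryRefreshTokenError when '
                             'CSRF protection is on and no anti-CSRF token is given')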
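def test_token_theft_detection():
    """Reusing an already-used refresh token is reported as token theft.

    After one refresh and a verification of the new access token, the original
    refresh token is presented again; the resulting ``SuperTokensTokenTheftError``
    must carry the user id and session handle of the original session.
    """
    start_st()
    session = create_new_session('userId', {}, {})
    old_refresh_token = session['refreshToken']['token']
    old_anti_csrf_token = session['antiCsrfToken']

    refreshed_session = refresh_session(old_refresh_token, old_anti_csrf_token)
    get_session(refreshed_session['accessToken']['token'],
                refreshed_session['antiCsrfToken'], True)

    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as e:
        assert e.user_id == 'userId'
        assert e.session_handle == session['session']['handle']
    else:
        # Raise explicitly: ``assert False`` is stripped under ``python -O``.
        raise AssertionError('expected SuperTokensTokenTheftError on refresh-token reuse')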
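def test_token_theft_detection_with_api_key():
    """Token-theft detection still works when the core requires an API key.

    Same scenario as ``test_token_theft_detection``, but the core is configured
    with an API key and the ``Querier`` is initialised with that key first.
    """
    # Test-only key; must match between the core config and the Querier.
    api_key = "asckjsbdalvkjbasdlvjbalskdjvbaldkj"
    set_key_value_in_config("api_keys", api_key)
    start_st()
    Querier.init_instance(None, api_key)

    session = create_new_session('userId', {}, {})
    old_refresh_token = session['refreshToken']['token']
    old_anti_csrf_token = session['antiCsrfToken']

    refreshed_session = refresh_session(old_refresh_token, old_anti_csrf_token)
    get_session(refreshed_session['accessToken']['token'],
                refreshed_session['antiCsrfToken'], True)

    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as e:
        assert e.user_id == 'userId'
        assert e.session_handle == session['session']['handle']
    else:
        # Raise explicitly: ``assert False`` is stripped under ``python -O``.
        raise AssertionError('expected SuperTokensTokenTheftError on refresh-token reuse')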
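def get_session(response, enable_csrf_protection):
    """Verify the session carried by the current request's cookies.

    Reads the id-refresh-token and access-token cookies and the anti-CSRF header
    from the module-level ``request`` (presumably the framework's request-local;
    not visible here) and verifies them via ``session_helper.get_session``.

    Args:
        response: response object that cookies are attached to or cleared from.
            May be ``None``; then a newly issued access token is stashed on the
            returned session as ``new_access_token_info`` instead of being set
            as a cookie.
        enable_csrf_protection: forwarded to ``session_helper.get_session``
            together with the anti-CSRF header value.

    Returns:
        A ``Session`` built from the (possibly re-issued) access token and the
        verified session's handle, user id and JWT payload.

    Raises:
        Whatever ``raise_unauthorised_exception`` raises when the id refresh
        token cookie is absent; cookies are cleared first.
        Whatever ``raise_try_refresh_token_exception`` raises when the access
        token cookie is absent; cookies are left in place so the client can refresh.
        SuperTokensUnauthorisedError: re-raised from the helper after clearing
        cookies. Any other helper error propagates untouched.
    """
    save_frontend_info_from_request(request)

    id_refresh_token = get_id_refresh_token_from_cookie(request)
    if id_refresh_token is None:
        # Nothing left to refresh with: drop the session cookies before failing.
        clear_cookies(response)
        raise_unauthorised_exception('id refresh token is missing in cookies')

    access_token = get_access_token_from_cookie(request)
    if access_token is None:
        # Refresh token still present: signal the client to refresh, keep cookies.
        raise_try_refresh_token_exception('access token missing in cookies')

    try:
        anti_csrf_token = get_anti_csrf_header(request)
        new_session = session_helper.get_session(access_token, anti_csrf_token, enable_csrf_protection)

        # An 'accessToken' entry means the helper handed back a new access token.
        has_new_access_token = 'accessToken' in new_session
        if has_new_access_token:
            access_token = new_session['accessToken']['token']

        session = Session(access_token, new_session['session']['handle'], new_session['session']['userId'],
                          new_session['session']['userDataInJWT'], response)

        if has_new_access_token:
            access_token_info = new_session['accessToken']
            if response is not None:
                attach_access_token_to_cookie(
                    response,
                    access_token_info['token'],
                    access_token_info['expiry'],
                    access_token_info.get('domain'),
                    access_token_info['cookiePath'],
                    access_token_info['cookieSecure'],
                    access_token_info['sameSite']
                )
            else:
                # No response to set cookies on: hand the token info to the caller.
                session.new_access_token_info = access_token_info
        return session
    except SuperTokensUnauthorisedError:
        # The session is no longer valid; clear cookies, then re-raise with
        # the original traceback (bare ``raise`` rather than ``raise e``).
        clear_cookies(response)
        raise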