def test_basic_usage_of_sessions():
    """Exercise the create -> verify -> refresh -> verify -> revoke lifecycle.

    Also pins when ``ProcessState.get_service_called()`` reports a call: it is
    False after verifying a freshly created access token, True after the first
    verify following a refresh (which returns an updated access token), and
    False again when that updated access token is verified.
    """
    start_st()
    created = create_new_session('userId', {}, {})
    validate(created, session_with_anti_csrf)

    # Fresh access token with its anti-CSRF token: no service call recorded.
    get_session(created['accessToken']['token'], created['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()

    refreshed = refresh_session(created['refreshToken']['token'],
                                created['antiCsrfToken'])
    validate(refreshed, session_with_anti_csrf)

    # First verify after a refresh: a service call is recorded and the result
    # carries a new access token.
    updated = get_session(refreshed['accessToken']['token'],
                          refreshed['antiCsrfToken'], True)
    assert ProcessState.get_service_called()
    validate(updated, session_verify_with_access_token)

    # Verifying the updated access token (still with the anti-CSRF token from
    # the refresh) records no service call and returns no new access token.
    unchanged = get_session(updated['accessToken']['token'],
                            refreshed['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()
    validate(unchanged, session_verify_without_access_token)

    assert revoke_session(unchanged['session']['handle'])
def test_revoking_of_session():
    """Revoke sessions singly and per user, then check misses are reported.

    The number of handles from ``get_all_session_handles_for_user`` is checked
    after every step. After ``s_reset()``, ``revoke_session`` must return False
    for an unknown handle and ``revoke_all_sessions_for_user`` must return an
    empty result for an unknown user.
    """
    start_st()

    def handle_count():
        return len(get_all_session_handles_for_user('userId'))

    revoke_all_sessions_for_user('userId')
    assert handle_count() == 0

    created = create_new_session('userId', {}, {})
    assert handle_count() == 1
    assert revoke_session(created['session']['handle'])
    assert handle_count() == 0

    for _ in range(2):
        create_new_session('userId', {}, {})
    assert handle_count() == 2
    assert len(revoke_all_sessions_for_user('userId')) == 2
    assert handle_count() == 0

    s_reset()
    assert not revoke_session('random')
    assert len(revoke_all_sessions_for_user('randomUserId')) == 0
def test_access_token_get_info_without_anti_csrf():
    """Check ``get_info_from_access_token`` with anti-CSRF disabled in the core.

    A token minted while anti-CSRF is disabled is accepted when the caller does
    not require an anti-CSRF token and rejected with
    ``SuperTokensTryRefreshTokenError`` when it does. A non-token string, and
    the valid token checked against the wrong key, are rejected whether or not
    anti-CSRF is required.
    """
    set_key_value_in_config(TEST_ENABLE_ANTI_CSRF_CONFIG_KEY, False)
    start_st()
    signing_key = HandshakeInfo.get_instance().jwt_signing_public_key
    access_token = create_new_session('userId', {}, {})['accessToken']['token']

    # Accepted case: only the absence of an exception is checked here.
    get_info_from_access_token(access_token, signing_key, False)

    rejected = [
        (access_token, signing_key, True),     # valid token, anti-CSRF required
        ('random-string', signing_key, True),  # not a token
        ('random-string', signing_key, False),
        (access_token, 'random-key', False),   # wrong verification key
    ]
    for token, key, require_anti_csrf in rejected:
        try:
            get_info_from_access_token(token, key, require_anti_csrf)
        except SuperTokensTryRefreshTokenError:
            pass
        else:
            # Reaching here means the token was accepted; fail the test.
            assert False
def test_anti_csrf_disabled_for_core():
    """With anti-CSRF disabled in the core, ``get_session`` accepts a None token.

    Both calls pass ``None`` as the anti-CSRF token; the one that asks for
    enforcement (third argument True) is still expected to verify, because the
    core was started with anti-CSRF disabled.
    """
    set_key_value_in_config(TEST_ENABLE_ANTI_CSRF_CONFIG_KEY, False)
    start_st()
    access_token = create_new_session('userId', {}, {})['accessToken']['token']

    for enforce_anti_csrf in (False, True):
        verified = get_session(access_token, None, enforce_anti_csrf)
        validate(verified, session_verify_without_access_token)
def test_manipulating_jwt_data():
    """Update the JWT payload of one session without affecting another.

    Both sessions start with an empty payload; after ``update_jwt_payload`` on
    the first, only the first reflects the change. Updating an unknown handle
    must raise ``SuperTokensUnauthorisedError``.
    """
    start_st()
    handle_a = create_new_session('userId', {}, {})['session']['handle']
    handle_b = create_new_session('userId', {}, {})['session']['handle']
    assert get_jwt_payload(handle_a) == {}
    assert get_jwt_payload(handle_b) == {}

    update_jwt_payload(handle_a, {'key': 'value'})
    assert get_jwt_payload(handle_a) == {'key': 'value'}
    # The other session's payload is untouched.
    assert get_jwt_payload(handle_b) == {}

    try:
        update_jwt_payload('incorrect', {'key': 'value'})
    except SuperTokensUnauthorisedError:
        pass
    else:
        assert False
def test_session_verify_with_anti_csrf():
    """A session created with an anti-CSRF token verifies with it, enforced or not.

    ``get_session`` is called with the session's own anti-CSRF token, once with
    enforcement on and once off; both results must match
    ``session_verify_without_access_token``.
    """
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']
    anti_csrf_token = created['antiCsrfToken']

    for enforce_anti_csrf in (True, False):
        verified = get_session(access_token, anti_csrf_token, enforce_anti_csrf)
        validate(verified, session_verify_without_access_token)
def test_session_verify_without_anti_csrf():
    """Omitting the anti-CSRF token only passes when enforcement is off.

    With ``None`` as the anti-CSRF token, ``get_session`` succeeds when the
    caller does not enforce anti-CSRF and raises
    ``SuperTokensTryRefreshTokenError`` when it does.
    """
    start_st()
    access_token = create_new_session('userId', {}, {})['accessToken']['token']

    validate(get_session(access_token, None, False),
             session_verify_without_access_token)

    try:
        get_session(access_token, None, True)
    except SuperTokensTryRefreshTokenError:
        pass
    else:
        assert False
def test_token_theft_detection():
    """Reusing an already-rotated refresh token is reported as token theft.

    After one refresh and a verify of the new access token, presenting the old
    refresh token again must raise ``SuperTokensTokenTheftError`` whose
    ``user_id`` and ``session_handle`` identify the affected session.
    """
    start_st()
    original = create_new_session('userId', {}, {})
    old_refresh_token = original['refreshToken']['token']
    old_anti_csrf_token = original['antiCsrfToken']

    rotated = refresh_session(old_refresh_token, old_anti_csrf_token)
    get_session(rotated['accessToken']['token'], rotated['antiCsrfToken'], True)

    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as err:
        assert err.user_id == 'userId'
        assert err.session_handle == original['session']['handle']
    else:
        assert False
def test_manipulating_session_data():
    """Read, set and overwrite session data; an unknown handle is rejected.

    Session data starts empty, each ``update_session_data`` is read back via
    ``get_session_data``, and updating the handle ``'incorrect'`` must raise
    ``SuperTokensUnauthorisedError``.
    """
    start_st()
    handle = create_new_session('userId', {}, {})['session']['handle']
    assert get_session_data(handle) == {}

    for payload in ({'key': 'value'}, {'key': 'new_value'}):
        update_session_data(handle, payload)
        assert get_session_data(handle) == payload

    try:
        update_session_data('incorrect', {'key': 'value'})
    except SuperTokensUnauthorisedError:
        pass
    else:
        assert False
def test_token_theft_detection_with_api_key():
    """Same rotated-refresh-token reuse check, with an API key configured.

    The same key is written to the core config (``api_keys``) and handed to
    ``Querier.init_instance``; theft detection must then behave exactly as it
    does without an API key.
    """
    # Test-only value; it must match between core config and Querier.
    api_key = "asckjsbdalvkjbasdlvjbalskdjvbaldkj"
    set_key_value_in_config("api_keys", api_key)
    start_st()
    Querier.init_instance(None, api_key)

    original = create_new_session('userId', {}, {})
    old_refresh_token = original['refreshToken']['token']
    old_anti_csrf_token = original['antiCsrfToken']

    rotated = refresh_session(old_refresh_token, old_anti_csrf_token)
    get_session(rotated['accessToken']['token'], rotated['antiCsrfToken'], True)

    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as err:
        assert err.user_id == 'userId'
        assert err.session_handle == original['session']['handle']
    else:
        assert False
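def create_new_session(response, user_id, jwt_payload=None, session_data=None):
    """Create a session for *user_id* and attach its tokens to *response*.

    Delegates to ``session_helper.create_new_session`` and then writes the
    access, refresh and id-refresh tokens onto *response* through the
    ``attach_*`` helpers, using the cookie attributes (expiry, domain, path,
    secure, sameSite) that came back with each token. The anti-CSRF header is
    attached only when the helper's result carries a non-None
    ``antiCsrfToken``.

    Args:
        response: framework response object the cookies and headers are
            written to; passed straight through to the ``attach_*`` helpers.
        user_id: identifier of the user the session is created for.
        jwt_payload: optional payload to embed in the access token.
        session_data: optional server-side session data.

    Returns:
        A ``Session`` built from the access token, session handle, user id,
        ``userDataInJWT`` and *response*.
    """
    session = session_helper.create_new_session(
        user_id, jwt_payload, session_data)
    access_token = session['accessToken']
    refresh_token = session['refreshToken']
    id_refresh_token = session['idRefreshToken']

    attach_access_token_to_cookie(response, *_cookie_args(access_token))
    attach_refresh_token_to_cookie(response, *_cookie_args(refresh_token))
    attach_id_refresh_token_to_cookie_and_header(
        response, *_cookie_args(id_refresh_token))

    # No anti-CSRF header when the core returned none (key absent or None).
    if session.get('antiCsrfToken') is not None:
        attach_anti_csrf_header(response, session['antiCsrfToken'])

    return Session(access_token['token'], session['session']['handle'], session['session']['userId'],
                   session['session']['userDataInJWT'], response)


def _cookie_args(token):
    """Return the positional cookie arguments for one token dict.

    Order matches the ``attach_*`` helpers: token, expiry, domain (None when
    the dict has no ``domain`` key), cookiePath, cookieSecure, sameSite. All
    keys except ``domain`` are required and raise ``KeyError`` if missing.
    """
    return (
        token['token'],
        token['expiry'],
        token.get('domain'),
        token['cookiePath'],
        token['cookieSecure'],
        token['sameSite'],
    )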