def test_basic_usage_of_sessions():
    """Walk one session through create, verify, refresh, re-verify and revoke."""
    start_st()
    created = create_new_session('userId', {}, {})
    validate(created, session_with_anti_csrf)

    # Verifying the freshly issued access token must not be recorded as a service call.
    get_session(created['accessToken']['token'], created['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()

    rotated = refresh_session(created['refreshToken']['token'], created['antiCsrfToken'])
    validate(rotated, session_with_anti_csrf)

    # The first verification after a refresh is recorded as a service call and
    # comes back with a new access token.
    verified = get_session(rotated['accessToken']['token'], rotated['antiCsrfToken'], True)
    assert ProcessState.get_service_called()
    validate(verified, session_verify_with_access_token)

    # Verifying that new access token is not recorded as a service call and
    # does not return yet another access token.
    reverified = get_session(verified['accessToken']['token'], rotated['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()
    validate(reverified, session_verify_without_access_token)

    assert revoke_session(reverified['session']['handle'])
def test_anti_csrf_disabled_for_core():
    """With anti-CSRF disabled in the core, no anti-CSRF token is required either way."""
    set_key_value_in_config(TEST_ENABLE_ANTI_CSRF_CONFIG_KEY, False)
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']
    # Protection not requested first, then requested; both must verify with no token.
    for enable_csrf_protection in (False, True):
        verified = get_session(access_token, None, enable_csrf_protection)
        validate(verified, session_verify_without_access_token)
def test_session_verify_with_anti_csrf():
    """A valid anti-CSRF token verifies whether or not CSRF protection is requested."""
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']
    anti_csrf_token = created['antiCsrfToken']
    # Protection requested first, then not requested.
    for enable_csrf_protection in (True, False):
        verified = get_session(access_token, anti_csrf_token, enable_csrf_protection)
        validate(verified, session_verify_without_access_token)
def test_session_verify_without_anti_csrf():
    """Without an anti-CSRF token, verification passes only when protection is off."""
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']

    verified = get_session(access_token, None, False)
    validate(verified, session_verify_without_access_token)

    # With protection requested, the missing token must surface as a
    # "try refresh token" error instead of a verified session.
    refresh_required = False
    try:
        get_session(access_token, None, True)
    except SuperTokensTryRefreshTokenError:
        refresh_required = True
    assert refresh_required
def test_token_theft_detection():
    """Reusing a refresh token after its successor was used is reported as theft."""
    start_st()
    original = create_new_session('userId', {}, {})
    old_refresh_token = original['refreshToken']['token']
    old_anti_csrf_token = original['antiCsrfToken']

    rotated = refresh_session(old_refresh_token, old_anti_csrf_token)
    # Use the rotated session once so the old refresh token is clearly stale.
    get_session(rotated['accessToken']['token'], rotated['antiCsrfToken'], True)

    theft = None
    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as err:
        theft = err
    assert theft is not None
    # The error identifies the affected user and session so they can be revoked.
    assert theft.user_id == 'userId'
    assert theft.session_handle == original['session']['handle']
def test_token_theft_detection_with_api_key():
    """Token-theft detection still works when the core is accessed with an API key."""
    api_key = "asckjsbdalvkjbasdlvjbalskdjvbaldkj"
    set_key_value_in_config("api_keys", api_key)
    start_st()
    Querier.init_instance(None, api_key)

    original = create_new_session('userId', {}, {})
    old_refresh_token = original['refreshToken']['token']
    old_anti_csrf_token = original['antiCsrfToken']

    rotated = refresh_session(old_refresh_token, old_anti_csrf_token)
    # Use the rotated session once so the old refresh token is clearly stale.
    get_session(rotated['accessToken']['token'], rotated['antiCsrfToken'], True)

    theft = None
    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as err:
        theft = err
    assert theft is not None
    # The error identifies the affected user and session so they can be revoked.
    assert theft.user_id == 'userId'
    assert theft.session_handle == original['session']['handle']
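def get_session(response, enable_csrf_protection):
    """Verify the session carried in the current request's cookies and return a Session.

    Args:
        response: Outgoing response the (possibly re-issued) access-token
            cookie is attached to. May be ``None``; a re-issued access token
            is then stored on ``session.new_access_token_info`` and the
            caller is responsible for delivering it to the client.
        enable_csrf_protection: Forwarded to ``session_helper.get_session``.
            NOTE(review): the helper appears to skip the anti-CSRF check when
            this is false (verification with no anti-CSRF token succeeds only
            in that case in the tests above), so callers should pass ``True``
            for any state-changing request — confirm against the helper.

    Returns:
        A ``Session`` built from the helper's ``session`` payload and the
        access token that is valid after this call.

    Raises:
        Presumably whatever ``raise_unauthorised_exception`` raises when the
        id-refresh-token cookie is absent (session cookies are cleared first),
        whatever ``raise_try_refresh_token_exception`` raises when the
        access-token cookie is absent, and ``SuperTokensUnauthorisedError``
        re-raised from the helper after clearing the session cookies.
    """
    save_frontend_info_from_request(request)

    # No id-refresh token means the client holds no usable session at all:
    # clear any leftover session cookies before rejecting the request.
    id_refresh_token = get_id_refresh_token_from_cookie(request)
    if id_refresh_token is None:
        clear_cookies(response)
        raise_unauthorised_exception('id refresh token is missing in cookies')

    # A missing access token is recoverable via the refresh flow, so the
    # remaining cookies are deliberately left in place here.
    access_token = get_access_token_from_cookie(request)
    if access_token is None:
        raise_try_refresh_token_exception('access token missing in cookies')

    try:
        anti_csrf_token = get_anti_csrf_header(request)
        new_session = session_helper.get_session(access_token, anti_csrf_token, enable_csrf_protection)

        # The helper includes 'accessToken' only when it re-issued one; in that
        # case the Session must carry the new token, not the one from the cookie.
        has_new_access_token = 'accessToken' in new_session
        if has_new_access_token:
            access_token = new_session['accessToken']['token']

        session_info = new_session['session']
        session = Session(
            access_token,
            session_info['handle'],
            session_info['userId'],
            session_info['userDataInJWT'],
            response,
        )

        if has_new_access_token:
            access_token_info = new_session['accessToken']
            if response is not None:
                attach_access_token_to_cookie(
                    response,
                    access_token_info['token'],
                    access_token_info['expiry'],
                    # 'domain' is optional in the helper's payload.
                    access_token_info['domain'] if 'domain' in access_token_info else None,
                    access_token_info['cookiePath'],
                    access_token_info['cookieSecure'],
                    access_token_info['sameSite'],
                )
            else:
                # Nothing to attach the cookie to: hand the new token to the caller.
                session.new_access_token_info = access_token_info
        return session
    except SuperTokensUnauthorisedError:
        # The session is not valid: the cookies are useless, clear them and
        # propagate the original exception with its traceback intact.
        clear_cookies(response)
        raise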