def test_basic_usage_of_sessions():
    """Walk a session through create -> verify -> refresh -> verify -> revoke.

    The ``ProcessState.get_service_called()`` checks pin down which
    verifications are expected to reach the core service and which are
    satisfied without it: a fresh access token and an already-updated one
    must not trigger a core call, a token obtained straight from a refresh
    must.
    """
    start_st()
    created = create_new_session('userId', {}, {})
    validate(created, session_with_anti_csrf)

    # Fresh access token: verification must not call the core service.
    get_session(created['accessToken']['token'], created['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()

    refreshed = refresh_session(created['refreshToken']['token'], created['antiCsrfToken'])
    validate(refreshed, session_with_anti_csrf)

    # Token issued by a refresh: verification goes through the core and
    # hands back an updated access token.
    updated = get_session(refreshed['accessToken']['token'], refreshed['antiCsrfToken'], True)
    assert ProcessState.get_service_called()
    validate(updated, session_verify_with_access_token)

    # The updated token verifies without a core call; the anti-CSRF token is
    # still the one issued at refresh time.
    unchanged = get_session(updated['accessToken']['token'], refreshed['antiCsrfToken'], True)
    assert not ProcessState.get_service_called()
    validate(unchanged, session_verify_without_access_token)

    assert revoke_session(unchanged['session']['handle'])
def test_revoking_of_session():
    """Check single-session and all-sessions revocation for a user.

    Also checks that, after ``s_reset()``, revoking an unknown handle reports
    failure and revoking sessions of an unknown user yields an empty result.
    """
    start_st()

    def live_session_count():
        # Number of session handles the core still holds for 'userId'.
        return len(get_all_session_handles_for_user('userId'))

    revoke_all_sessions_for_user('userId')
    assert live_session_count() == 0

    only_session = create_new_session('userId', {}, {})
    assert live_session_count() == 1
    assert revoke_session(only_session['session']['handle'])
    assert live_session_count() == 0

    create_new_session('userId', {}, {})
    create_new_session('userId', {}, {})
    assert live_session_count() == 2
    # revoke_all_sessions_for_user reports every handle it revoked.
    assert len(revoke_all_sessions_for_user('userId')) == 2
    assert live_session_count() == 0

    s_reset()
    assert not revoke_session('random')
    assert len(revoke_all_sessions_for_user('randomUserId')) == 0
def test_access_token_get_info_without_anti_csrf():
    """Access-token parsing with anti-CSRF disabled in the core config.

    With anti-CSRF off, reading the token without the anti-CSRF check
    succeeds, while every other combination must raise
    ``SuperTokensTryRefreshTokenError``: asking for the anti-CSRF check,
    passing a token that is not a JWT at all (with or without the check),
    or verifying with the wrong signing key.
    """
    set_key_value_in_config(TEST_ENABLE_ANTI_CSRF_CONFIG_KEY, False)
    start_st()
    signing_key = HandshakeInfo.get_instance().jwt_signing_public_key

    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']

    # Third positional argument appears to be the anti-CSRF check flag —
    # confirm against get_info_from_access_token's signature.
    get_info_from_access_token(access_token, signing_key, False)

    def must_raise_try_refresh(token, key, do_anti_csrf_check):
        # Passes only when the parse is rejected with the try-refresh error;
        # any other exception propagates, and a silent success fails.
        try:
            get_info_from_access_token(token, key, do_anti_csrf_check)
        except SuperTokensTryRefreshTokenError:
            return
        assert False

    must_raise_try_refresh(access_token, signing_key, True)
    must_raise_try_refresh('random-string', signing_key, True)
    must_raise_try_refresh('random-string', signing_key, False)
    # A valid token verified against the wrong key must not be accepted.
    must_raise_try_refresh(access_token, 'random-key', False)
def test_anti_csrf_disabled_for_core():
    """With anti-CSRF disabled in the core, get_session ignores the flag.

    No anti-CSRF token is supplied (``None``) and the verification succeeds
    whether or not the anti-CSRF check is requested.
    """
    set_key_value_in_config(TEST_ENABLE_ANTI_CSRF_CONFIG_KEY, False)
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']

    for do_anti_csrf_check in (False, True):
        verified = get_session(access_token, None, do_anti_csrf_check)
        validate(verified, session_verify_without_access_token)
def test_manipulating_jwt_data():
    """Update the JWT payload of one session without touching another.

    Both sessions start with an empty payload; after updating the first,
    only the first reflects the change. Updating an unknown handle raises
    ``SuperTokensUnauthorisedError``.
    """
    start_st()
    first_handle = create_new_session('userId', {}, {})['session']['handle']
    second_handle = create_new_session('userId', {}, {})['session']['handle']

    assert get_jwt_payload(first_handle) == {}
    assert get_jwt_payload(second_handle) == {}

    update_jwt_payload(first_handle, {'key': 'value'})
    assert get_jwt_payload(first_handle) == {'key': 'value'}
    # The second session's payload must be unaffected.
    assert get_jwt_payload(second_handle) == {}

    try:
        update_jwt_payload('incorrect', {'key': 'value'})
    except SuperTokensUnauthorisedError:
        return
    assert False
def test_session_verify_with_anti_csrf():
    """A session verifies with its own anti-CSRF token, check on or off."""
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']
    anti_csrf_token = created['antiCsrfToken']

    for do_anti_csrf_check in (True, False):
        verified = get_session(access_token, anti_csrf_token, do_anti_csrf_check)
        validate(verified, session_verify_without_access_token)
def test_session_verify_without_anti_csrf():
    """Missing anti-CSRF token: accepted only when the check is off.

    With the anti-CSRF check requested and no token supplied, get_session
    must raise ``SuperTokensTryRefreshTokenError`` rather than verify.
    """
    start_st()
    created = create_new_session('userId', {}, {})
    access_token = created['accessToken']['token']

    verified = get_session(access_token, None, False)
    validate(verified, session_verify_without_access_token)

    try:
        get_session(access_token, None, True)
    except SuperTokensTryRefreshTokenError:
        return
    assert False
def test_token_theft_detection():
    """Re-using an already-rotated refresh token is reported as token theft.

    After a refresh (and a verification of the new access token), presenting
    the original refresh token again must raise ``SuperTokensTokenTheftError``
    carrying the affected user id and session handle.
    """
    start_st()
    created = create_new_session('userId', {}, {})
    old_refresh_token = created['refreshToken']['token']
    old_anti_csrf_token = created['antiCsrfToken']

    refreshed = refresh_session(old_refresh_token, old_anti_csrf_token)
    get_session(refreshed['accessToken']['token'], refreshed['antiCsrfToken'], True)

    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as theft:
        # The error identifies which user/session was affected.
        assert theft.user_id == 'userId'
        assert theft.session_handle == created['session']['handle']
        return
    assert False
def test_manipulating_session_data():
    """Read and overwrite the server-side session data of one session.

    The data starts empty, each update replaces the stored value, and
    updating an unknown handle raises ``SuperTokensUnauthorisedError``.
    """
    start_st()
    handle = create_new_session('userId', {}, {})['session']['handle']

    assert get_session_data(handle) == {}

    for stored in ({'key': 'value'}, {'key': 'new_value'}):
        update_session_data(handle, stored)
        assert get_session_data(handle) == stored

    try:
        update_session_data('incorrect', {'key': 'value'})
    except SuperTokensUnauthorisedError:
        return
    assert False
def test_token_theft_detection_with_api_key():
    """Token theft detection still works when the core requires an API key.

    Same scenario as test_token_theft_detection, but the core is started
    with an API key configured and the Querier is initialised with it.
    """
    # Test-only API key (constructed value, not a real credential); the same
    # string must be given to the core config and to the Querier.
    api_key = "asckjsbdalvkjbasdlvjbalskdjvbaldkj"
    set_key_value_in_config("api_keys", api_key)
    start_st()
    Querier.init_instance(None, api_key)

    created = create_new_session('userId', {}, {})
    old_refresh_token = created['refreshToken']['token']
    old_anti_csrf_token = created['antiCsrfToken']

    refreshed = refresh_session(old_refresh_token, old_anti_csrf_token)
    get_session(refreshed['accessToken']['token'], refreshed['antiCsrfToken'], True)

    try:
        refresh_session(old_refresh_token, old_anti_csrf_token)
    except SuperTokensTokenTheftError as theft:
        assert theft.user_id == 'userId'
        assert theft.session_handle == created['session']['handle']
        return
    assert False
def create_new_session(response, user_id, jwt_payload=None, session_data=None):
    """Create a session in the core and attach its tokens to ``response``.

    Args:
        response: framework response object the cookies/headers are set on.
        user_id: id of the user the session belongs to.
        jwt_payload: data to embed in the access token (optional).
        session_data: server-side session data (optional).

    Returns:
        A ``Session`` built from the access token and the core's ``session``
        entry (handle, userId, userDataInJWT), bound to ``response``.

    The access, refresh and id-refresh tokens are written as cookies using
    the attributes (expiry, domain, path, secure, sameSite) exactly as
    returned by the core. The anti-CSRF token, when present, is sent as a
    response header rather than a cookie.
    """
    created = session_helper.create_new_session(user_id, jwt_payload, session_data)
    access_token = created['accessToken']
    refresh_token = created['refreshToken']
    id_refresh_token = created['idRefreshToken']

    def cookie_args(token_info):
        # Positional arguments shared by the three attach_* cookie helpers;
        # 'domain' is the only optional attribute and defaults to None.
        return (
            token_info['token'],
            token_info['expiry'],
            token_info.get('domain'),
            token_info['cookiePath'],
            token_info['cookieSecure'],
            token_info['sameSite'],
        )

    attach_access_token_to_cookie(response, *cookie_args(access_token))
    attach_refresh_token_to_cookie(response, *cookie_args(refresh_token))
    attach_id_refresh_token_to_cookie_and_header(response, *cookie_args(id_refresh_token))

    anti_csrf_token = created.get('antiCsrfToken')
    if anti_csrf_token is not None:
        attach_anti_csrf_header(response, anti_csrf_token)

    session_info = created['session']
    return Session(
        access_token['token'],
        session_info['handle'],
        session_info['userId'],
        session_info['userDataInJWT'],
        response,
    )