Add tests for getSSRSession

Author: bcbogdan

lib/ts/nextjs/middleware.ts

@@ -1,6 +1,6 @@
 import { enableLogging, logDebugMessage } from "../logger";
 
-import type { SuperTokensNextjsConfig, SuperTokensRequestToken } from "./types";
+import type { SuperTokensNextjsConfig } from "./types";
 
 const ACCESS_TOKEN_COOKIE_NAME = "sAccessToken";
 const ACCESS_TOKEN_HEADER_NAME = "st-access-token";
@@ -41,9 +41,8 @@ export async function refreshSession(config: SuperTokensNextjsConfig, request: R
     const redirectTo = requestUrl.searchParams.get(REDIRECT_PATH_PARAM_NAME) || "/";
     try {
         const tokens = await fetchNewTokens(refreshToken);
-        const hasRequiredCookies = tokens.accessToken.cookie && tokens.refreshToken.cookie && tokens.frontToken.cookie;
-        const hasRequiredHeaders = tokens.accessToken.header && tokens.refreshToken.header && tokens.frontToken.header;
-        if (!hasRequiredCookies && !hasRequiredHeaders) {
+        const hasRequiredCookies = tokens.accessToken && tokens.refreshToken && tokens.frontToken;
+        if (!hasRequiredCookies) {
             logDebugMessage("Missing tokens from refresh response");
             return redirectToAuthPage(request);
         }
@@ -54,21 +53,11 @@ export async function refreshSession(config: SuperTokensNextjsConfig, request: R
                 Location: redirectUrl.toString(),
             },
         });
-        finalResponse.headers.append(FRONT_TOKEN_HEADER_NAME, tokens.frontToken.header as string);
-        if (hasRequiredCookies) {
-            finalResponse.headers.append("set-cookie", `${tokens.accessToken.cookie as string}`);
-            finalResponse.headers.append("set-cookie", `${tokens.refreshToken.cookie as string}`);
-            finalResponse.headers.append("set-cookie", `${tokens.frontToken.cookie as string}`);
-        }
-        if (hasRequiredHeaders) {
-            finalResponse.headers.append(REFRESH_TOKEN_HEADER_NAME, tokens.refreshToken.header as string);
-            finalResponse.headers.append(ACCESS_TOKEN_HEADER_NAME, tokens.accessToken.header as string);
-        }
-
-        if (tokens.antiCsrfToken.cookie) {
-            finalResponse.headers.append("set-cookie", `${tokens.antiCsrfToken.cookie as string}`);
-        } else if (tokens.antiCsrfToken.header) {
-            finalResponse.headers.append(ANTI_CSRF_TOKEN_HEADER_NAME, tokens.antiCsrfToken.header);
+        finalResponse.headers.append("set-cookie", tokens.accessToken);
+        finalResponse.headers.append("set-cookie", tokens.refreshToken);
+        finalResponse.headers.append("set-cookie", tokens.frontToken);
+        if (tokens.antiCsrfToken) {
+            finalResponse.headers.append("set-cookie", tokens.antiCsrfToken);
         }
         finalResponse.headers.append(
             "set-cookie",
@@ -137,10 +126,10 @@ function redirectToAuthPage(request: Request): Response {
 }
 
 async function fetchNewTokens(currentRefreshToken: string): Promise<{
-    accessToken: SuperTokensRequestToken;
-    refreshToken: SuperTokensRequestToken;
-    frontToken: SuperTokensRequestToken;
-    antiCsrfToken: SuperTokensRequestToken;
+    accessToken: string;
+    refreshToken: string;
+    frontToken: string;
+    antiCsrfToken: string;
 }> {
     const refreshApiURL = new URL(`${AppInfo.apiBasePath}/session/refresh`, AppInfo.apiDomain);
     const refreshResponse = await fetch(refreshApiURL, {
@@ -153,40 +142,45 @@ async function fetchNewTokens(currentRefreshToken: string): Promise<{
         credentials: "include",
     });
     logDebugMessage("Session refresh request completed");
-    const frontToken: SuperTokensRequestToken = {
-        header: refreshResponse.headers.get("front-token"),
-        cookie: `${FRONT_TOKEN_COOKIE_NAME}=${refreshResponse.headers.get("front-token")}; Path=/`,
-    };
-    const accessToken: SuperTokensRequestToken = {
-        header: refreshResponse.headers.get(ACCESS_TOKEN_HEADER_NAME),
-        cookie: null,
-    };
-    const refreshToken: SuperTokensRequestToken = {
-        header: refreshResponse.headers.get(REFRESH_TOKEN_HEADER_NAME),
-        cookie: null,
-    };
-    const antiCsrfToken: SuperTokensRequestToken = {
-        header: refreshResponse.headers.get(ANTI_CSRF_TOKEN_HEADER_NAME),
-        cookie: null,
-    };
 
+    const frontTokenHeaderValue = refreshResponse.headers.get(FRONT_TOKEN_HEADER_NAME);
+    const cookieTokens = {
+        accessToken: "",
+        refreshToken: "",
+        frontToken: `${FRONT_TOKEN_COOKIE_NAME}=${frontTokenHeaderValue}; HTTPOnly; Path=/`,
+        antiCsrfToken: "",
+    };
+    // TOOD: Review the current build target
     // getSetCookie was added in node 18 and our build target is ES5
     // This should not a problem here since the function runs in the Vercel edge runtime environment
     // @ts-expect-error TS(2339): Property 'getSetCookie' does not exist on type 'Headers'.
     const setCookieHeaders = refreshResponse.headers.getSetCookie();
     for (const header of setCookieHeaders) {
         if (header.includes(ACCESS_TOKEN_COOKIE_NAME)) {
-            accessToken.cookie = header;
+            cookieTokens.accessToken = header;
         }
         if (header.includes(REFRESH_TOKEN_COOKIE_NAME)) {
-            refreshToken.cookie = header;
+            cookieTokens.refreshToken = header;
         }
         if (header.includes(ANTI_CSRF_TOKEN_COOKIE_NAME)) {
-            antiCsrfToken.cookie = header;
+            cookieTokens.antiCsrfToken = header;
         }
     }
 
-    return { accessToken, refreshToken, frontToken, antiCsrfToken };
+    const accessTokenHeaderValue = refreshResponse.headers.get(ACCESS_TOKEN_HEADER_NAME);
+    const refreshTokenHeaderValue = refreshResponse.headers.get(REFRESH_TOKEN_HEADER_NAME);
+    const antiCsrfTokenHeaderValue = refreshResponse.headers.get(ANTI_CSRF_TOKEN_HEADER_NAME);
+    if (!cookieTokens.accessToken) {
+        cookieTokens.accessToken = `${ACCESS_TOKEN_COOKIE_NAME}=${accessTokenHeaderValue}; Path=/; HttpOnly; SameSite=Lax`;
+    }
+    if (!cookieTokens.refreshToken) {
+        cookieTokens.refreshToken = `${REFRESH_TOKEN_COOKIE_NAME}=${refreshTokenHeaderValue}; Path=/api/auth/session/refresh; HttpOnly; SameSite=Lax`;
+    }
+    if (!cookieTokens.antiCsrfToken && antiCsrfTokenHeaderValue) {
+        cookieTokens.antiCsrfToken = `${ANTI_CSRF_TOKEN_COOKIE_NAME}=${antiCsrfTokenHeaderValue}; Path=/; HttpOnly; SameSite=Lax`;
+    }
+
+    return cookieTokens;
 }
 
 function getCookie(request: Request, name: string) {

lib/ts/nextjs/ssr.ts

@@ -185,8 +185,6 @@ function parseFrontToken(
     }
 }
 
-// TODO:
-// - Do we need to check the token version and handle ERR_JWKS_MULTIPLE_MATCHING_KEYS like in the node SDK?
 async function parseAccessToken(
     token: string
 ): Promise<{ isValid: true; payload: AccessTokenPayload["up"] } | { isValid: false }> {

test/unit/nextjs/getSSRSession.test.ts

@@ -0,0 +1,213 @@
+import * as jose from "jose";
+import SuperTokensNextjsSSRAPIWrapper from "../../../lib/ts/nextjs/ssr";
+import type { CookiesStore } from "../../../lib/ts/nextjs/types";
+
+jest.mock("jose", () => ({
+    createRemoteJWKSet: jest.fn(),
+    jwtVerify: jest.fn(),
+}));
+
+describe("nextjs/ssr", () => {
+    describe("getSSRSession", () => {
+        const API_BASE_PATH = "/api/auth";
+        const CURRENT_PATH_COOKIE_NAME = "sCurrentPath";
+        const WEBSITE_BASE_PATH = "/auth";
+        const REFRESH_PATH = `${API_BASE_PATH}/session/refresh`;
+        const AUTH_PATH = WEBSITE_BASE_PATH;
+        const FORCE_LOGOUT_PARAM = "forceLogout=true";
+
+        const buildRedirectUrl = (basePath: string, params: string[]) => {
+            return `${basePath}?${params.join("&")}`;
+        };
+
+        const getRedirectParam = (redirectTo: string) => {
+            return `stRedirectTo=${redirectTo}`;
+        };
+
+        const createFrontToken = (
+            overrides: Partial<{
+                uid: string;
+                ate: number;
+                up: Record<string, any>;
+            }> = {}
+        ) => {
+            const defaultToken = {
+                uid: "user123",
+                ate: Date.now() + 3600000, // 1 hour from now
+                up: { sub: "user123" },
+                ...overrides,
+            };
+            return Buffer.from(JSON.stringify(defaultToken)).toString("base64");
+        };
+
+        const mockRedirect = jest.fn((url: string): never => {
+            throw url;
+        });
+
+        const mockConfig = {
+            appInfo: {
+                apiBasePath: API_BASE_PATH,
+                apiDomain: "http://localhost:3000",
+                websiteBasePath: WEBSITE_BASE_PATH,
+                appName: "SuperTokens Demo",
+                websiteDomain: "http://localhost:3000",
+            },
+        };
+
+        const createMockCookiesStore = (cookies: Record<string, string>): CookiesStore => ({
+            get: (name: string) => {
+                const value = cookies[name];
+                return { value: value || "" };
+            },
+            set: jest.fn(),
+        });
+
+        beforeEach(() => {
+            jest.clearAllMocks();
+            SuperTokensNextjsSSRAPIWrapper.init(mockConfig);
+        });
+
+        it("should redirect to the auth page if the front token is not found", async () => {
+            const currentPath = "/";
+            const cookies = createMockCookiesStore({ [CURRENT_PATH_COOKIE_NAME]: currentPath });
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(AUTH_PATH, [FORCE_LOGOUT_PARAM, getRedirectParam(currentPath)])
+            );
+        });
+
+        it("should redirect to the auth page if the front token is invalid", async () => {
+            const currentPath = "/dashboard";
+            const cookies = createMockCookiesStore({
+                sFrontToken: "invalid-token",
+                [CURRENT_PATH_COOKIE_NAME]: currentPath,
+            });
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(AUTH_PATH, [FORCE_LOGOUT_PARAM, getRedirectParam(currentPath)])
+            );
+        });
+
+        it("should redirect to the auth page if the access token is invalid", async () => {
+            const currentPath = "/profile";
+            const mockFrontToken = createFrontToken();
+            const cookies = createMockCookiesStore({
+                sFrontToken: mockFrontToken,
+                sAccessToken: "invalid-access-token",
+                [CURRENT_PATH_COOKIE_NAME]: currentPath,
+            });
+
+            (jose.jwtVerify as jest.Mock).mockRejectedValueOnce({ isValid: false });
+
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(AUTH_PATH, [FORCE_LOGOUT_PARAM, getRedirectParam(currentPath)])
+            );
+        });
+
+        it("should redirect to the refresh path if the front token is expired", async () => {
+            const currentPath = "/settings";
+            const mockFrontToken = createFrontToken({
+                ate: Date.now() - 1000, // Expired
+            });
+
+            const cookies = createMockCookiesStore({
+                sFrontToken: mockFrontToken,
+                [CURRENT_PATH_COOKIE_NAME]: currentPath,
+            });
+
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(REFRESH_PATH, [getRedirectParam(currentPath)])
+            );
+        });
+
+        it("should redirect to the refresh path if the access token was not found", async () => {
+            const currentPath = "/account";
+            const mockFrontToken = createFrontToken();
+            const cookies = createMockCookiesStore({
+                sFrontToken: mockFrontToken,
+                [CURRENT_PATH_COOKIE_NAME]: currentPath,
+            });
+
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(REFRESH_PATH, [getRedirectParam(currentPath)])
+            );
+        });
+
+        it("should redirect to the refresh path if token payloads do not match", async () => {
+            const currentPath = "/home";
+            const mockFrontToken = createFrontToken({
+                up: { sub: "user123", someData: "value1" },
+            });
+
+            const cookies = createMockCookiesStore({
+                sFrontToken: mockFrontToken,
+                sAccessToken: "valid-access-token",
+                [CURRENT_PATH_COOKIE_NAME]: currentPath,
+            });
+
+            (jose.jwtVerify as jest.Mock).mockResolvedValueOnce({
+                payload: { sub: "user123", someData: "different-value", exp: Date.now() + 3600000 },
+                isValid: true,
+            });
+
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(REFRESH_PATH, [getRedirectParam(currentPath)])
+            );
+        });
+
+        it("should return the session if tokens match", async () => {
+            const mockPayload = { sub: "user123", someData: "value1", exp: Date.now() + 360000 };
+            const mockFrontToken = createFrontToken({
+                up: mockPayload,
+            });
+
+            const cookies = createMockCookiesStore({
+                sFrontToken: mockFrontToken,
+                sAccessToken: "valid-access-token",
+            });
+
+            (jose.jwtVerify as jest.Mock).mockResolvedValueOnce({
+                payload: mockPayload,
+                isValid: true,
+            });
+
+            const result = await SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookies, mockRedirect);
+            expect(result).toEqual({
+                userId: "user123",
+                accessTokenPayload: { isValid: true, payload: mockPayload },
+                doesSessionExist: true,
+                loading: false,
+                invalidClaims: [],
+                accessDeniedValidatorError: undefined,
+            });
+        });
+
+        it("redirects to the correct page based on the sCurrentPath cookie", async () => {
+            // Test with a simple path
+            const authCookies = createMockCookiesStore({
+                [CURRENT_PATH_COOKIE_NAME]: "/dashboard",
+            });
+
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(authCookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(AUTH_PATH, [FORCE_LOGOUT_PARAM, getRedirectParam("/dashboard")])
+            );
+
+            // Test with a complex path (including query params)
+            const complexPathCookies = createMockCookiesStore({
+                [CURRENT_PATH_COOKIE_NAME]: "/settings/profile?tab=security#password",
+            });
+
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(complexPathCookies, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(AUTH_PATH, [
+                    FORCE_LOGOUT_PARAM,
+                    getRedirectParam("/settings/profile?tab=security#password"),
+                ])
+            );
+
+            // Test with no current path cookie (should default to "/")
+            const cookiesWithoutPath = createMockCookiesStore({});
+
+            await expect(SuperTokensNextjsSSRAPIWrapper.getSSRSession(cookiesWithoutPath, mockRedirect)).rejects.toBe(
+                buildRedirectUrl(AUTH_PATH, [FORCE_LOGOUT_PARAM, getRedirectParam("/")])
+            );
+        });
+    });
+});