Add tests for middleware

bcbogdan · bcbogdan · commit f6651e788377 · 2025-02-28T21:02:51.000+02:00
diff --git a/lib/ts/nextjs/constants.ts b/lib/ts/nextjs/constants.ts
@@ -0,0 +1,13 @@
+export const ACCESS_TOKEN_COOKIE_NAME = "sAccessToken";
+export const ACCESS_TOKEN_HEADER_NAME = "st-access-token";
+export const FRONT_TOKEN_COOKIE_NAME = "sFrontToken";
+export const FRONT_TOKEN_HEADER_NAME = "front-token";
+export const REFRESH_TOKEN_COOKIE_NAME = "sRefreshToken";
+export const REFRESH_TOKEN_HEADER_NAME = "st-refresh-token";
+export const ANTI_CSRF_TOKEN_COOKIE_NAME = "sAntiCsrf";
+export const ANTI_CSRF_TOKEN_HEADER_NAME = "anti-csrf";
+export const REDIRECT_ATTEMPT_MAX_COUNT = 5;
+export const REDIRECT_ATTEMPT_COUNT_COOKIE_NAME = "sSsrSessionRefreshAttempt";
+export const CURRENT_PATH_COOKIE_NAME = "sCurrentPath";
+export const FORCE_LOGOUT_PATH_PARAM_NAME = "forceLogout";
+export const REDIRECT_PATH_PARAM_NAME = "stRedirectTo";
diff --git a/lib/ts/nextjs/middleware.ts b/lib/ts/nextjs/middleware.ts
@@ -1,20 +1,21 @@
 import { enableLogging, logDebugMessage } from "../logger";
 
-import type { SuperTokensNextjsConfig } from "./types";
-
-const ACCESS_TOKEN_COOKIE_NAME = "sAccessToken";
-const ACCESS_TOKEN_HEADER_NAME = "st-access-token";
-const FRONT_TOKEN_COOKIE_NAME = "sFrontToken";
-const FRONT_TOKEN_HEADER_NAME = "front-token";
-const REFRESH_TOKEN_COOKIE_NAME = "sRefreshToken";
-const REFRESH_TOKEN_HEADER_NAME = "st-refresh-token";
-const ANTI_CSRF_TOKEN_COOKIE_NAME = "sAntiCsrf";
-const ANTI_CSRF_TOKEN_HEADER_NAME = "anti-csrf";
+import {
+    REDIRECT_ATTEMPT_MAX_COUNT,
+    REFRESH_TOKEN_COOKIE_NAME,
+    REFRESH_TOKEN_HEADER_NAME,
+    REDIRECT_PATH_PARAM_NAME,
+    REDIRECT_ATTEMPT_COUNT_COOKIE_NAME,
+    ACCESS_TOKEN_COOKIE_NAME,
+    ACCESS_TOKEN_HEADER_NAME,
+    FRONT_TOKEN_HEADER_NAME,
+    ANTI_CSRF_TOKEN_HEADER_NAME,
+    FORCE_LOGOUT_PATH_PARAM_NAME,
+    FRONT_TOKEN_COOKIE_NAME,
+    ANTI_CSRF_TOKEN_COOKIE_NAME,
+} from "./constants";
 
-const REDIRECT_ATTEMPT_MAX_COUNT = 5;
-const REDIRECT_PATH_PARAM_NAME = "stRedirectTo";
-const FORCE_LOGOUT_PATH_PARAM_NAME = "forceLogout";
-const REDIRECT_ATTEMPT_COUNT_COOKIE_NAME = "sSsrSessionRefreshAttempt";
+import type { SuperTokensNextjsConfig } from "./types";
 
 let AppInfo: SuperTokensNextjsConfig["appInfo"];
 
@@ -30,17 +31,15 @@ export async function refreshSession(config: SuperTokensNextjsConfig, request: R
         return redirectToAuthPage(request);
     }
 
-    const refreshToken =
-        getCookie(request, REFRESH_TOKEN_COOKIE_NAME) || request.headers.get(REFRESH_TOKEN_HEADER_NAME);
-    if (!refreshToken) {
+    if (!getCookie(request, REFRESH_TOKEN_COOKIE_NAME) && !request.headers.get(REFRESH_TOKEN_HEADER_NAME)) {
         logDebugMessage("Refresh token not found");
         return redirectToAuthPage(request);
     }
 
     const requestUrl = new URL(request.url);
     const redirectTo = requestUrl.searchParams.get(REDIRECT_PATH_PARAM_NAME) || "/";
     try {
-        const tokens = await fetchNewTokens(refreshToken);
+        const tokens = await fetchNewTokens(request);
         const hasRequiredCookies = tokens.accessToken && tokens.refreshToken && tokens.frontToken;
         if (!hasRequiredCookies) {
             logDebugMessage("Missing tokens from refresh response");
@@ -79,7 +78,6 @@ export async function revokeSession(config: SuperTokensNextjsConfig, request: Re
     if (config.enableDebugLogs) {
         enableLogging();
     }
-
     const response = new Response(null, {});
 
     try {
@@ -125,29 +123,36 @@ function redirectToAuthPage(request: Request): Response {
     });
 }
 
-async function fetchNewTokens(currentRefreshToken: string): Promise<{
+async function fetchNewTokens(request: Request): Promise<{
     accessToken: string;
     refreshToken: string;
     frontToken: string;
     antiCsrfToken: string;
 }> {
     const refreshApiURL = new URL(`${AppInfo.apiBasePath}/session/refresh`, AppInfo.apiDomain);
+    const cookieRefreshToken = getCookie(request, REFRESH_TOKEN_COOKIE_NAME);
+    const headerRefreshToken = request.headers.get(REFRESH_TOKEN_HEADER_NAME);
+    const refreshRequestHeaders: Record<string, string> = {
+        "Content-Type": "application/json",
+    };
+    if (cookieRefreshToken) {
+        refreshRequestHeaders.Cookie = `${REFRESH_TOKEN_COOKIE_NAME}=${cookieRefreshToken}`;
+    } else if (headerRefreshToken) {
+        refreshRequestHeaders[REFRESH_TOKEN_HEADER_NAME] = headerRefreshToken;
+    }
+
     const refreshResponse = await fetch(refreshApiURL, {
         method: "POST",
-        headers: {
-            "Content-Type": "application/json",
-            [REFRESH_TOKEN_HEADER_NAME]: currentRefreshToken,
-            Cookie: `${REFRESH_TOKEN_COOKIE_NAME}=${currentRefreshToken}`,
-        },
+        headers: refreshRequestHeaders,
         credentials: "include",
     });
     logDebugMessage("Session refresh request completed");
-
+    logDebugMessage("Session refresh request completed");
     const frontTokenHeaderValue = refreshResponse.headers.get(FRONT_TOKEN_HEADER_NAME);
     const cookieTokens = {
         accessToken: "",
         refreshToken: "",
-        frontToken: `${FRONT_TOKEN_COOKIE_NAME}=${frontTokenHeaderValue}; HTTPOnly; Path=/`,
+        frontToken: `${FRONT_TOKEN_COOKIE_NAME}=${frontTokenHeaderValue}; Path=/`,
         antiCsrfToken: "",
     };
     // TOOD: Review the current build target
diff --git a/lib/ts/nextjs/ssr.ts b/lib/ts/nextjs/ssr.ts
@@ -2,20 +2,20 @@ import * as jose from "jose";
 
 import { enableLogging, logDebugMessage } from "../logger";
 
+import {
+    FRONT_TOKEN_HEADER_NAME,
+    ACCESS_TOKEN_COOKIE_NAME,
+    ACCESS_TOKEN_HEADER_NAME,
+    CURRENT_PATH_COOKIE_NAME,
+    FORCE_LOGOUT_PATH_PARAM_NAME,
+    REDIRECT_PATH_PARAM_NAME,
+    FRONT_TOKEN_COOKIE_NAME,
+} from "./constants";
 import { isCookiesStore } from "./types";
 
 import type { CookiesObject, CookiesStore, GetServerSidePropsReturnValue, SuperTokensNextjsConfig } from "./types";
 import type { AccessTokenPayload, LoadedSessionContext } from "../recipe/session/types";
 
-const ACCESS_TOKEN_COOKIE_NAME = "sAccessToken";
-const ACCESS_TOKEN_HEADER_NAME = "st-access-token";
-const FRONT_TOKEN_NAME = "sFrontToken";
-const FRONT_TOKEN_HEADER_NAME = "front-token";
-
-const CURRENT_PATH_COOKIE_NAME = "sCurrentPath";
-const FORCE_LOGOUT_PATH_PARAM_NAME = "forceLogout";
-const REDIRECT_PATH_PARAM_NAME = "stRedirectTo";
-
 type SSRSessionState =
     | "front-token-not-found"
     | "front-token-invalid"
@@ -128,7 +128,8 @@ function getRefreshLocation(redirectPath: string): string {
 async function getSSRSessionState(
     cookies: CookiesObject | CookiesStore
 ): Promise<{ state: SSRSessionState; session?: LoadedSessionContext }> {
-    const frontToken = getCookieValue(cookies, FRONT_TOKEN_NAME) || getCookieValue(cookies, FRONT_TOKEN_HEADER_NAME);
+    const frontToken =
+        getCookieValue(cookies, FRONT_TOKEN_COOKIE_NAME) || getCookieValue(cookies, FRONT_TOKEN_HEADER_NAME);
     if (!frontToken) {
         return { state: "front-token-not-found" };
     }
diff --git a/test/unit/nextjs/middleware.test.ts b/test/unit/nextjs/middleware.test.ts
