fix: oninvalidclaim handler

Author: sattvikc

recipe/session/claims/claims.go

@@ -50,6 +50,6 @@ type ClaimValidationResult struct {
 }
 
 type ClaimValidationError struct {
-	ID     string
-	Reason interface{} // This can be nil, add checks when used
+	ID     string      `json:"id"`
+	Reason interface{} `json:"reason"` // This can be nil, add checks when used
 }

recipe/session/sessmodels/models.go

@@ -91,6 +91,7 @@ type TypeInput struct {
 	CookieSecure             *bool
 	CookieSameSite           *string
 	SessionExpiredStatusCode *int
+	InvalidClaimStatusCode   *int
 	CookieDomain             *string
 	AntiCsrf                 *string
 	Override                 *OverrideStruct
@@ -113,6 +114,7 @@ type OverrideStruct struct {
 type ErrorHandlers struct {
 	OnUnauthorised       func(message string, req *http.Request, res http.ResponseWriter) error
 	OnTokenTheftDetected func(sessionHandle string, userID string, req *http.Request, res http.ResponseWriter) error
+	OnInvalidClaim       func(validationErrors []claims.ClaimValidationError, req *http.Request, res http.ResponseWriter) error
 }
 
 type TypeNormalisedInput struct {
@@ -121,6 +123,7 @@ type TypeNormalisedInput struct {
 	CookieSameSite           string
 	CookieSecure             bool
 	SessionExpiredStatusCode int
+	InvalidClaimStatusCode   int
 	AntiCsrf                 string
 	Override                 OverrideStruct
 	ErrorHandlers            NormalisedErrorHandlers
@@ -154,6 +157,7 @@ type NormalisedErrorHandlers struct {
 	OnUnauthorised       func(message string, req *http.Request, res http.ResponseWriter) error
 	OnTryRefreshToken    func(message string, req *http.Request, res http.ResponseWriter) error
 	OnTokenTheftDetected func(sessionHandle string, userID string, req *http.Request, res http.ResponseWriter) error
+	OnInvalidClaim       func(validationErrors []claims.ClaimValidationError, req *http.Request, res http.ResponseWriter) error
 }
 
 type SessionContainer struct {

recipe/session/utils.go

@@ -88,6 +88,11 @@ func validateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 		sessionExpiredStatusCode = *config.SessionExpiredStatusCode
 	}
 
+	invalidClaimStatusCode := 403
+	if config != nil && config.InvalidClaimStatusCode != nil {
+		invalidClaimStatusCode = *config.InvalidClaimStatusCode
+	}
+
 	if config != nil && config.AntiCsrf != nil {
 		if *config.AntiCsrf != antiCSRF_NONE && *config.AntiCsrf != antiCSRF_VIA_CUSTOM_HEADER && *config.AntiCsrf != antiCSRF_VIA_TOKEN {
 			return sessmodels.TypeNormalisedInput{}, errors.New("antiCsrf config must be one of 'NONE' or 'VIA_CUSTOM_HEADER' or 'VIA_TOKEN'")
@@ -127,6 +132,13 @@ func validateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 			}
 			return sendUnauthorisedResponse(*recipeInstance, message, req, res)
 		},
+		OnInvalidClaim: func(validationErrors []claims.ClaimValidationError, req *http.Request, res http.ResponseWriter) error {
+			recipeInstance, err := getRecipeInstanceOrThrowError()
+			if err != nil {
+				return err
+			}
+			return sendInvalidClaimResponse(*recipeInstance, validationErrors, req, res)
+		},
 	}
 
 	if config != nil && config.ErrorHandlers != nil {
@@ -136,6 +148,9 @@ func validateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 		if config.ErrorHandlers.OnUnauthorised != nil {
 			errorHandlers.OnUnauthorised = config.ErrorHandlers.OnUnauthorised
 		}
+		if config.ErrorHandlers.OnInvalidClaim != nil {
+			errorHandlers.OnInvalidClaim = config.ErrorHandlers.OnInvalidClaim
+		}
 	}
 
 	IsAnIPAPIDomain, err := supertokens.IsAnIPAddress(topLevelAPIDomain)
@@ -178,6 +193,7 @@ func validateAndNormaliseUserInput(appInfo supertokens.NormalisedAppinfo, config
 		CookieSameSite:           cookieSameSite,
 		CookieSecure:             cookieSecure,
 		SessionExpiredStatusCode: sessionExpiredStatusCode,
+		InvalidClaimStatusCode:   invalidClaimStatusCode,
 		AntiCsrf:                 antiCsrf,
 		ErrorHandlers:            errorHandlers,
 		Jwt:                      Jwt,
@@ -297,6 +313,13 @@ func sendUnauthorisedResponse(recipeInstance Recipe, _ string, _ *http.Request,
 	return supertokens.SendNon200Response(response, "unauthorised", recipeInstance.Config.SessionExpiredStatusCode)
 }
 
+func sendInvalidClaimResponse(recipeInstance Recipe, claimValidationErrors []claims.ClaimValidationError, _ *http.Request, response http.ResponseWriter) error {
+	return supertokens.SendNon200ResponseWithPayload(response, map[string]interface{}{
+		"message":               "invalid claim",
+		"claimValidationErrors": claimValidationErrors,
+	}, recipeInstance.Config.InvalidClaimStatusCode)
+}
+
 func sendTokenTheftDetectedResponse(recipeInstance Recipe, sessionHandle string, _ string, _ *http.Request, response http.ResponseWriter) error {
 	_, err := (*recipeInstance.RecipeImpl.RevokeSession)(sessionHandle, &map[string]interface{}{})
 	if err != nil {

supertokens/utils.go

@@ -181,6 +181,28 @@ func SendNon200Response(res http.ResponseWriter, message string, statusCode int)
 	return nil
 }
 
+func SendNon200ResponseWithPayload(res http.ResponseWriter, payload map[string]interface{}, statusCode int) error {
+	dw := MakeDoneWriter(res)
+	if !dw.IsDone() {
+		if statusCode < 300 {
+			return errors.New("calling SendNon200ResponseWithPayload with status code < 300")
+		}
+
+		LogDebugMessage("Sending response to client with status code: " + strconv.Itoa(statusCode))
+
+		res.Header().Set("Content-Type", "application/json; charset=utf-8")
+		res.WriteHeader(statusCode)
+
+		bytes, err := json.Marshal(payload)
+		if err != nil {
+			return err
+		} else {
+			res.Write(bytes)
+		}
+	}
+	return nil
+}
+
 func ReadFromRequest(r *http.Request) ([]byte, error) {
 	f := r.Body
 	buf, err := ioutil.ReadAll(f)