fix: adds updating of session claims in email verification token generation API

sattvikc · sattvikc · commit 54b97352159f · 2022-11-16T15:49:40.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [unreleased]
 - Fixes go fiber to handle handler chaining correctly with verifySession.
 - Added test to check JWT contains updated value when MergeIntoAccessTokenPayload is called.
+- Adds updating of session claims in email verification token generation API in case the session claims are outdated.
 
 ## [0.9.7] - 2022-10-20
 - Updated Frontend integration test server for angular tests
diff --git a/recipe/emailpassword/ev_session_claim_test.go b/recipe/emailpassword/ev_session_claim_test.go
@@ -0,0 +1,144 @@
+package emailpassword
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/supertokens/supertokens-golang/recipe/emailverification"
+	"github.com/supertokens/supertokens-golang/recipe/emailverification/evmodels"
+	"github.com/supertokens/supertokens-golang/recipe/session"
+	"github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
+	"github.com/supertokens/supertokens-golang/supertokens"
+	"github.com/supertokens/supertokens-golang/test/unittesting"
+)
+
+func TestEVGenerateUpdatesSessionClaims(t *testing.T) {
+	antiCsrfConf := "VIA_TOKEN"
+	configValue := supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			APIDomain:     "api.supertokens.io",
+			AppName:       "SuperTokens",
+			WebsiteDomain: "supertokens.io",
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(nil),
+			emailverification.Init(evmodels.TypeInput{
+				Mode:                     evmodels.ModeOptional,
+				CreateAndSendCustomEmail: func(user evmodels.User, emailVerificationURLWithToken string, userContext supertokens.UserContext) {},
+			}),
+			session.Init(&sessmodels.TypeInput{
+				AntiCsrf: &antiCsrfConf,
+			}),
+		},
+	}
+
+	BeforeEach()
+	unittesting.StartUpST("localhost", "8080")
+	defer AfterEach()
+	err := supertokens.Init(configValue)
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	mux := http.NewServeMux()
+	testServer := httptest.NewServer(supertokens.Middleware(mux))
+	defer testServer.Close()
+
+	resp, err := unittesting.SignupRequest("test@gmail.com", "testPass123", testServer.URL)
+	assert.NoError(t, err)
+
+	assert.Equal(t, 200, resp.StatusCode)
+	bodyBytes, err := ioutil.ReadAll(resp.Body)
+	assert.NoError(t, err)
+
+	bodyObj := map[string]interface{}{}
+	err = json.Unmarshal(bodyBytes, &bodyObj)
+	assert.NoError(t, err)
+
+	userId := bodyObj["user"].(map[string]interface{})["id"].(string)
+	infoFromResponse := unittesting.ExtractInfoFromResponse(resp)
+	antiCsrf := infoFromResponse["antiCsrf"]
+
+	token, err := emailverification.CreateEmailVerificationToken(userId, nil)
+	assert.NoError(t, err)
+	_, err = emailverification.VerifyEmailUsingToken(token.OK.Token)
+	assert.NoError(t, err)
+
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse = unittesting.ExtractInfoFromResponse(resp)
+	b64Bytes, err := base64.StdEncoding.DecodeString(infoFromResponse["frontToken"])
+	assert.NoError(t, err)
+	frontendInfo := map[string]interface{}{}
+	err = json.Unmarshal(b64Bytes, &frontendInfo)
+	assert.NoError(t, err)
+
+	val := frontendInfo["up"].(map[string]interface{})["st-ev"].(map[string]interface{})["v"].(bool)
+	fmt.Println(val)
+	assert.True(t, frontendInfo["up"].(map[string]interface{})["st-ev"].(map[string]interface{})["v"].(bool))
+
+	// Calling again should not modify access token
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse2 := unittesting.ExtractInfoFromResponse(resp)
+	assert.Empty(t, infoFromResponse2["frontToken"])
+
+	// now we mark the email as unverified and try again
+	emailverification.UnverifyEmail(userId, nil)
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse = unittesting.ExtractInfoFromResponse(resp)
+	b64Bytes, err = base64.StdEncoding.DecodeString(infoFromResponse["frontToken"])
+	assert.NoError(t, err)
+	frontendInfo = map[string]interface{}{}
+	err = json.Unmarshal(b64Bytes, &frontendInfo)
+	assert.NoError(t, err)
+	assert.False(t, frontendInfo["up"].(map[string]interface{})["st-ev"].(map[string]interface{})["v"].(bool))
+
+	// calling the API again should not modify the access token again
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse2 = unittesting.ExtractInfoFromResponse(resp)
+	assert.Empty(t, infoFromResponse2["frontToken"])
+}
diff --git a/recipe/emailverification/api/implementation.go b/recipe/emailverification/api/implementation.go
@@ -102,12 +102,19 @@ func MakeAPIImplementation() evmodels.APIInterface {
 		}
 
 		if response.EmailAlreadyVerifiedError != nil {
+			if sessionContainer.GetClaimValue(evclaims.EmailVerificationClaim) != true {
+				sessionContainer.FetchAndSetClaimWithContext(evclaims.EmailVerificationClaim, userContext)
+			}
 			supertokens.LogDebugMessage(fmt.Sprintf("Email verification email not sent to %s because it is already verified", email.OK.Email))
 			return evmodels.GenerateEmailVerifyTokenPOSTResponse{
 				EmailAlreadyVerifiedError: &struct{}{},
 			}, nil
 		}
 
+		if sessionContainer.GetClaimValue(evclaims.EmailVerificationClaim) != false {
+			sessionContainer.FetchAndSetClaimWithContext(evclaims.EmailVerificationClaim, userContext)
+		}
+
 		user := evmodels.User{
 			ID:    userID,
 			Email: email.OK.Email,
diff --git a/test/unittesting/testingutils.go b/test/unittesting/testingutils.go
@@ -258,6 +258,8 @@ func ExtractInfoFromResponse(res *http.Response) map[string]string {
 	if len(antiCsrf) > 0 {
 		antiCsrfVal = antiCsrf[0]
 	}
+	frontToken := res.Header.Get("front-token")
+
 	return map[string]string{
 		"antiCsrf":                 antiCsrfVal,
 		"sAccessToken":             accessToken,
@@ -273,6 +275,7 @@ func ExtractInfoFromResponse(res *http.Response) map[string]string {
 		"accessTokenExpiry":        accessTokenExpiry,
 		"accessTokenDomain":        accessTokenDomain,
 		"accessTokenHttpOnly":      accessTokenHttpOnly,
+		"frontToken":               frontToken,
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -258,6 +258,8 @@ func ExtractInfoFromResponse(res *http.Response) map[string]string {`
`258`	`258`	`if len(antiCsrf) > 0 {`
`259`	`259`	`antiCsrfVal = antiCsrf[0]`
`260`	`260`	`}`
	`261`	`+ frontToken := res.Header.Get("front-token")`
	`262`	`+`
`261`	`263`	`return map[string]string{`
`262`	`264`	`"antiCsrf": antiCsrfVal,`
`263`	`265`	`"sAccessToken": accessToken,`
`@@ -273,6 +275,7 @@ func ExtractInfoFromResponse(res *http.Response) map[string]string {`
`273`	`275`	`"accessTokenExpiry": accessTokenExpiry,`
`274`	`276`	`"accessTokenDomain": accessTokenDomain,`
`275`	`277`	`"accessTokenHttpOnly": accessTokenHttpOnly,`
	`278`	`+ "frontToken": frontToken,`
`276`	`279`	`}`
`277`	`280`	`}`
`278`	`281`