Merge pull request #204 from supertokens/ev-session-claims-issue

fix: Adds updating of session claims in email verification token generation API in case the session claims are outdated

Author: rishabhpoddar

CHANGELOG.md

@@ -6,8 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [unreleased]
+
+## [0.9.8] - 2022-11-16
 - Fixes go fiber to handle handler chaining correctly with verifySession.
 - Added test to check JWT contains updated value when MergeIntoAccessTokenPayload is called.
+- Adds updating of session claims in email verification token generation API in case the session claims are outdated.
 
 ## [0.9.7] - 2022-10-20
 - Updated Frontend integration test server for angular tests

recipe/emailpassword/ev_session_claim_test.go

@@ -0,0 +1,155 @@
+package emailpassword
+
+import (
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/supertokens/supertokens-golang/recipe/emailverification"
+	"github.com/supertokens/supertokens-golang/recipe/emailverification/evmodels"
+	"github.com/supertokens/supertokens-golang/recipe/session"
+	"github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
+	"github.com/supertokens/supertokens-golang/supertokens"
+	"github.com/supertokens/supertokens-golang/test/unittesting"
+)
+
+func TestEVGenerateUpdatesSessionClaims(t *testing.T) {
+	antiCsrfConf := "VIA_TOKEN"
+	configValue := supertokens.TypeInput{
+		Supertokens: &supertokens.ConnectionInfo{
+			ConnectionURI: "http://localhost:8080",
+		},
+		AppInfo: supertokens.AppInfo{
+			APIDomain:     "api.supertokens.io",
+			AppName:       "SuperTokens",
+			WebsiteDomain: "supertokens.io",
+		},
+		RecipeList: []supertokens.Recipe{
+			Init(nil),
+			emailverification.Init(evmodels.TypeInput{
+				Mode:                     evmodels.ModeOptional,
+				CreateAndSendCustomEmail: func(user evmodels.User, emailVerificationURLWithToken string, userContext supertokens.UserContext) {},
+			}),
+			session.Init(&sessmodels.TypeInput{
+				AntiCsrf: &antiCsrfConf,
+			}),
+		},
+	}
+
+	BeforeEach()
+	unittesting.StartUpST("localhost", "8080")
+	defer AfterEach()
+	err := supertokens.Init(configValue)
+	if err != nil {
+		t.Error(err.Error())
+	}
+	querier, err := supertokens.GetNewQuerierInstanceOrThrowError("")
+	if err != nil {
+		t.Error(err.Error())
+	}
+	cdiVersion, err := querier.GetQuerierAPIVersion()
+	if err != nil {
+		t.Error(err.Error())
+	}
+	if unittesting.MaxVersion("2.10", cdiVersion) != cdiVersion {
+		return
+	}
+
+	mux := http.NewServeMux()
+	testServer := httptest.NewServer(supertokens.Middleware(mux))
+	defer testServer.Close()
+
+	resp, err := unittesting.SignupRequest("[email protected]", "testPass123", testServer.URL)
+	assert.NoError(t, err)
+
+	assert.Equal(t, 200, resp.StatusCode)
+	bodyBytes, err := ioutil.ReadAll(resp.Body)
+	assert.NoError(t, err)
+
+	bodyObj := map[string]interface{}{}
+	err = json.Unmarshal(bodyBytes, &bodyObj)
+	assert.NoError(t, err)
+
+	userId := bodyObj["user"].(map[string]interface{})["id"].(string)
+	infoFromResponse := unittesting.ExtractInfoFromResponse(resp)
+	antiCsrf := infoFromResponse["antiCsrf"]
+
+	token, err := emailverification.CreateEmailVerificationToken(userId, nil)
+	assert.NoError(t, err)
+	_, err = emailverification.VerifyEmailUsingToken(token.OK.Token)
+	assert.NoError(t, err)
+
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse = unittesting.ExtractInfoFromResponse(resp)
+	b64Bytes, err := base64.StdEncoding.DecodeString(infoFromResponse["frontToken"])
+	assert.NoError(t, err)
+	frontendInfo := map[string]interface{}{}
+	err = json.Unmarshal(b64Bytes, &frontendInfo)
+	assert.NoError(t, err)
+
+	val := frontendInfo["up"].(map[string]interface{})["st-ev"].(map[string]interface{})["v"].(bool)
+	fmt.Println(val)
+	assert.True(t, frontendInfo["up"].(map[string]interface{})["st-ev"].(map[string]interface{})["v"].(bool))
+
+	// Calling again should not modify access token
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse2 := unittesting.ExtractInfoFromResponse(resp)
+	assert.Empty(t, infoFromResponse2["frontToken"])
+
+	// now we mark the email as unverified and try again
+	emailverification.UnverifyEmail(userId, nil)
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse = unittesting.ExtractInfoFromResponse(resp)
+	b64Bytes, err = base64.StdEncoding.DecodeString(infoFromResponse["frontToken"])
+	assert.NoError(t, err)
+	frontendInfo = map[string]interface{}{}
+	err = json.Unmarshal(b64Bytes, &frontendInfo)
+	assert.NoError(t, err)
+	assert.False(t, frontendInfo["up"].(map[string]interface{})["st-ev"].(map[string]interface{})["v"].(bool))
+
+	// calling the API again should not modify the access token again
+	resp, err = unittesting.EmailVerifyTokenRequest(
+		testServer.URL,
+		userId,
+		infoFromResponse["sAccessToken"],
+		infoFromResponse["sIdRefreshToken"],
+		antiCsrf,
+	)
+	assert.NoError(t, err)
+	assert.Equal(t, 200, resp.StatusCode)
+
+	infoFromResponse2 = unittesting.ExtractInfoFromResponse(resp)
+	assert.Empty(t, infoFromResponse2["frontToken"])
+}

recipe/emailverification/api/implementation.go

@@ -102,12 +102,19 @@ func MakeAPIImplementation() evmodels.APIInterface {
 		}
 
 		if response.EmailAlreadyVerifiedError != nil {
+			if sessionContainer.GetClaimValue(evclaims.EmailVerificationClaim) != true {
+				sessionContainer.FetchAndSetClaimWithContext(evclaims.EmailVerificationClaim, userContext)
+			}
 			supertokens.LogDebugMessage(fmt.Sprintf("Email verification email not sent to %s because it is already verified", email.OK.Email))
 			return evmodels.GenerateEmailVerifyTokenPOSTResponse{
 				EmailAlreadyVerifiedError: &struct{}{},
 			}, nil
 		}
 
+		if sessionContainer.GetClaimValue(evclaims.EmailVerificationClaim) != false {
+			sessionContainer.FetchAndSetClaimWithContext(evclaims.EmailVerificationClaim, userContext)
+		}
+
 		user := evmodels.User{
 			ID:    userID,
 			Email: email.OK.Email,

supertokens/constants.go

@@ -21,7 +21,7 @@ const (
 )
 
 // VERSION current version of the lib
-const VERSION = "0.9.7"
+const VERSION = "0.9.8"
 
 var (
 	cdiSupported = []string{"2.8", "2.9", "2.10", "2.11", "2.12", "2.13", "2.14", "2.15"}

test/unittesting/testingutils.go

@@ -258,6 +258,8 @@ func ExtractInfoFromResponse(res *http.Response) map[string]string {
 	if len(antiCsrf) > 0 {
 		antiCsrfVal = antiCsrf[0]
 	}
+	frontToken := res.Header.Get("front-token")
+
 	return map[string]string{
 		"antiCsrf":                 antiCsrfVal,
 		"sAccessToken":             accessToken,
@@ -273,6 +275,7 @@ func ExtractInfoFromResponse(res *http.Response) map[string]string {
 		"accessTokenExpiry":        accessTokenExpiry,
 		"accessTokenDomain":        accessTokenDomain,
 		"accessTokenHttpOnly":      accessTokenHttpOnly,
+		"frontToken":               frontToken,
 	}
 }