Ignore protected props in create new session

Author: nkshah2

CHANGELOG.md

@@ -16,6 +16,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changes
 
 -   Dashboard APIs now return a status code `403` for all non-GET requests if the currently logged in Dashboard User is not listed in the `admins` array
+-   Now ignoring protected props in the payload in `CreateNewSession` and `CreateNewSessionWithoutRequestResponse`
 
 ## [0.13.2] - 2023-08-28
 

recipe/session/accessTokenVersions_test.go

@@ -184,14 +184,21 @@ func TestShouldThrowErrorWhenUsingProtectedProps(t *testing.T) {
 	}
 	res2, err2 := http.Post(testServer.URL+"/create", "application/json", bytes.NewBuffer(postBody))
 	if err2 != nil {
-		t.Error(err.Error())
+		t.Error(err2.Error())
 	}
 
-	assert.Equal(t, 400, res2.StatusCode)
+	assert.Equal(t, 200, res2.StatusCode)
 	cookies := unittesting.ExtractInfoFromResponse(res2)
-	assert.True(t, cookies["accessTokenFromAny"] == "")
-	assert.True(t, cookies["refreshTokenFromAny"] == "")
-	assert.True(t, cookies["frontToken"] == "")
+	assert.False(t, cookies["accessTokenFromAny"] == "")
+	assert.False(t, cookies["refreshTokenFromAny"] == "")
+	assert.False(t, cookies["frontToken"] == "")
+
+	parsedToken, err := ParseJWTWithoutSignatureVerification(cookies["accessTokenFromAny"])
+	if err != nil {
+		t.Error(err.Error())
+	}
+
+	assert.True(t, parsedToken.Payload["sub"] != "asdf")
 }
 
 func TestMergeIntoATShouldHelpMigratingV2TokenUsingProtectedProps(t *testing.T) {

recipe/session/constants.go

@@ -31,3 +31,17 @@ const (
 	CookieSameSite_LAX    = "lax"
 	CookieSameSite_STRICT = "strict"
 )
+
+var JWKCacheMaxAgeInMs int64 = 60000
+var JWKRefreshRateLimit = 500
+var protectedProps = []string{
+	"sub",
+	"iat",
+	"exp",
+	"sessionHandle",
+	"parentRefreshTokenHash1",
+	"refreshTokenHash1",
+	"antiCsrfToken",
+	"rsub",
+	"tId",
+}

recipe/session/main.go

@@ -64,6 +64,10 @@ func CreateNewSessionWithoutRequestResponse(tenantId string, userID string, acce
 
 	finalAccessTokenPayload["iss"] = issuer
 
+	for _, protectedProp := range protectedProps {
+		delete(finalAccessTokenPayload, protectedProp)
+	}
+
 	for _, claim := range claimsAddedByOtherRecipes {
 		finalAccessTokenPayload, err = claim.Build(userID, tenantId, finalAccessTokenPayload, userContext[0])
 		if err != nil {

recipe/session/recipeImplementation.go

@@ -32,19 +32,6 @@ import (
 	"github.com/supertokens/supertokens-golang/supertokens"
 )
 
-var protectedProps = []string{
-	"sub",
-	"iat",
-	"exp",
-	"sessionHandle",
-	"parentRefreshTokenHash1",
-	"refreshTokenHash1",
-	"antiCsrfToken",
-	"tId",
-}
-
-var JWKCacheMaxAgeInMs int64 = 60000
-var JWKRefreshRateLimit = 500
 var jwksCache *sessmodels.GetJWKSResult = nil
 var mutex sync.RWMutex
 

recipe/session/sessionRequestFunctions.go

@@ -43,6 +43,10 @@ func CreateNewSessionInRequest(req *http.Request, res http.ResponseWriter, tenan
 	issuer := appInfo.APIDomain.GetAsStringDangerous() + appInfo.APIBasePath.GetAsStringDangerous()
 	finalAccessTokenPayload["iss"] = issuer
 
+	for _, protectedProp := range protectedProps {
+		delete(finalAccessTokenPayload, protectedProp)
+	}
+
 	for _, claim := range claimsAddedByOtherRecipes {
 		_finalAccessTokenPayload, err := claim.Build(userID, tenantId, finalAccessTokenPayload, userContext)
 		if err != nil {