header based changes for session

Author: rishabhpoddar

.vscode/settings.json

@@ -2,10 +2,11 @@
     "python.linting.pylintEnabled": true,
     "python.linting.enabled": true,
     "editor.codeActionsOnSave": {
-        "source.organizeImports": true
+        "source.organizeImports": "explicit"
     },
     "python.analysis.typeCheckingMode": "strict",
     "python.testing.unittestEnabled": false,
     "python.testing.pytestEnabled": true,
-    "python.analysis.autoImportCompletions": true
+    "python.analysis.autoImportCompletions": true,
+    "circleci.persistedProjectSelection": []
 }

CHANGELOG.md

@@ -8,6 +8,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.19.0] - 2024-05-06
+
+-  `create_new_session` now defaults to the value of the `st-auth-mode` header (if available) if the configured `get_token_transfer_method` returns `any`.
+
 ## [0.18.11] - 2024-04-26
 
 - Fixes issues with the propagation of session creation/updates with django-rest-framework because the django-rest-framework wrapped the original request with it's own request object. Updates on that object were not reflecting on the original request object.

supertokens_python/recipe/session/session_request_functions.py

@@ -50,6 +50,7 @@
     SessionConfig,
     TokenTransferMethod,
     get_required_claim_validators,
+    get_auth_mode_from_header,
 )
 from supertokens_python.types import MaybeAwaitable
 from supertokens_python.utils import (
@@ -179,9 +180,11 @@ async def get_session_from_request(
     log_debug_message("getSession: Value of antiCsrfToken is: %s", do_anti_csrf_check)
 
     session = await recipe_interface_impl.get_session(
-        access_token=request_access_token.raw_token_string
-        if request_access_token is not None
-        else None,
+        access_token=(
+            request_access_token.raw_token_string
+            if request_access_token is not None
+            else None
+        ),
         anti_csrf_token=anti_csrf_token,
         anti_csrf_check=do_anti_csrf_check,
         session_required=session_required,
@@ -229,6 +232,7 @@ async def create_new_session_in_request(
 ) -> SessionContainer:
     log_debug_message("createNewSession: Started")
 
+    # Handling framework specific request/response wrapping
     if not hasattr(request, "wrapper_used") or not request.wrapper_used:
         request = FRAMEWORKS[
             Supertokens.get_instance().app_info.framework
@@ -238,7 +242,6 @@ async def create_new_session_in_request(
     user_context = set_request_in_user_context_if_not_defined(user_context, request)
 
     claims_added_by_other_recipes = recipe_instance.get_claims_added_by_other_recipes()
-    app_info = recipe_instance.app_info
     issuer = (
         app_info.api_domain.get_as_string_dangerous()
         + app_info.api_base_path.get_as_string_dangerous()
@@ -252,15 +255,20 @@ async def create_new_session_in_request(
 
     for claim in claims_added_by_other_recipes:
         update = await claim.build(user_id, tenant_id, user_context)
-        final_access_token_payload = {**final_access_token_payload, **update}
+        final_access_token_payload.update(update)
 
     log_debug_message("createNewSession: Access token payload built")
 
     output_transfer_method = config.get_token_transfer_method(
         request, True, user_context
     )
     if output_transfer_method == "any":
-        output_transfer_method = "header"
+        auth_mode_header = get_auth_mode_from_header(request)
+        if auth_mode_header == "cookie":
+            output_transfer_method = auth_mode_header
+        else:
+            output_transfer_method = "header"
+
     log_debug_message(
         "createNewSession: using transfer method %s", output_transfer_method
     )

tests/sessions/test_auth_mode.py

@@ -162,6 +162,91 @@ def check_extracted_info(
         assert False, "Invalid expected_transfer_method"
 
 
+@mark.asyncio
+async def test_use_headers_if_get_token_transfer_method_returns_any_and_no_st_auth_mode_header(
+    app: TestClient,
+):
+    init(
+        **get_st_init_args(
+            [
+                session.init(
+                    anti_csrf="VIA_TOKEN",
+                    get_token_transfer_method=lambda _, __, ___: "any",  # Always return "any"
+                )
+            ]
+        )
+    )
+    start_st()
+
+    # Create session without specifying st-auth-mode
+    res = create_session(app)
+
+    # Assert that no tokens are set in the cookies
+    assert res.get("accessToken") is None
+    assert res.get("refreshToken") is None
+    assert res.get("antiCsrf") is None
+
+    # Assert that tokens are set in the headers
+    assert res.get("accessTokenFromHeader") is not None
+    assert res.get("refreshTokenFromHeader") is not None
+
+
+@mark.asyncio
+async def test_should_use_cookies_if_get_token_transfer_method_returns_any_and_st_auth_mode_is_set_to_cookie(
+    app: TestClient,
+):
+    init(
+        **get_st_init_args(
+            [
+                session.init(
+                    anti_csrf="VIA_TOKEN",
+                    get_token_transfer_method=lambda _, __, ___: "any",  # Always returns "any"
+                )
+            ]
+        )
+    )
+    start_st()
+
+    # Creating session with st-auth-mode set to 'cookie'
+    res = create_session(app, auth_mode_header="cookie")
+
+    # Checking that the tokens are not set in headers
+    assert res.get("accessToken") is not None
+    assert res.get("refreshToken") is not None
+    assert res.get("antiCsrf") is not None
+    assert res.get("accessTokenFromHeader") is None
+    assert res.get("refreshTokenFromHeader") is None
+
+
+@mark.asyncio
+async def test_use_headers_if_get_token_transfer_method_returns_any_and_st_auth_mode_is_set_to_header(
+    app: TestClient,
+):
+    init(
+        **get_st_init_args(
+            [
+                session.init(
+                    anti_csrf="VIA_TOKEN",
+                    get_token_transfer_method=lambda _, __, ___: "any",  # Always returns "any"
+                )
+            ]
+        )
+    )
+    start_st()
+
+    # Creating session with st-auth-mode set to 'header'
+    res = create_session(app, auth_mode_header="header")
+
+    # Assert that no tokens are set in the cookies
+    assert res.get("accessToken") is None
+    assert res.get("refreshToken") is None
+    assert res.get("antiCsrf") is None
+
+    # Assert that tokens are set in the headers
+    assert res.get("accessTokenFromHeader") is not None
+    assert res.get("refreshTokenFromHeader") is not None
+
+
 @mark.parametrize(
     "auth_mode_header, expected_transfer_method",
     [