Merge branch '0.13' into test-cicd/access-token-optional

Author: rishabhpoddar

CHANGELOG.md

@@ -8,6 +8,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [0.13.1] - 2023-05-15
 ### Changes
 -   Made the access token string optional in the overrideable `get_session` function
 -   Moved checking if the access token is defined into the overrideable `get_session` function

html/supertokens_python/constants.html

@@ -42,7 +42,7 @@ <h1 class="title">Module <code>supertokens_python.constants</code></h1>
 from __future__ import annotations
 
 SUPPORTED_CDI_VERSIONS = [&#34;2.21&#34;]
-VERSION = &#34;0.13.0&#34;
+VERSION = &#34;0.13.1&#34;
 TELEMETRY = &#34;/telemetry&#34;
 USER_COUNT = &#34;/users/count&#34;
 USER_DELETE = &#34;/user/remove&#34;

html/supertokens_python/recipe/session/interfaces.html

@@ -184,8 +184,8 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.interfaces</cod
     @abstractmethod
     async def get_session(
         self,
-        access_token: str,
-        anti_csrf_token: Optional[str],
+        access_token: Optional[str],
+        anti_csrf_token: Optional[str] = None,
         anti_csrf_check: Optional[bool] = None,
         session_required: Optional[bool] = None,
         check_database: Optional[bool] = None,
@@ -1033,8 +1033,8 @@ <h3>Class variables</h3>
     @abstractmethod
     async def get_session(
         self,
-        access_token: str,
-        anti_csrf_token: Optional[str],
+        access_token: Optional[str],
+        anti_csrf_token: Optional[str] = None,
         anti_csrf_check: Optional[bool] = None,
         session_required: Optional[bool] = None,
         check_database: Optional[bool] = None,
@@ -1284,7 +1284,7 @@ <h3>Methods</h3>
 </details>
 </dd>
 <dt id="supertokens_python.recipe.session.interfaces.RecipeInterface.get_session"><code class="name flex">
-<span>async def <span class="ident">get_session</span></span>(<span>self, access_token: str, anti_csrf_token: Optional[str], anti_csrf_check: Optional[bool] = None, session_required: Optional[bool] = None, check_database: Optional[bool] = None, override_global_claim_validators: Optional[Callable[[List[<a title="supertokens_python.recipe.session.interfaces.SessionClaimValidator" href="#supertokens_python.recipe.session.interfaces.SessionClaimValidator">SessionClaimValidator</a>], <a title="supertokens_python.recipe.session.interfaces.SessionContainer" href="#supertokens_python.recipe.session.interfaces.SessionContainer">SessionContainer</a>, Dict[str, Any]], MaybeAwaitable[List[<a title="supertokens_python.recipe.session.interfaces.SessionClaimValidator" href="#supertokens_python.recipe.session.interfaces.SessionClaimValidator">SessionClaimValidator</a>]]]] = None, user_context: Optional[Dict[str, Any]] = None) ‑> Optional[<a title="supertokens_python.recipe.session.interfaces.SessionContainer" href="#supertokens_python.recipe.session.interfaces.SessionContainer">SessionContainer</a>]</span>
+<span>async def <span class="ident">get_session</span></span>(<span>self, access_token: Optional[str], anti_csrf_token: Optional[str] = None, anti_csrf_check: Optional[bool] = None, session_required: Optional[bool] = None, check_database: Optional[bool] = None, override_global_claim_validators: Optional[Callable[[List[<a title="supertokens_python.recipe.session.interfaces.SessionClaimValidator" href="#supertokens_python.recipe.session.interfaces.SessionClaimValidator">SessionClaimValidator</a>], <a title="supertokens_python.recipe.session.interfaces.SessionContainer" href="#supertokens_python.recipe.session.interfaces.SessionContainer">SessionContainer</a>, Dict[str, Any]], MaybeAwaitable[List[<a title="supertokens_python.recipe.session.interfaces.SessionClaimValidator" href="#supertokens_python.recipe.session.interfaces.SessionClaimValidator">SessionClaimValidator</a>]]]] = None, user_context: Optional[Dict[str, Any]] = None) ‑> Optional[<a title="supertokens_python.recipe.session.interfaces.SessionContainer" href="#supertokens_python.recipe.session.interfaces.SessionContainer">SessionContainer</a>]</span>
 </code></dt>
 <dd>
 <div class="desc"></div>
@@ -1295,8 +1295,8 @@ <h3>Methods</h3>
 <pre><code class="python">@abstractmethod
 async def get_session(
     self,
-    access_token: str,
-    anti_csrf_token: Optional[str],
+    access_token: Optional[str],
+    anti_csrf_token: Optional[str] = None,
     anti_csrf_check: Optional[bool] = None,
     session_required: Optional[bool] = None,
     check_database: Optional[bool] = None,

html/supertokens_python/recipe/session/recipe_implementation.html

@@ -199,8 +199,8 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.recipe_implemen
 
     async def get_session(
         self,
-        access_token: str,
-        anti_csrf_token: Optional[str],
+        access_token: Optional[str],
+        anti_csrf_token: Optional[str] = None,
         anti_csrf_check: Optional[bool] = None,
         session_required: Optional[bool] = None,
         check_database: Optional[bool] = None,
@@ -222,6 +222,23 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.recipe_implemen
 
         log_debug_message(&#34;getSession: Started&#34;)
 
+        if access_token is None:
+            if session_required is False:
+                log_debug_message(
+                    &#34;getSession: returning None because access_token is undefined and session_required is False&#34;
+                )
+                # there is no session that exists here, and the user wants session verification to be optional. So we return None
+                return None
+
+            log_debug_message(
+                &#34;getSession: UNAUTHORISED because accessToken in request is undefined&#34;
+            )
+            # we do not clear the session here because of a race condition mentioned in https://github.com/supertokens/supertokens-node/issues/17
+            raise UnauthorisedError(
+                &#34;Session does not exist. Are you sending the session tokens in the request with the appropriate token transfer method?&#34;,
+                clear_tokens=False,
+            )
+
         access_token_obj: Optional[ParsedJWTInfo] = None
         try:
             access_token_obj = parse_jwt_without_signature_verification(access_token)
@@ -621,8 +638,8 @@ <h2 class="section-title" id="header-classes">Classes</h2>
 
     async def get_session(
         self,
-        access_token: str,
-        anti_csrf_token: Optional[str],
+        access_token: Optional[str],
+        anti_csrf_token: Optional[str] = None,
         anti_csrf_check: Optional[bool] = None,
         session_required: Optional[bool] = None,
         check_database: Optional[bool] = None,
@@ -644,6 +661,23 @@ <h2 class="section-title" id="header-classes">Classes</h2>
 
         log_debug_message(&#34;getSession: Started&#34;)
 
+        if access_token is None:
+            if session_required is False:
+                log_debug_message(
+                    &#34;getSession: returning None because access_token is undefined and session_required is False&#34;
+                )
+                # there is no session that exists here, and the user wants session verification to be optional. So we return None
+                return None
+
+            log_debug_message(
+                &#34;getSession: UNAUTHORISED because accessToken in request is undefined&#34;
+            )
+            # we do not clear the session here because of a race condition mentioned in https://github.com/supertokens/supertokens-node/issues/17
+            raise UnauthorisedError(
+                &#34;Session does not exist. Are you sending the session tokens in the request with the appropriate token transfer method?&#34;,
+                clear_tokens=False,
+            )
+
         access_token_obj: Optional[ParsedJWTInfo] = None
         try:
             access_token_obj = parse_jwt_without_signature_verification(access_token)
@@ -1055,7 +1089,7 @@ <h3>Methods</h3>
 </details>
 </dd>
 <dt id="supertokens_python.recipe.session.recipe_implementation.RecipeImplementation.get_session"><code class="name flex">
-<span>async def <span class="ident">get_session</span></span>(<span>self, access_token: str, anti_csrf_token: Optional[str], anti_csrf_check: Optional[bool] = None, session_required: Optional[bool] = None, check_database: Optional[bool] = None, override_global_claim_validators: Optional[Callable[[List[SessionClaimValidator], SessionContainer, Dict[str, Any]], MaybeAwaitable[List[SessionClaimValidator]]]] = None, user_context: Optional[Dict[str, Any]] = None) ‑> Optional[SessionContainer]</span>
+<span>async def <span class="ident">get_session</span></span>(<span>self, access_token: Optional[str], anti_csrf_token: Optional[str] = None, anti_csrf_check: Optional[bool] = None, session_required: Optional[bool] = None, check_database: Optional[bool] = None, override_global_claim_validators: Optional[Callable[[List[SessionClaimValidator], SessionContainer, Dict[str, Any]], MaybeAwaitable[List[SessionClaimValidator]]]] = None, user_context: Optional[Dict[str, Any]] = None) ‑> Optional[SessionContainer]</span>
 </code></dt>
 <dd>
 <div class="desc"></div>
@@ -1065,8 +1099,8 @@ <h3>Methods</h3>
 </summary>
 <pre><code class="python">async def get_session(
     self,
-    access_token: str,
-    anti_csrf_token: Optional[str],
+    access_token: Optional[str],
+    anti_csrf_token: Optional[str] = None,
     anti_csrf_check: Optional[bool] = None,
     session_required: Optional[bool] = None,
     check_database: Optional[bool] = None,
@@ -1088,6 +1122,23 @@ <h3>Methods</h3>
 
     log_debug_message(&#34;getSession: Started&#34;)
 
+    if access_token is None:
+        if session_required is False:
+            log_debug_message(
+                &#34;getSession: returning None because access_token is undefined and session_required is False&#34;
+            )
+            # there is no session that exists here, and the user wants session verification to be optional. So we return None
+            return None
+
+        log_debug_message(
+            &#34;getSession: UNAUTHORISED because accessToken in request is undefined&#34;
+        )
+        # we do not clear the session here because of a race condition mentioned in https://github.com/supertokens/supertokens-node/issues/17
+        raise UnauthorisedError(
+            &#34;Session does not exist. Are you sending the session tokens in the request with the appropriate token transfer method?&#34;,
+            clear_tokens=False,
+        )
+
     access_token_obj: Optional[ParsedJWTInfo] = None
     try:
         access_token_obj = parse_jwt_without_signature_verification(access_token)

html/supertokens_python/recipe/session/session_request_functions.html

@@ -155,8 +155,8 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.session_request
     allowed_transfer_method = config.get_token_transfer_method(
         request, False, user_context
     )
-    request_transfer_method: TokenTransferMethod
-    request_access_token: Union[ParsedJWTInfo, None]
+    request_transfer_method: Optional[TokenTransferMethod] = None
+    request_access_token: Union[ParsedJWTInfo, None] = None
 
     if (allowed_transfer_method in (&#34;any&#34;, &#34;header&#34;)) and access_tokens.get(
         &#34;header&#34;
@@ -170,25 +170,6 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.session_request
         log_debug_message(&#34;getSession: using cookie transfer method&#34;)
         request_transfer_method = &#34;cookie&#34;
         request_access_token = access_tokens[&#34;cookie&#34;]
-    else:
-        if session_optional:
-            log_debug_message(
-                &#34;getSession: returning None because accessToken is undefined and sessionRequired is false&#34;
-            )
-            # there is no session that exists here, and the user wants session verification
-            # to be optional. So we return None
-            return None
-
-        log_debug_message(
-            &#34;getSession: UNAUTHORISED because access_token in request is None&#34;
-        )
-        # we do not clear the session here because of a race condition mentioned in:
-        # https://github.com/supertokens/supertokens-node/issues/17
-        raise_unauthorised_exception(
-            &#34;Session does not exist. Are you sending the session tokens in the &#34;
-            &#34;request with the appropriate token transfer method?&#34;,
-            clear_tokens=False,
-        )
 
     anti_csrf_token = get_anti_csrf_header(request)
     do_anti_csrf_check = anti_csrf_check
@@ -214,7 +195,9 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.session_request
     log_debug_message(&#34;getSession: Value of antiCsrfToken is: %s&#34;, do_anti_csrf_check)
 
     session = await recipe_interface_impl.get_session(
-        access_token=request_access_token.raw_token_string,
+        access_token=request_access_token.raw_token_string
+        if request_access_token is not None
+        else None,
         anti_csrf_token=anti_csrf_token,
         anti_csrf_check=do_anti_csrf_check,
         check_database=check_database,
@@ -228,9 +211,22 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.session_request
         )
         await session.assert_claims(claim_validators, user_context)
 
+        # request_transfer_method can only be None here if the user overriddes get_session
+        # to load the session by a custom method in that (very niche) case they also need to
+        # override how the session is attached to the response.
+        # In that scenario the transferMethod passed to attachToRequestResponse likely doesn&#39;t
+        # matter, still, we follow the general fallback logic
+
+        if request_transfer_method is not None:
+            final_transfer_method = request_transfer_method
+        elif allowed_transfer_method != &#34;any&#34;:
+            final_transfer_method = allowed_transfer_method
+        else:
+            final_transfer_method = &#34;header&#34;
+
         await session.attach_to_request_response(
             request,
-            request_transfer_method,
+            final_transfer_method,
         )
 
     return session
@@ -665,8 +661,8 @@ <h2 class="section-title" id="header-functions">Functions</h2>
     allowed_transfer_method = config.get_token_transfer_method(
         request, False, user_context
     )
-    request_transfer_method: TokenTransferMethod
-    request_access_token: Union[ParsedJWTInfo, None]
+    request_transfer_method: Optional[TokenTransferMethod] = None
+    request_access_token: Union[ParsedJWTInfo, None] = None
 
     if (allowed_transfer_method in (&#34;any&#34;, &#34;header&#34;)) and access_tokens.get(
         &#34;header&#34;
@@ -680,25 +676,6 @@ <h2 class="section-title" id="header-functions">Functions</h2>
         log_debug_message(&#34;getSession: using cookie transfer method&#34;)
         request_transfer_method = &#34;cookie&#34;
         request_access_token = access_tokens[&#34;cookie&#34;]
-    else:
-        if session_optional:
-            log_debug_message(
-                &#34;getSession: returning None because accessToken is undefined and sessionRequired is false&#34;
-            )
-            # there is no session that exists here, and the user wants session verification
-            # to be optional. So we return None
-            return None
-
-        log_debug_message(
-            &#34;getSession: UNAUTHORISED because access_token in request is None&#34;
-        )
-        # we do not clear the session here because of a race condition mentioned in:
-        # https://github.com/supertokens/supertokens-node/issues/17
-        raise_unauthorised_exception(
-            &#34;Session does not exist. Are you sending the session tokens in the &#34;
-            &#34;request with the appropriate token transfer method?&#34;,
-            clear_tokens=False,
-        )
 
     anti_csrf_token = get_anti_csrf_header(request)
     do_anti_csrf_check = anti_csrf_check
@@ -724,7 +701,9 @@ <h2 class="section-title" id="header-functions">Functions</h2>
     log_debug_message(&#34;getSession: Value of antiCsrfToken is: %s&#34;, do_anti_csrf_check)
 
     session = await recipe_interface_impl.get_session(
-        access_token=request_access_token.raw_token_string,
+        access_token=request_access_token.raw_token_string
+        if request_access_token is not None
+        else None,
         anti_csrf_token=anti_csrf_token,
         anti_csrf_check=do_anti_csrf_check,
         check_database=check_database,
@@ -738,9 +717,22 @@ <h2 class="section-title" id="header-functions">Functions</h2>
         )
         await session.assert_claims(claim_validators, user_context)
 
+        # request_transfer_method can only be None here if the user overriddes get_session
+        # to load the session by a custom method in that (very niche) case they also need to
+        # override how the session is attached to the response.
+        # In that scenario the transferMethod passed to attachToRequestResponse likely doesn&#39;t
+        # matter, still, we follow the general fallback logic
+
+        if request_transfer_method is not None:
+            final_transfer_method = request_transfer_method
+        elif allowed_transfer_method != &#34;any&#34;:
+            final_transfer_method = allowed_transfer_method
+        else:
+            final_transfer_method = &#34;header&#34;
+
         await session.attach_to_request_response(
             request,
-            request_transfer_method,
+            final_transfer_method,
         )
 
     return session</code></pre>