Merge pull request #363 from supertokens/test/verify-session-if-no-middleware

rishabhpoddar · web-flow · commit d37809c7e233 · 2023-07-07T22:43:31.000+05:30
test: Verify session should return 401 if access token isn't sent and middleware isn't added
diff --git a/supertokens_python/recipe/session/framework/fastapi/__init__.py b/supertokens_python/recipe/session/framework/fastapi/__init__.py
@@ -11,11 +11,18 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+import json
+
 from typing import Any, Callable, Coroutine, Dict, Union, List, Optional
 
+from supertokens_python import Supertokens
 from supertokens_python.framework.fastapi.fastapi_request import FastApiRequest
+from supertokens_python.framework.fastapi.fastapi_response import FastApiResponse
 from supertokens_python.recipe.session import SessionRecipe
+from supertokens_python.exceptions import SuperTokensError
 from supertokens_python.types import MaybeAwaitable
+from fastapi.responses import JSONResponse
+from fastapi import Request
 
 from ...interfaces import SessionContainer, SessionClaimValidator
 
@@ -34,13 +41,12 @@ def verify_session(
 ) -> Callable[..., Coroutine[Any, Any, Union[SessionContainer, None]]]:
     if user_context is None:
         user_context = {}
-    from fastapi import Request
 
     async def func(request: Request) -> Union[SessionContainer, None]:
-        baseRequest = FastApiRequest(request)
+        base_req = FastApiRequest(request)
         recipe = SessionRecipe.get_instance()
         session = await recipe.verify_session(
-            baseRequest,
+            base_req,
             anti_csrf_check,
             session_required,
             check_database,
@@ -50,9 +56,28 @@ async def func(request: Request) -> Union[SessionContainer, None]:
         if session is None:
             if session_required:
                 raise Exception("Should never come here")
-            baseRequest.set_session_as_none()
+            base_req.set_session_as_none()
         else:
-            baseRequest.set_session(session)
-        return baseRequest.get_session()
+            base_req.set_session(session)
+        return base_req.get_session()
 
     return func
+
+
+async def session_exception_handler(
+    request: Request, exc: SuperTokensError
+) -> JSONResponse:
+    """FastAPI exceptional handler for errors raised by Supertokens SDK when not using middleware
+
+    Usage: `app.add_exception_handler(SuperTokensError, st_exception_handler)`
+    """
+    base_req = FastApiRequest(request)
+    base_res = FastApiResponse(JSONResponse())
+    result = await Supertokens.get_instance().handle_supertokens_error(
+        base_req, exc, base_res
+    )
+    if isinstance(result, FastApiResponse):
+        body = json.loads(result.response.body)
+        return JSONResponse(body, status_code=result.response.status_code)
+
+    raise Exception("Should never come here")
diff --git a/supertokens_python/recipe/session/framework/flask/__init__.py b/supertokens_python/recipe/session/framework/flask/__init__.py
@@ -14,9 +14,12 @@
 from functools import wraps
 from typing import Any, Callable, Dict, TypeVar, Union, cast, List, Optional
 
+from supertokens_python import Supertokens
 from supertokens_python.async_to_sync_wrapper import sync
 from supertokens_python.framework.flask.flask_request import FlaskRequest
+from supertokens_python.framework.flask.flask_response import FlaskResponse
 from supertokens_python.recipe.session import SessionRecipe, SessionContainer
+from supertokens_python.exceptions import SuperTokensError
 from supertokens_python.recipe.session.interfaces import SessionClaimValidator
 from supertokens_python.types import MaybeAwaitable
 
@@ -43,27 +46,39 @@ def session_verify(f: _T) -> _T:
         def wrapped_function(*args: Any, **kwargs: Any):
             from flask import make_response, request
 
-            baseRequest = FlaskRequest(request)
-            recipe = SessionRecipe.get_instance()
-            session = sync(
-                recipe.verify_session(
-                    baseRequest,
-                    anti_csrf_check,
-                    session_required,
-                    check_database,
-                    override_global_claim_validators,
-                    user_context,
+            base_req = FlaskRequest(request)
+
+            try:
+                recipe = SessionRecipe.get_instance()
+                session = sync(
+                    recipe.verify_session(
+                        base_req,
+                        anti_csrf_check,
+                        session_required,
+                        check_database,
+                        override_global_claim_validators,
+                        user_context,
+                    )
                 )
-            )
-            if session is None:
-                if session_required:
-                    raise Exception("Should never come here")
-                baseRequest.set_session_as_none()
-            else:
-                baseRequest.set_session(session)
+                if session is None:
+                    if session_required:
+                        raise Exception("Should never come here")
+                    base_req.set_session_as_none()
+                else:
+                    base_req.set_session(session)
 
-            response = f(*args, **kwargs)
-            return make_response(response) if response is not None else None
+                response = f(*args, **kwargs)
+                return make_response(response) if response is not None else None
+            except SuperTokensError as e:
+                response = FlaskResponse(make_response())
+                result = sync(
+                    Supertokens.get_instance().handle_supertokens_error(
+                        base_req, e, response
+                    )
+                )
+                if isinstance(result, FlaskResponse):
+                    return result.response
+                raise Exception("Should never come here")
 
         return cast(_T, wrapped_function)
 
diff --git a/tests/Django/test_django.py b/tests/Django/test_django.py
@@ -33,11 +33,19 @@
     create_new_session,
     get_session,
     refresh_session,
+    create_new_session_without_request_response,
 )
 from supertokens_python.recipe.session.framework.django.asyncio import verify_session
 
 import pytest
-from tests.utils import clean_st, reset, setup_st, start_st, create_users
+from tests.utils import (
+    clean_st,
+    reset,
+    setup_st,
+    start_st,
+    create_users,
+    get_st_init_args,
+)
 from supertokens_python.recipe.dashboard import DashboardRecipe, InputOverrideConfig
 from supertokens_python.recipe.dashboard.interfaces import RecipeInterface
 from supertokens_python.framework import BaseRequest
@@ -111,6 +119,12 @@ async def optional_session(request: HttpRequest):
     return JsonResponse({"s": session.get_handle()})
 
 
+@verify_session()
+async def verify_view(request: HttpRequest):
+    session: SessionContainer = request.supertokens  # type: ignore
+    return JsonResponse({"handle": session.get_handle()})  # type: ignore
+
+
 class SupertokensTest(TestCase):
     def setUp(self):
         self.factory = RequestFactory()
@@ -874,6 +888,43 @@ async def test_search_with_provider_google_and_phone_one(self):
         data_json = json.loads(response.content)
         self.assertEqual(len(data_json["users"]), 0)
 
+    async def test_that_verify_session_return_401_if_access_token_is_not_sent_and_middleware_is_not_added(
+        self,
+    ):
+        args = get_st_init_args([session.init(get_token_transfer_method=lambda *_: "header")])  # type: ignore
+        args.update({"framework": "django"})
+        init(**args)  # type: ignore
+        start_st()
+
+        # Try with middleware
+        request = self.factory.get("/verify")
+        response: HttpResponse = await middleware(verify_view)(request)  # type: ignore
+        assert response.status_code == 401
+        assert json.loads(response.content) == {"message": "unauthorised"}
+
+        # Try without middleware
+        request = self.factory.get("/verify")
+        response: HttpResponse = await verify_view(request)  # type: ignore
+        assert response.status_code == 401
+        assert json.loads(response.content) == {"message": "unauthorised"}
+
+        # Create a session and get access token
+        s = await create_new_session_without_request_response("userId", {}, {})
+        access_token = s.get_access_token()
+        headers = {"HTTP_AUTHORIZATION": "Bearer " + access_token}
+
+        # Now try with middleware:
+        request = self.factory.get("/verify", {}, **headers)
+        response: JsonResponse = await middleware(verify_view)(request)  # type: ignore
+        assert response.status_code == 200
+        assert list(json.loads(response.content)) == ["handle"]
+
+        # Now try without middleware:
+        request = self.factory.get("/verify", **headers)
+        response: JsonResponse = await verify_view(request)  # type: ignore
+        assert response.status_code == 200
+        assert list(json.loads(response.content)) == ["handle"]
+
 
 def test_remove_header_works():
     response = HttpResponse()
diff --git a/tests/Flask/test_flask.py b/tests/Flask/test_flask.py
@@ -26,6 +26,7 @@
 from supertokens_python.recipe.session.framework.flask import verify_session
 from supertokens_python.recipe.session.syncio import (
     create_new_session,
+    create_new_session_without_request_response,
     get_session,
     refresh_session,
     revoke_session,
@@ -734,6 +735,11 @@ def ping():  # type: ignore
     def options_api():  # type: ignore
         return jsonify({"msg": "Shouldn't come here"})
 
+    @app.get("/verify")  # type: ignore
+    @verify_session()
+    def verify_api():  # type: ignore
+        return {"handle": g.supertokens.get_handle()}
+
     return app
 
 
@@ -767,3 +773,48 @@ def test_verify_session_with_before_request_with_no_response(flask_app: Any):
     assert client.get("/ping").status_code == 200
 
     assert client.get("/stats").json == {"unknown": 3, "userId": 2}
+
+
+@fixture(scope="function")
+def flask_app_without_middleware():
+    app = Flask(__name__)
+
+    app.testing = True
+
+    @app.get("/verify")  # type: ignore
+    @verify_session()
+    def verify_api():  # type: ignore
+        return {"handle": g.supertokens.get_handle()}
+
+    return app
+
+
+def test_that_verify_session_return_401_if_access_token_is_not_sent_and_middleware_is_not_added(
+    flask_app: Any, flask_app_without_middleware: Any
+):
+    init(**{**get_st_init_args([session.init(get_token_transfer_method=lambda *_: "header")]), "framework": "flask"})  # type: ignore
+    start_st()
+
+    client = flask_app.test_client()
+    client_without_middleware = flask_app_without_middleware.test_client()
+
+    res = client.get("/verify")
+    assert res.status_code == 401
+    assert res.json == {"message": "unauthorised"}
+
+    s = create_new_session_without_request_response("userId", {}, {})
+    res = client.get(
+        "/verify", headers={"Authorization": "Bearer " + s.get_access_token()}
+    )
+    assert res.status_code == 200
+    assert list(res.json) == ["handle"]
+
+    # Client without middleware
+    res = client_without_middleware.get("/verify")
+    assert res.status_code == 401
+    assert res.json == {"message": "unauthorised"}
+
+    res = client_without_middleware.get(
+        "/verify", headers={"Authorization": "Bearer " + s.get_access_token()}
+    )
+    assert res.status_code == 200
diff --git a/tests/sessions/claims/test_verify_session.py b/tests/sessions/claims/test_verify_session.py
@@ -14,7 +14,11 @@
     raise_invalid_claims_exception,
     ClaimValidationError,
 )
-from supertokens_python.recipe.session.framework.fastapi import verify_session
+from supertokens_python.recipe.session.framework.fastapi import (
+    verify_session,
+    session_exception_handler,
+)
+from supertokens_python.exceptions import SuperTokensError
 from supertokens_python.recipe.session.interfaces import (
     RecipeInterface,
     SessionClaimValidator,
@@ -221,6 +225,10 @@ async def refetched_claim4(  # type: ignore
     ):
         return {"handle": s.get_handle()}
 
+    @app.post("/verify")
+    async def _verify(s: SessionContainer = Depends(verify_session())):  # type: ignore
+        return {"handle": s.get_handle()}
+
     return TestClient(app)
 
 
@@ -532,3 +540,35 @@ async def test_should_allow_with_custom_claim_returning_true(
     res = fastapi_client.get("/refetched-claim-isvalid-true")
     assert res.status_code == 200
     assert "-" in res.json()["handle"]
+
+
+@fixture(scope="function")
+async def client_without_middleware():
+    app = FastAPI()
+
+    @app.post("/verify")
+    async def _verify(s: Session = Depends(verify_session())):  # type: ignore
+        return {"handle": s.get_handle()}
+
+    app.add_exception_handler(SuperTokensError, session_exception_handler)  # type: ignore
+
+    return TestClient(app)
+
+
+async def test_that_verify_session_return_401_if_access_token_is_not_sent_and_middleware_is_not_added(
+    client_without_middleware: TestClient, fastapi_client: TestClient
+):
+    init(**{**st_init_common_args, "recipe_list": [session.init(get_token_transfer_method=lambda *_: "cookie")]})  # type: ignore
+    start_st()
+
+    res = fastapi_client.post("/verify")
+    assert res.status_code == 401
+    assert res.json() == {"message": "unauthorised"}
+
+    create_session(fastapi_client)
+    res = fastapi_client.post("/verify")
+    assert res.status_code == 200
+
+    res = client_without_middleware.post("/verify")
+    assert res.status_code == 401
+    assert res.json() == {"message": "unauthorised"}
