more changes

Author: rishabhpoddar

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [0.19.0] - 2024-05-06
 
 -  `create_new_session` now defaults to the value of the `st-auth-mode` header (if available) if the configured `get_token_transfer_method` returns `any`.
+- Enable smooth switching between `use_dynamic_access_token_signing_key` settings by allowing refresh calls to change the signing key type of a session.
 
 ## [0.18.11] - 2024-04-26
 

supertokens_python/recipe/session/recipe_implementation.py

@@ -297,6 +297,7 @@ async def refresh_session(
             refresh_token,
             anti_csrf_token,
             disable_anti_csrf,
+            self.config.use_dynamic_access_token_signing_key,
             user_context=user_context,
         )
 

supertokens_python/recipe/session/session_functions.py

@@ -218,7 +218,7 @@ async def get_session(
             )
 
             raise_try_refresh_token_exception(
-                "The access token doesn't match the useDynamicAccessTokenSigningKey setting"
+                "The access token doesn't match the use_dynamic_access_token_signing_key setting"
             )
 
     # If we get here we either have a V2 token that doesn't pass verification or a valid V3> token
@@ -308,13 +308,15 @@ async def get_session(
                 response["session"].get("tenantId")
                 or (access_token_info or {}).get("tenantId"),
             ),
-            GetSessionAPIResponseAccessToken(
-                response["accessToken"]["token"],
-                response["accessToken"]["expiry"],
-                response["accessToken"]["createdTime"],
-            )
-            if "accessToken" in response
-            else None,
+            (
+                GetSessionAPIResponseAccessToken(
+                    response["accessToken"]["token"],
+                    response["accessToken"]["expiry"],
+                    response["accessToken"]["createdTime"],
+                )
+                if "accessToken" in response
+                else None
+            ),
         )
     if response["status"] == "UNAUTHORISED":
         log_debug_message("getSession: Returning UNAUTHORISED because of core response")
@@ -331,6 +333,7 @@ async def refresh_session(
     refresh_token: str,
     anti_csrf_token: Union[str, None],
     disable_anti_csrf: bool,
+    use_dynamic_access_token_signing_key: bool,
     user_context: Optional[Dict[str, Any]],
 ) -> CreateOrRefreshAPIResponse:
     data = {
@@ -339,6 +342,7 @@ async def refresh_session(
             not disable_anti_csrf
             and recipe_implementation.config.anti_csrf_function_or_string == "VIA_TOKEN"
         ),
+        "useDynamicSigningKey": use_dynamic_access_token_signing_key,
     }
 
     if anti_csrf_token is not None:

tests/sessions/test_jwks.py

@@ -698,5 +698,5 @@ async def test_session_verification_of_jwt_with_dynamic_signing_key_mode_works_a
     except TryRefreshTokenError as e:
         assert (
             str(e)
-            == "The access token doesn't match the useDynamicAccessTokenSigningKey setting"
+            == "The access token doesn't match the use_dynamic_access_token_signing_key setting"
         )

tests/sessions/test_use_dynamic_signing_key_switching.py

@@ -0,0 +1,116 @@
+import pytest
+from supertokens_python import init
+from supertokens_python.recipe import session
+from supertokens_python.recipe.session.asyncio import (
+    create_new_session_without_request_response,
+    get_session_without_request_response,
+    refresh_session_without_request_response,
+)
+from supertokens_python.recipe.session.session_class import SessionContainer
+from tests.utils import (
+    get_st_init_args,
+    setup_function,
+    start_st,
+    teardown_function,
+    reset,
+)
+from supertokens_python.recipe.session.jwt import (
+    parse_jwt_without_signature_verification,
+)
+from supertokens_python.recipe.session.interfaces import GetSessionTokensDangerouslyDict
+
+_ = setup_function  # type:ignore
+_ = teardown_function  # type:ignore
+
+pytestmark = pytest.mark.asyncio
+
+
+async def test_dynamic_key_switching():
+    init(**get_st_init_args([session.init(use_dynamic_access_token_signing_key=True)]))
+    start_st()
+
+    # Create a new session without an actual HTTP request-response flow
+    create_res: SessionContainer = await create_new_session_without_request_response(
+        "public", "test-user-id", {"tokenProp": True}, {"dbProp": True}
+    )
+
+    # Extract session tokens for further testing
+    tokens = create_res.get_all_session_tokens_dangerously()
+    check_access_token_signing_key_type(tokens, True)
+
+    # Reset and reinitialize with dynamic signing key disabled
+    reset(stop_core=False)
+    init(**get_st_init_args([session.init(use_dynamic_access_token_signing_key=False)]))
+
+    caught_exception = None
+    try:
+        # Attempt to retrieve the session using previously obtained tokens
+        await get_session_without_request_response(
+            tokens["accessToken"], tokens["antiCsrfToken"]
+        )
+    except Exception as e:
+        caught_exception = e
+
+    # Check for the expected exception due to token signing key mismatch
+    assert (
+        caught_exception is not None
+    ), "Expected an exception to be thrown, but none was."
+    assert (
+        str(caught_exception)
+        == "The access token doesn't match the use_dynamic_access_token_signing_key setting"
+    ), f"Unexpected exception message: {str(caught_exception)}"
+
+
+async def test_refresh_session():
+    init(**get_st_init_args([session.init(use_dynamic_access_token_signing_key=True)]))
+    start_st()
+
+    # Create a new session without an actual HTTP request-response flow
+    create_res: SessionContainer = await create_new_session_without_request_response(
+        "public", "test-user-id", {"tokenProp": True}, {"dbProp": True}
+    )
+
+    # Extract session tokens for further testing
+    tokens = create_res.get_all_session_tokens_dangerously()
+    check_access_token_signing_key_type(tokens, True)
+
+    # Reset and reinitialize with dynamic signing key disabled
+    reset(stop_core=False)
+    init(**get_st_init_args([session.init(use_dynamic_access_token_signing_key=False)]))
+
+    assert tokens["refreshToken"] is not None
+
+    # Refresh session
+    refreshed_session = await refresh_session_without_request_response(
+        tokens["refreshToken"], True, tokens["antiCsrfToken"]
+    )
+    tokens_after_refresh = refreshed_session.get_all_session_tokens_dangerously()
+    assert tokens_after_refresh["accessAndFrontTokenUpdated"] is True
+    check_access_token_signing_key_type(tokens_after_refresh, False)
+
+    # Verify session after refresh
+    verified_session = await get_session_without_request_response(
+        tokens_after_refresh["accessToken"], tokens_after_refresh["antiCsrfToken"]
+    )
+    assert verified_session is not None
+    tokens_after_verify = verified_session.get_all_session_tokens_dangerously()
+    assert tokens_after_verify["accessAndFrontTokenUpdated"] is True
+    check_access_token_signing_key_type(tokens_after_verify, False)
+
+    # Verify session again
+    verified2_session = await get_session_without_request_response(
+        tokens_after_verify["accessToken"], tokens_after_verify["antiCsrfToken"]
+    )
+    assert verified2_session is not None
+    tokens_after_verify2 = verified2_session.get_all_session_tokens_dangerously()
+    assert tokens_after_verify2["accessAndFrontTokenUpdated"] is False
+
+
+def check_access_token_signing_key_type(
+    tokens: GetSessionTokensDangerouslyDict, is_dynamic: bool
+):
+    info = parse_jwt_without_signature_verification(tokens["accessToken"])
+    if is_dynamic:
+        assert info.kid is not None and info.kid.startswith("d-")
+    else:
+        assert info.kid is not None and info.kid.startswith("s-")

tests/test_session.py

@@ -119,6 +119,7 @@ async def test_that_once_the_info_is_loaded_it_doesnt_query_again():
         response.refreshToken.token,
         response.antiCsrfToken,
         False,
+        True,
         None,
     )