supertokens · dependabot · Mar 13, 2023 · Mar 13, 2023 · Mar 13, 2023 · Mar 13, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+## [16.0.3] - 2023-03-13
+### Changes
+
+- Adding refresh tokens to refresh calls even if access token isn't present to make manual testing easier.
+
 ## [16.0.2] - 2023-03-07
 - Exposed getGlobalClaimValidators function via utils.
 

diff --git a/bundle/bundle.js b/bundle/bundle.js
diff --git a/docs/classes/BooleanClaim.html b/docs/classes/BooleanClaim.html
diff --git a/docs/classes/PrimitiveArrayClaim.html b/docs/classes/PrimitiveArrayClaim.html
diff --git a/docs/classes/PrimitiveClaim.html b/docs/classes/PrimitiveClaim.html
diff --git a/docs/classes/SessionClaimValidator.html b/docs/classes/SessionClaimValidator.html
diff --git a/docs/classes/default.html b/docs/classes/default.html
diff --git a/docs/modules.html b/docs/modules.html
diff --git a/lib/build/fetch.js b/lib/build/fetch.js
diff --git a/lib/build/version.d.ts b/lib/build/version.d.ts
diff --git a/lib/build/version.js b/lib/build/version.js
diff --git a/lib/ts/fetch.ts b/lib/ts/fetch.ts
@@ -520,6 +520,7 @@ export async function onUnauthorisedResponse(
                     // in the first place.
                     return { result: "SESSION_EXPIRED", error };
                 }
+
                 logDebugMessage("onUnauthorisedResponse: sending API_ERROR");
                 return { result: "API_ERROR", error };
             } finally {
@@ -722,9 +723,11 @@ async function setAuthorizationHeaderIfRequired(clonedHeaders: Headers, addRefre
     const refreshToken = await getTokenForHeaderAuth("refresh");
 
     // We don't always need the refresh token because that's only required by the refresh call
-    // Still, we only add the Authorization header if both are present, because we are planning to add an option to expose the
-    // access token to the frontend while using cookie based auth - so that users can get the access token to use
-    if (accessToken !== undefined && refreshToken !== undefined) {
+    // Still, we only add the access token to Authorization header if both are present, because we are planning to add an option to expose the
+    // access token to the frontend while using cookie based auth - so that users can get the access token without using header based auth
+    // We can add the refresh token even if only that one is present, to make manual testing easier - you can then
+    // force a refresh by just deleting the access token.
+    if ((addRefreshToken || accessToken !== undefined) && refreshToken !== undefined) {
         // the Headers class normalizes header names so we don't have to worry about casing
         if (clonedHeaders.has("Authorization")) {
             logDebugMessage("setAuthorizationHeaderIfRequired: Authorization header defined by the user, not adding");

diff --git a/lib/ts/version.ts b/lib/ts/version.ts
@@ -12,6 +12,6 @@
  * License for the specific language governing permissions and limitations
  * under the License.
  */
-export const package_version = "16.0.2";
+export const package_version = "16.0.3";
 
 export const supported_fdi = ["1.16"];