chore: Add tenant id to origin if it is a function #730

Closed
wants to merge 3 commits into from
1 change: 1 addition & 0 deletions lib/build/recipe/dashboard/api/analytics.js
Expand Up @@ -65,6 +65,7 @@ async function analyticsPost(_, ___, options, __) {
websiteDomain: websiteDomain({
request: undefined,
userContext: {},
tenantId: undefined,
}).getAsStringDangerous(),
apiDomain: apiDomain.getAsStringDangerous(),
appName,
1 change: 1 addition & 0 deletions lib/build/recipe/emailpassword/utils.js
Expand Up @@ -217,6 +217,7 @@ function getPasswordResetLink(input) {
.getOrigin({
request: input.request,
userContext: input.userContext,
tenantId: input.tenantId,
})
.getAsStringDangerous() +
input.appInfo.websiteBasePath.getAsStringDangerous() +
1 change: 1 addition & 0 deletions lib/build/recipe/emailverification/utils.js
Expand Up @@ -69,6 +69,7 @@ function getEmailVerifyLink(input) {
.getOrigin({
request: input.request,
userContext: input.userContext,
tenantId: input.tenantId,
})
.getAsStringDangerous() +
input.appInfo.websiteBasePath.getAsStringDangerous() +
2 changes: 2 additions & 0 deletions lib/build/recipe/passwordless/api/implementation.js
Expand Up @@ -228,6 +228,7 @@ function getAPIImplementation() {
.getOrigin({
request: input.options.req,
userContext: input.userContext,
tenantId: input.tenantId,
})
.getAsStringDangerous() +
input.options.appInfo.websiteBasePath.getAsStringDangerous() +
Expand Down Expand Up @@ -363,6 +364,7 @@ function getAPIImplementation() {
.getOrigin({
request: input.options.req,
userContext: input.userContext,
tenantId: input.tenantId,
})
.getAsStringDangerous() +
input.options.appInfo.websiteBasePath.getAsStringDangerous() +
1 change: 1 addition & 0 deletions lib/build/recipe/passwordless/recipe.js
Expand Up @@ -133,6 +133,7 @@ class Recipe extends recipeModule_1.default {
.getOrigin({
request: input.request,
userContext: input.userContext,
tenantId: input.tenantId,
})
.getAsStringDangerous() +
appInfo.websiteBasePath.getAsStringDangerous() +
12 changes: 8 additions & 4 deletions lib/build/recipe/session/cookieAndHeaders.d.ts
Expand Up @@ -5,14 +5,16 @@ export declare function clearSessionFromAllTokenTransferMethods(
config: TypeNormalisedInput,
res: BaseResponse,
request: BaseRequest | undefined,
userContext: any
userContext: any,
tenantId: string | undefined
): void;
export declare function clearSession(
config: TypeNormalisedInput,
res: BaseResponse,
transferMethod: TokenTransferMethod,
request: BaseRequest | undefined,
userContext: any
userContext: any,
tenantId: string | undefined
): void;
export declare function getAntiCsrfTokenFromHeaders(req: BaseRequest): string | undefined;
export declare function setAntiCsrfTokenInHeaders(res: BaseResponse, antiCsrfToken: string): void;
Expand All @@ -32,7 +34,8 @@ export declare function setToken(
expires: number,
transferMethod: TokenTransferMethod,
req: BaseRequest | undefined,
userContext: any
userContext: any,
tenantId: string | undefined
): void;
export declare function setHeader(res: BaseResponse, name: string, value: string): void;
/**
Expand All @@ -54,6 +57,7 @@ export declare function setCookie(
expires: number,
pathType: "refreshTokenPath" | "accessTokenPath",
req: BaseRequest | undefined,
userContext: any
userContext: any,
tenantId: string | undefined
): void;
export declare function getAuthModeFromHeader(req: BaseRequest): string | undefined;
16 changes: 9 additions & 7 deletions lib/build/recipe/session/cookieAndHeaders.js
Expand Up @@ -26,23 +26,23 @@ const refreshTokenHeaderKey = "st-refresh-token";
const antiCsrfHeaderKey = "anti-csrf";
const frontTokenHeaderKey = "front-token";
const authModeHeaderKey = "st-auth-mode";
function clearSessionFromAllTokenTransferMethods(config, res, request, userContext) {
function clearSessionFromAllTokenTransferMethods(config, res, request, userContext, tenantId) {
// We are clearing the session in all transfermethods to be sure to override cookies in case they have been already added to the response.
// This is done to handle the following use-case:
// If the app overrides signInPOST to check the ban status of the user after the original implementation and throwing an UNAUTHORISED error
// In this case: the SDK has attached cookies to the response, but none was sent with the request
// We can't know which to clear since we can't reliably query or remove the set-cookie header added to the response (causes issues in some frameworks, i.e.: hapi)
// The safe solution in this case is to overwrite all the response cookies/headers with an empty value, which is what we are doing here
for (const transferMethod of constants_2.availableTokenTransferMethods) {
clearSession(config, res, transferMethod, request, userContext);
clearSession(config, res, transferMethod, request, userContext, tenantId);
}
}
exports.clearSessionFromAllTokenTransferMethods = clearSessionFromAllTokenTransferMethods;
function clearSession(config, res, transferMethod, request, userContext) {
function clearSession(config, res, transferMethod, request, userContext, tenantId) {
// If we can be specific about which transferMethod we want to clear, there is no reason to clear the other ones
const tokenTypes = ["access", "refresh"];
for (const token of tokenTypes) {
setToken(config, res, token, "", 0, transferMethod, request, userContext);
setToken(config, res, token, "", 0, transferMethod, request, userContext, tenantId);
}
res.removeHeader(antiCsrfHeaderKey);
// This can be added multiple times in some cases, but that should be OK
Expand Down Expand Up @@ -111,7 +111,7 @@ function getToken(req, tokenType, transferMethod) {
}
}
exports.getToken = getToken;
function setToken(config, res, tokenType, value, expires, transferMethod, req, userContext) {
function setToken(config, res, tokenType, value, expires, transferMethod, req, userContext, tenantId) {
logger_1.logDebugMessage(`setToken: Setting ${tokenType} token as ${transferMethod}`);
if (transferMethod === "cookie") {
setCookie(
Expand All @@ -122,7 +122,8 @@ function setToken(config, res, tokenType, value, expires, transferMethod, req, u
expires,
tokenType === "refresh" ? "refreshTokenPath" : "accessTokenPath",
req,
userContext
userContext,
tenantId
);
} else if (transferMethod === "header") {
setHeader(res, getResponseHeaderNameForTokenType(tokenType), value);
Expand All @@ -145,12 +146,13 @@ exports.setHeader = setHeader;
* @param expires
* @param path
*/
function setCookie(config, res, name, value, expires, pathType, req, userContext) {
function setCookie(config, res, name, value, expires, pathType, req, userContext, tenantId) {
let domain = config.cookieDomain;
let secure = config.cookieSecure;
let sameSite = config.getCookieSameSite({
request: req,
userContext,
tenantId,
});
let path = "";
if (pathType === "refreshTokenPath") {
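Review bot: The JSDoc block above setCookie (the `@param expires` / `@param path` lines immediately before the changed signature) was not updated for the new trailing parameter, so the documented and actual signatures now disagree. Add `@param tenantId tenant whose cookie settings apply; undefined when no tenant is known` and, since in the visible part of the body the value is only forwarded to config.getCookieSameSite, state that. The same JSDoc exists in the TypeScript source this build file is compiled from, which is not on this page and needs the same edit; setToken and clearSession in this section gained the parameter without any doc either. The body of setCookie continues outside the hunk.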
6 changes: 4 additions & 2 deletions lib/build/recipe/session/recipe.js
Expand Up @@ -107,7 +107,8 @@ class SessionRecipe extends recipeModule_1.default {
this.config,
response,
request,
userContext
userContext,
undefined
);
}
return await this.config.errorHandlers.onUnauthorised(err.message, request, response);
Expand All @@ -121,7 +122,8 @@ class SessionRecipe extends recipeModule_1.default {
this.config,
response,
request,
userContext
userContext,
undefined
);
return await this.config.errorHandlers.onTokenTheftDetected(
err.payload.sessionHandle,
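Review bot: The literal `undefined` passed as the new last argument to clearSessionFromAllTokenTransferMethods at both call sites (the onUnauthorised branch and the token-theft branch) is unexplained, so a reader cannot tell whether the tenant is genuinely unknowable on these error paths or simply not plumbed through yet. The value reaches config.getCookieSameSite via the cookieAndHeaders change in this PR, so a per-tenant SameSite callback sees "no tenant" when clearing cookies that were set with one; for deletion this is mostly harmless since cookie identity is name/domain/path, but it should be stated rather than left implicit. Add `// tenantId: unknown on this error path (the session could not be verified); cookie settings fall back to the tenant-independent value` at both sites, or pass the tenant from err.payload if it carries it (only sessionHandle is visible here). The enclosing handler starts and ends outside the hunks, and the lib/ts source of this compiled file is not on this page.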
14 changes: 10 additions & 4 deletions lib/build/recipe/session/sessionClass.js
Expand Up @@ -74,7 +74,8 @@ class Session {
this.reqResInfo.res,
this.reqResInfo.transferMethod,
this.reqResInfo.req,
userContext === undefined ? utils_2.makeDefaultUserContextFromAPI(this.reqResInfo.req) : userContext
userContext === undefined ? utils_2.makeDefaultUserContextFromAPI(this.reqResInfo.req) : userContext,
this.getTenantId()
);
}
}
Expand Down Expand Up @@ -178,7 +179,10 @@ class Session {
this.helpers.config,
this.reqResInfo.transferMethod,
this.reqResInfo.req,
userContext === undefined ? utils_2.makeDefaultUserContextFromAPI(this.reqResInfo.req) : userContext
userContext === undefined
? utils_2.makeDefaultUserContextFromAPI(this.reqResInfo.req)
: userContext,
this.getTenantId()
);
}
} else {
Expand Down Expand Up @@ -277,7 +281,8 @@ class Session {
this.helpers.config,
transferMethod,
info.req,
userContext !== undefined ? userContext : utils_2.makeDefaultUserContextFromAPI(info.req)
userContext !== undefined ? userContext : utils_2.makeDefaultUserContextFromAPI(info.req),
this.getTenantId()
);
if (this.refreshToken !== undefined) {
cookieAndHeaders_1.setToken(
Expand All @@ -288,7 +293,8 @@ class Session {
this.refreshToken.expiry,
transferMethod,
info.req,
userContext !== undefined ? userContext : utils_2.makeDefaultUserContextFromAPI(info.req)
userContext !== undefined ? userContext : utils_2.makeDefaultUserContextFromAPI(info.req),
this.getTenantId()
);
}
if (this.antiCsrfToken !== undefined) {
16 changes: 11 additions & 5 deletions lib/build/recipe/session/sessionRequestFunctions.js
Expand Up @@ -101,6 +101,7 @@ async function getSessionFromRequest({ req, res, config, recipeInterfaceImpl, op
antiCsrf = antiCsrf({
request: req,
userContext,
tenantId: undefined,
});
}
if (doAntiCsrfCheck && antiCsrf === "VIA_CUSTOM_HEADER") {
Expand Down Expand Up @@ -214,7 +215,8 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
0,
"accessTokenPath",
req,
userContext
userContext,
undefined
);
}
logger_1.logDebugMessage("refreshSession: UNAUTHORISED because refresh token in request is undefined");
Expand All @@ -233,6 +235,7 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
antiCsrf = antiCsrf({
request: req,
userContext,
tenantId: undefined,
});
}
if (antiCsrf === "VIA_CUSTOM_HEADER" && !disableAntiCsrf) {
Expand Down Expand Up @@ -277,7 +280,8 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
0,
"accessTokenPath",
req,
userContext
userContext,
undefined
);
}
}
Expand All @@ -287,7 +291,7 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
// We clear the tokens in all token transfer methods we are not going to overwrite
for (const transferMethod of constants_1.availableTokenTransferMethods) {
if (transferMethod !== requestTransferMethod && refreshTokens[transferMethod] !== undefined) {
cookieAndHeaders_1.clearSession(config, res, transferMethod, req, userContext);
cookieAndHeaders_1.clearSession(config, res, transferMethod, req, userContext, session.getTenantId());
}
}
await session.attachToRequestResponse(
Expand All @@ -310,7 +314,8 @@ async function refreshSessionInRequest({ res, req, userContext, config, recipeIn
0,
"accessTokenPath",
req,
userContext
userContext,
session.getTenantId()
);
}
return session;
Expand Down Expand Up @@ -362,6 +367,7 @@ async function createNewSessionInRequest({
config.getCookieSameSite({
request: req,
userContext,
tenantId,
}) === "none" &&
!config.cookieSecure &&
!(
Expand Down Expand Up @@ -400,7 +406,7 @@ async function createNewSessionInRequest({
transferMethod !== outputTransferMethod &&
cookieAndHeaders_1.getToken(req, "access", transferMethod) !== undefined
) {
cookieAndHeaders_1.clearSession(config, res, transferMethod, req, userContext);
cookieAndHeaders_1.clearSession(config, res, transferMethod, req, userContext, tenantId);
}
}
logger_1.logDebugMessage("createNewSession: Cleared old tokens");
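Review bot: In getSessionFromRequest and in the early part of refreshSessionInRequest the anti-CSRF mode is resolved with `tenantId: undefined` (two places), while later in the same refresh function `session.getTenantId()` is used for clearSession and setCookie, and createNewSessionInRequest evaluates getCookieSameSite with the real tenantId. Per the utils.js hunk in this PR, antiCsrf derives "VIA_CUSTOM_HEADER" from cookieSameSite being "none", so if an app's getCookieSameSite callback answers differently with and without a tenant (say "none" for a tenant whose origin is cross-site, "lax" otherwise), a session created under the tenant with SameSite=None cookies would be verified with a mode computed for no tenant, which can skip the custom-header check for a cookie that is actually sent cross-site. Whether that is reachable depends on the callback and on whether the tenant can be read from the access token before verification, neither of which is visible here; at minimum document the asymmetry with `// tenantId is not known before the token is verified; antiCsrf is resolved for the tenant-independent case` at both sites, and consider reading the tenant from the decoded token payload. Both enclosing functions start and end outside the hunks, and the lib/ts source of this compiled file is not on this page.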
12 changes: 10 additions & 2 deletions lib/build/recipe/session/types.d.ts
Expand Up @@ -86,15 +86,23 @@ export declare type TypeNormalisedInput = {
refreshTokenPath: NormalisedURLPath;
accessTokenPath: NormalisedURLPath;
cookieDomain: string | undefined;
getCookieSameSite: (input: { request: BaseRequest | undefined; userContext: any }) => "strict" | "lax" | "none";
getCookieSameSite: (input: {
request: BaseRequest | undefined;
userContext: any;
tenantId: string | undefined;
}) => "strict" | "lax" | "none";
cookieSecure: boolean;
sessionExpiredStatusCode: number;
errorHandlers: NormalisedErrorHandlers;
antiCsrfFunctionOrString:
| "VIA_TOKEN"
| "VIA_CUSTOM_HEADER"
| "NONE"
| ((input: { request: BaseRequest | undefined; userContext: any }) => "VIA_CUSTOM_HEADER" | "NONE");
| ((input: {
request: BaseRequest | undefined;
userContext: any;
tenantId: string | undefined;
}) => "VIA_CUSTOM_HEADER" | "NONE");
getTokenTransferMethod: (input: {
req: BaseRequest;
forCreateNewSession: boolean;
3 changes: 2 additions & 1 deletion lib/build/recipe/session/utils.d.ts
Expand Up @@ -53,7 +53,8 @@ export declare function setAccessTokenInResponse(
config: TypeNormalisedInput,
transferMethod: TokenTransferMethod,
req: BaseRequest | undefined,
userContext: any
userContext: any,
tenantId: string | undefined
): void;
export declare function getRequiredClaimValidators(
session: SessionContainerInterface,
12 changes: 8 additions & 4 deletions lib/build/recipe/session/utils.js
Expand Up @@ -109,6 +109,7 @@ function validateAndNormaliseUserInput(recipeInstance, appInfo, config) {
.getOrigin({
request: input.request,
userContext: input.userContext,
tenantId: input.tenantId,
})
.getAsStringDangerous()
);
Expand Down Expand Up @@ -139,10 +140,11 @@ function validateAndNormaliseUserInput(recipeInstance, appInfo, config) {
throw new Error("antiCsrf config must be one of 'NONE' or 'VIA_CUSTOM_HEADER' or 'VIA_TOKEN'");
}
}
let antiCsrf = ({ request, userContext }) => {
let antiCsrf = ({ request, userContext, tenantId }) => {
const sameSite = cookieSameSite({
request,
userContext,
tenantId,
});
if (sameSite === "none") {
return "VIA_CUSTOM_HEADER";
Expand Down Expand Up @@ -229,7 +231,7 @@ function normaliseSameSiteOrThrowError(sameSite) {
return sameSite;
}
exports.normaliseSameSiteOrThrowError = normaliseSameSiteOrThrowError;
function setAccessTokenInResponse(res, accessToken, frontToken, config, transferMethod, req, userContext) {
function setAccessTokenInResponse(res, accessToken, frontToken, config, transferMethod, req, userContext, tenantId) {
cookieAndHeaders_1.setFrontTokenInHeaders(res, frontToken);
cookieAndHeaders_1.setToken(
config,
Expand All @@ -243,7 +245,8 @@ function setAccessTokenInResponse(res, accessToken, frontToken, config, transfer
Date.now() + constants_1.hundredYearsInMs,
transferMethod,
req,
userContext
userContext,
tenantId
);
if (config.exposeAccessTokenToFrontendInCookieBasedAuth && transferMethod === "cookie") {
cookieAndHeaders_1.setToken(
Expand All @@ -258,7 +261,8 @@ function setAccessTokenInResponse(res, accessToken, frontToken, config, transfer
Date.now() + constants_1.hundredYearsInMs,
"header",
req,
userContext
userContext,
tenantId
);
}
}
6 changes: 5 additions & 1 deletion lib/build/types.d.ts

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

1 change: 1 addition & 0 deletions lib/ts/recipe/dashboard/api/analytics.ts
Expand Up @@ -76,6 +76,7 @@ export default async function analyticsPost(
websiteDomain: websiteDomain({
request: undefined,
userContext: {},
tenantId: undefined,
}).getAsStringDangerous(),
apiDomain: apiDomain.getAsStringDangerous(),
appName,
1 change: 1 addition & 0 deletions lib/ts/recipe/emailpassword/utils.ts
Expand Up @@ -262,6 +262,7 @@ export function getPasswordResetLink(input: {
.getOrigin({
request: input.request,
userContext: input.userContext,
tenantId: input.tenantId,
})
.getAsStringDangerous() +
input.appInfo.websiteBasePath.getAsStringDangerous() +
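Review bot: `input.tenantId` is now forwarded to getOrigin, but the `input: {` type of getPasswordResetLink begins outside the hunk, so it is not visible whether tenantId is declared there, nor whether it is `string` or `string | undefined`. Under strict mode an undeclared property does not compile, and an optional one lets a caller omit it and silently get the tenant-independent origin in a password reset link; prefer a required `tenantId: string` here and at the parallel getEmailVerifyLink and passwordless call sites in this PR. A one-line TSDoc on the property is worth adding, e.g. `/** tenant the user belongs to; resolves a tenant-specific website origin when origin is a function */`.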