fix: default to st-auth-mode if getTokenTransferMethod returns any in createNewSession (#784)

porcellus · web-flow · commit 018ebba10f61 · 2024-02-19T15:28:56.000+05:30
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+-   `createNewSession` now defaults to the value of the `st-auth-mode` header (if available) if the configured `getTokenTransferMethod` returns `any`.
+
 ## [16.7.1] - 2024-01-09
 
 -   Fixes type output of `resetPasswordUsingToken` in emailpassword and thirdpartyemailpassword recipe to not include statuses that happen based on email change.
diff --git a/lib/build/recipe/session/sessionRequestFunctions.js b/lib/build/recipe/session/sessionRequestFunctions.js
@@ -354,7 +354,13 @@ async function createNewSessionInRequest({
     logger_1.logDebugMessage("createNewSession: Access token payload built");
     let outputTransferMethod = config.getTokenTransferMethod({ req, forCreateNewSession: true, userContext });
     if (outputTransferMethod === "any") {
-        outputTransferMethod = "header";
+        const authModeHeader = cookieAndHeaders_1.getAuthModeFromHeader(req);
+        // We default to header if we can't "parse" it or if it's undefined
+        if (authModeHeader === "cookie") {
+            outputTransferMethod = authModeHeader;
+        } else {
+            outputTransferMethod = "header";
+        }
     }
     logger_1.logDebugMessage("createNewSession: using transfer method " + outputTransferMethod);
     if (
diff --git a/lib/ts/recipe/session/sessionRequestFunctions.ts b/lib/ts/recipe/session/sessionRequestFunctions.ts
@@ -12,7 +12,13 @@ import { getRequiredClaimValidators } from "./utils";
 import { getRidFromHeader, isAnIpAddress, normaliseHttpMethod, setRequestInUserContextIfNotDefined } from "../../utils";
 import { logDebugMessage } from "../../logger";
 import { availableTokenTransferMethods, protectedProps } from "./constants";
-import { clearSession, getAntiCsrfTokenFromHeaders, getToken, setCookie } from "./cookieAndHeaders";
+import {
+    clearSession,
+    getAntiCsrfTokenFromHeaders,
+    getAuthModeFromHeader,
+    getToken,
+    setCookie,
+} from "./cookieAndHeaders";
 import { ParsedJWTInfo, parseJWTWithoutSignatureVerification } from "./jwt";
 import { validateAccessTokenStructure } from "./accessToken";
 import { NormalisedAppinfo } from "../../types";
@@ -410,7 +416,13 @@ export async function createNewSessionInRequest({
 
     let outputTransferMethod = config.getTokenTransferMethod({ req, forCreateNewSession: true, userContext });
     if (outputTransferMethod === "any") {
-        outputTransferMethod = "header";
+        const authModeHeader = getAuthModeFromHeader(req);
+        // We default to header if we can't "parse" it or if it's undefined
+        if (authModeHeader === "cookie") {
+            outputTransferMethod = authModeHeader;
+        } else {
+            outputTransferMethod = "header";
+        }
     }
     logDebugMessage("createNewSession: using transfer method " + outputTransferMethod);
 
diff --git a/test/auth-modes.test.js b/test/auth-modes.test.js
@@ -156,7 +156,31 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
             });
 
             describe("with user provided getTokenTransferMethod", () => {
-                it("should use headers if getTokenTransferMethod returns any", async function () {
+                it("should use headers if getTokenTransferMethod returns any and there is no st-auth-mode header", async function () {
+                    const connectionURI = await startST();
+                    SuperTokens.init({
+                        supertokens: {
+                            connectionURI,
+                        },
+                        appInfo: {
+                            apiDomain: "api.supertokens.io",
+                            appName: "SuperTokens",
+                            websiteDomain: "supertokens.io",
+                        },
+                        recipeList: [Session.init({ antiCsrf: "VIA_TOKEN", getTokenTransferMethod: () => "any" })],
+                    });
+
+                    const app = getTestApp();
+
+                    const resp = await createSession(app, undefined);
+                    assert.strictEqual(resp.accessToken, undefined);
+                    assert.strictEqual(resp.refreshToken, undefined);
+                    assert.strictEqual(resp.antiCsrf, undefined);
+                    assert.notStrictEqual(resp.accessTokenFromHeader, undefined);
+                    assert.notStrictEqual(resp.refreshTokenFromHeader, undefined);
+                });
+
+                it("should use cookies if getTokenTransferMethod returns any and st-auth-mode is set to cookie", async function () {
                     const connectionURI = await startST();
                     SuperTokens.init({
                         supertokens: {
@@ -173,6 +197,30 @@ describe(`auth-modes: ${printPath("[test/auth-modes.test.js]")}`, function () {
                     const app = getTestApp();
 
                     const resp = await createSession(app, "cookie");
+                    assert.notStrictEqual(resp.accessToken, undefined);
+                    assert.notStrictEqual(resp.refreshToken, undefined);
+                    assert.notStrictEqual(resp.antiCsrf, undefined);
+                    assert.strictEqual(resp.accessTokenFromHeader, undefined);
+                    assert.strictEqual(resp.refreshTokenFromHeader, undefined);
+                });
+
+                it("should use headers if getTokenTransferMethod returns any and st-auth-mode is set to header", async function () {
+                    const connectionURI = await startST();
+                    SuperTokens.init({
+                        supertokens: {
+                            connectionURI,
+                        },
+                        appInfo: {
+                            apiDomain: "api.supertokens.io",
+                            appName: "SuperTokens",
+                            websiteDomain: "supertokens.io",
+                        },
+                        recipeList: [Session.init({ antiCsrf: "VIA_TOKEN", getTokenTransferMethod: () => "any" })],
+                    });
+
+                    const app = getTestApp();
+
+                    const resp = await createSession(app, "header");
                     assert.strictEqual(resp.accessToken, undefined);
                     assert.strictEqual(resp.refreshToken, undefined);
                     assert.strictEqual(resp.antiCsrf, undefined);
