supertokens · rishabhpoddar · Feb 1, 2023 · Dec 5, 2022 · Dec 13, 2022 · Dec 14, 2022
diff --git a/examples/with-django/with-thirdpartyemailpassword/project/settings.py b/examples/with-django/with-thirdpartyemailpassword/project/settings.py
@@ -65,7 +65,7 @@ def get_website_domain():
     framework="django",
     mode="wsgi",
     recipe_list=[
-        session.init(),
+        session.init(get_token_transfer_method=lambda _, __, ___: "cookie"),
         emailverification.init("REQUIRED"),
         thirdpartyemailpassword.init(
             providers=[

diff --git a/examples/with-fastapi/with-thirdpartyemailpassword/main.py b/examples/with-fastapi/with-thirdpartyemailpassword/main.py
@@ -55,7 +55,7 @@ def get_website_domain():
     ),
     framework="fastapi",
     recipe_list=[
-        session.init(),
+        session.init(get_token_transfer_method=lambda _, __, ___: "cookie"),
         emailverification.init("REQUIRED"),
         thirdpartyemailpassword.init(
             providers=[

diff --git a/examples/with-flask/with-thirdpartyemailpassword/app.py b/examples/with-flask/with-thirdpartyemailpassword/app.py
@@ -48,7 +48,7 @@ def get_website_domain():
     ),
     framework="flask",
     recipe_list=[
-        session.init(),
+        session.init(get_token_transfer_method=lambda _, __, ___: "cookie"),
         emailverification.init("REQUIRED"),
         thirdpartyemailpassword.init(
             providers=[

diff --git a/supertokens_python/exceptions.py b/supertokens_python/exceptions.py
@@ -13,7 +13,9 @@
 # under the License.
 from __future__ import annotations
 
-from typing import Union, NoReturn
+from typing import Union, NoReturn, Callable, List
+
+from supertokens_python.framework import BaseResponse
 
 
 def raise_general_exception(
@@ -31,7 +33,7 @@ def raise_bad_input_exception(msg: str) -> NoReturn:
 
 
 class SuperTokensError(Exception):
-    pass
+    response_mutators: List[Callable[[BaseResponse], None]] = []
 
 
 class GeneralError(SuperTokensError):

diff --git a/supertokens_python/framework/django/django_middleware.py b/supertokens_python/framework/django/django_middleware.py
@@ -25,7 +25,7 @@ def middleware(get_response: Any):
     from supertokens_python.framework.django.django_request import DjangoRequest
     from supertokens_python.framework.django.django_response import DjangoResponse
     from supertokens_python.recipe.session import SessionContainer
-    from supertokens_python.supertokens import manage_cookies_post_response
+    from supertokens_python.supertokens import manage_session_post_response
 
     from django.http import HttpRequest
 
@@ -45,7 +45,7 @@ async def __asyncMiddleware(request: HttpRequest):
                 if hasattr(request, "supertokens") and isinstance(
                     request.supertokens, SessionContainer  # type: ignore
                 ):
-                    manage_cookies_post_response(
+                    manage_session_post_response(
                         request.supertokens, result  # type: ignore
                     )
                 if isinstance(result, DjangoResponse):
@@ -79,7 +79,7 @@ def __syncMiddleware(request: HttpRequest):
             if hasattr(request, "supertokens") and isinstance(
                 request.supertokens, SessionContainer  # type: ignore
             ):
-                manage_cookies_post_response(
+                manage_session_post_response(
                     request.supertokens, result  # type: ignore
                 )
             return result.response

diff --git a/supertokens_python/framework/fastapi/fastapi_middleware.py b/supertokens_python/framework/fastapi/fastapi_middleware.py
@@ -38,7 +38,7 @@ async def dispatch(self, request: Request, call_next: RequestResponseEndpoint):
                 FastApiResponse,
             )
             from supertokens_python.recipe.session import SessionContainer
-            from supertokens_python.supertokens import manage_cookies_post_response
+            from supertokens_python.supertokens import manage_session_post_response
 
             st = Supertokens.get_instance()
             from fastapi.responses import Response
@@ -56,7 +56,7 @@ async def dispatch(self, request: Request, call_next: RequestResponseEndpoint):
                 if hasattr(request.state, "supertokens") and isinstance(
                     request.state.supertokens, SessionContainer
                 ):
-                    manage_cookies_post_response(request.state.supertokens, result)
+                    manage_session_post_response(request.state.supertokens, result)
                 if isinstance(result, FastApiResponse):
                     return result.response
             except SuperTokensError as e:

diff --git a/supertokens_python/framework/flask/flask_middleware.py b/supertokens_python/framework/flask/flask_middleware.py
@@ -33,7 +33,7 @@ def set_before_after_request(self):
         app = self.app
         from supertokens_python.framework.flask.flask_request import FlaskRequest
         from supertokens_python.framework.flask.flask_response import FlaskResponse
-        from supertokens_python.supertokens import manage_cookies_post_response
+        from supertokens_python.supertokens import manage_session_post_response
 
         from flask.wrappers import Response
 
@@ -65,7 +65,7 @@ def _(response: Response):
 
             response_ = FlaskResponse(response)
             if hasattr(g, "supertokens") and g.supertokens is not None:
-                manage_cookies_post_response(g.supertokens, response_)
+                manage_session_post_response(g.supertokens, response_)
 
             return response_.response
 

diff --git a/supertokens_python/framework/flask/flask_response.py b/supertokens_python/framework/flask/flask_response.py
@@ -82,7 +82,7 @@ def set_header(self, key: str, value: str):
                 )
             self.headers.append((key, value))
         else:
-            self.response.headers.add(key, value)
+            self.response.headers[key] = value
 
     def get_header(self, key: str) -> Union[None, str]:
         if self.response is not None:

diff --git a/supertokens_python/recipe/emailpassword/api/implementation.py b/supertokens_python/recipe/emailpassword/api/implementation.py
@@ -169,7 +169,9 @@ async def sign_in_post(
 
         user = result.user
         session = await create_new_session(
-            api_options.request, user.user_id, user_context=user_context
+            api_options.request,
+            user.user_id,
+            user_context=user_context,
         )
         return SignInPostOkResult(user, session)
 
@@ -204,6 +206,8 @@ async def sign_up_post(
 
         user = result.user
         session = await create_new_session(
-            api_options.request, user.user_id, user_context=user_context
+            api_options.request,
+            user.user_id,
+            user_context=user_context,
         )
         return SignUpPostOkResult(user, session)
diff --git a/supertokens_python/recipe/passwordless/api/implementation.py b/supertokens_python/recipe/passwordless/api/implementation.py
@@ -288,7 +288,11 @@ async def consume_code_post(
                     )
 
         session = await create_new_session(
-            api_options.request, user.user_id, {}, {}, user_context=user_context
+            api_options.request,
+            user.user_id,
+            {},
+            {},
+            user_context=user_context,
         )
 
         return ConsumeCodePostOkResult(

diff --git a/supertokens_python/recipe/session/__init__.py b/supertokens_python/recipe/session/__init__.py
@@ -13,18 +13,18 @@
 # under the License.
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Callable, Union
+from typing import TYPE_CHECKING, Any, Callable, Dict, Union
 
 from typing_extensions import Literal
 
 if TYPE_CHECKING:
     from ...recipe_module import RecipeModule
-    from supertokens_python.supertokens import AppInfo
+    from supertokens_python.supertokens import AppInfo, BaseRequest
+    from .utils import TokenTransferMethod
 
 from . import exceptions as ex
+from . import interfaces, utils
 from .recipe import SessionRecipe
-from . import utils
-from . import interfaces
 
 InputErrorHandlers = utils.InputErrorHandlers
 InputOverrideConfig = utils.InputOverrideConfig
@@ -39,6 +39,13 @@ def init(
     cookie_same_site: Union[Literal["lax", "none", "strict"], None] = None,
     session_expired_status_code: Union[int, None] = None,
     anti_csrf: Union[Literal["VIA_TOKEN", "VIA_CUSTOM_HEADER", "NONE"], None] = None,
+    get_token_transfer_method: Union[
+        Callable[
+            [BaseRequest, bool, Dict[str, Any]],
+            Union[TokenTransferMethod, Literal["any"]],
+        ],
+        None,
+    ] = None,
     error_handlers: Union[InputErrorHandlers, None] = None,
     override: Union[InputOverrideConfig, None] = None,
     jwt: Union[JWTConfig, None] = None,
@@ -50,6 +57,7 @@ def init(
         cookie_same_site,
         session_expired_status_code,
         anti_csrf,
+        get_token_transfer_method,
         error_handlers,
         override,
         jwt,

diff --git a/supertokens_python/recipe/session/access_token.py b/supertokens_python/recipe/session/access_token.py
@@ -13,13 +13,13 @@
 # under the License.
 from __future__ import annotations
 
-from typing import Any, Union
+from typing import Any, Dict, Union
 
 from supertokens_python.logger import log_debug_message
 from supertokens_python.utils import get_timestamp_ms
 
 from .exceptions import raise_try_refresh_token_exception
-from .jwt import get_payload
+from .jwt import ParsedJWTInfo, verify_jwt
 
 
 def sanitize_string(s: Any) -> Union[str, None]:
@@ -41,10 +41,14 @@ def sanitize_number(n: Any) -> Union[Union[int, float], None]:
 
 
 def get_info_from_access_token(
-    token: str, jwt_signing_public_key: str, do_anti_csrf_check: bool
+    jwt_info: ParsedJWTInfo, jwt_signing_public_key: str, do_anti_csrf_check: bool
 ):
     try:
-        payload = get_payload(token, jwt_signing_public_key)
+        verify_jwt(jwt_info, jwt_signing_public_key)
+        payload = jwt_info.payload
+
+        validate_access_token_structure(payload)
+
         session_handle = sanitize_string(payload.get("sessionHandle"))
         user_id = sanitize_string(payload.get("userId"))
         refresh_token_hash_1 = sanitize_string(payload.get("refreshTokenHash1"))
@@ -56,18 +60,10 @@ def get_info_from_access_token(
         expiry_time = sanitize_number(payload.get("expiryTime"))
         time_created = sanitize_number(payload.get("timeCreated"))
 
-        if (
-            (session_handle is None)
-            or (user_data is None)
-            or (refresh_token_hash_1 is None)
-            or (user_data is None)
-            or (anti_csrf_token is None and do_anti_csrf_check)
-            or (expiry_time is None)
-            or (time_created is None)
-        ):
-            raise Exception(
-                "Access token does not contain all the information. Maybe the structure has changed?"
-            )
+        if anti_csrf_token is None and do_anti_csrf_check:
+            raise Exception("Access token does not contain the anti-csrf token")
+
+        assert isinstance(expiry_time, int)
 
         if expiry_time < get_timestamp_ms():
             raise Exception("Access token expired")
@@ -87,3 +83,16 @@ def get_info_from_access_token(
             "getSession: Returning TRY_REFRESH_TOKEN because failed to decode access token"
         )
         raise_try_refresh_token_exception(e)
+
+
+def validate_access_token_structure(payload: Dict[str, Any]) -> None:
+    if (
+        not isinstance(payload.get("sessionHandle"), str)
+        or payload.get("userData") is None
+        or not isinstance(payload.get("refreshTokenHash1"), str)
+        or not isinstance(payload.get("expiryTime"), int)
+        or not isinstance(payload.get("timeCreated"), int)
+    ):
+        raise Exception(
+            "Access token does not contain all the information. Maybe the structure has changed?"
+        )
diff --git a/supertokens_python/recipe/session/asyncio/__init__.py b/supertokens_python/recipe/session/asyncio/__init__.py
@@ -280,6 +280,7 @@ async def refresh_session(
         request = FRAMEWORKS[
             SessionRecipe.get_instance().app_info.framework
         ].wrap_request(request)
+
     return await SessionRecipe.get_instance().recipe_implementation.refresh_session(
         request, user_context
     )

diff --git a/supertokens_python/recipe/session/constants.py b/supertokens_python/recipe/session/constants.py
@@ -11,14 +11,23 @@
 # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 # License for the specific language governing permissions and limitations
 # under the License.
+from __future__ import annotations
+from typing import TYPE_CHECKING, List
+
+if TYPE_CHECKING:
+    from .utils import TokenTransferMethod
+
 SESSION_REFRESH = "/session/refresh"
 SIGNOUT = "/signout"
 ACCESS_TOKEN_COOKIE_KEY = "sAccessToken"
 REFRESH_TOKEN_COOKIE_KEY = "sRefreshToken"
-ID_REFRESH_TOKEN_COOKIE_KEY = "sIdRefreshToken"
 FRONT_TOKEN_HEADER_SET_KEY = "front-token"
 ANTI_CSRF_HEADER_KEY = "anti-csrf"
 RID_HEADER_KEY = "rid"
-ID_REFRESH_TOKEN_HEADER_SET_KEY = "id-refresh-token"
-ID_REFRESH_TOKEN_HEADER_GET_KEY = "id-refresh-token"
+AUTH_MODE_HEADER_KEY = "st-auth-mode"
+AUTHORIZATION_HEADER_KEY = "authorization"
+ACCESS_TOKEN_HEADER_KEY = "st-access-token"
+REFRESH_TOKEN_HEADER_KEY = "st-refresh-token"
 ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers"
+
+available_token_transfer_methods: List[TokenTransferMethod] = ["cookie", "header"]