supertokens / supertokens-python

Python SDK for SuperTokens
https://supertokens.com

signOut not revoking session #397

Closed printMalik closed 1 year ago

printMalik commented 1 year ago

Managed core v5. Frontend: supertokens-auth-react 0.31.5. Backend: supertokens-python 0.13.

Description

Backend debug logs when calling signOut, and the token used in the request (sAccessToken=):

```
eyJraWQiOiJkLTE2OTEwMjA3MjgxOTMiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiMyIsImFsZyI6IlJTMjU2In0.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.qDeTVElc3JkrkhfjlN6Qxi2nMG0__rhDvkRKABnEVM-g0uZUvxotEy3OrQwqjoaNtoSHjlg71Gth4KfZm33UXu3unYqZ73rRRg-5G8NCMUMb2-RrCaQ5yTai5SK-QFyTOhfeQn4IrD13F78o7ZbZNmTLhvCEtRcEblWebMt3VwabvWDZFl1-LJHBRjgRUeEFX7tdsaI58MHKNqXFhxmbeMketBdvrI6wGVQjGaVBArIzTnMjX5n_Bs6DkggnPPxHWym4uaxVtQyECVP7J8YAexprZsYYPOyL0hbFEntywWq_-n5Ydp2mmUvavQkUHhzXeFxUPPA0tpdYSK0zwY0nnw
2023-08-08 11:52:11 INFO:     172.31.0.1:47748 - "OPTIONS /auth/signout HTTP/1.1" 200 OK
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.137Z", "sdkVer": "0.13.0", "message": "middleware: Started", "file": "supertokens.py:458"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.137Z", "sdkVer": "0.13.0", "message": "middleware: requestRID is: session", "file": "supertokens.py:471"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.137Z", "sdkVer": "0.13.0", "message": "middleware: Checking recipe ID for match: jwt", "file": "supertokens.py:482"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.137Z", "sdkVer": "0.13.0", "message": "middleware: Checking recipe ID for match: session", "file": "supertokens.py:482"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.137Z", "sdkVer": "0.13.0", "message": "middleware: Matched with recipe ID: session", "file": "supertokens.py:504"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.137Z", "sdkVer": "0.13.0", "message": "middleware: Request being handled by recipe. ID is: /signout", "file": "supertokens.py:516"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": "getSession: Started", "file": "recipe/session/session_request_functions.py:86"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": "getSession: Wrapping done", "file": "recipe/session/session_request_functions.py:93"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": "getSession: optional validation: True", "file": "recipe/session/session_request_functions.py:105"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": "getSession: ignoring token in cookie, because it doesn't match our access token structure", "file": "recipe/session/session_request_functions.py:122"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": "getSession: returning None because accessToken is undefined and sessionRequired is false", "file": "recipe/session/session_request_functions.py:147"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": "Sending response to client with status code: 200", "file": "utils.py:157"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": "middleware: Ended", "file": "supertokens.py:525"}
2023-08-08 11:52:11 
2023-08-08 11:52:11 INFO:     172.31.0.1:47752 - "POST /auth/signout HTTP/1.1" 200 OK
```

ST configs

Here are the frontend and backend configs. We aren't using the third-party providers yet, so we have them commented out. I have removed them for this post to reduce clutter.

```js
// Imports added for completeness; the reporter's snippet started at SuperTokens.init.
import SuperTokens from 'supertokens-auth-react';
import ThirdPartyEmailPassword from 'supertokens-auth-react/recipe/thirdpartyemailpassword';
import Session from 'supertokens-auth-react/recipe/session';

SuperTokens.init({
  appInfo: {
    appName: 'app_name',
    apiDomain: `${process.env.REACT_APP_USER_SERVICE}`,
    websiteDomain: `${process.env.REACT_APP_PUBLIC_URL}`,
    apiBasePath: '/auth',
    websiteBasePath: '/auth',
  },
  recipeList: [
    ThirdPartyEmailPassword.init({
      signInAndUpFeature: {
        signUpForm: {
          formFields: [
            {
              id: 'username',
              label: 'Username',
              placeholder: 'Username',

              // Asks the backend whether the username is free; 409 means taken.
              validate: async (value) => {
                const response = await fetch(
                  `${process.env.REACT_APP_USER_SERVICE}/api/userauth/check/${value}`
                );

                if (response.status === 409) {
                  return 'Username already taken';
                }

                return undefined;
              },
            },
          ],
        },
      },
    }),
    Session.init({
      tokenTransferMethod: 'cookie',
    }),
  ],
});
```

```python
# Imports added for completeness; the reporter's snippet started at init(...).
# override_functions and override_apis are defined elsewhere in their code (not shown).
import os

from supertokens_python import InputAppInfo, SupertokensConfig, init
from supertokens_python.recipe import dashboard, jwt, session, thirdpartyemailpassword
from supertokens_python.recipe.emailpassword import InputFormField

init(
    app_info=InputAppInfo(
        app_name="app_name",
        api_domain=f'{os.environ["USER_SERVICE"]}',
        website_domain=f'{os.environ["WEBSITE_DOMAIN"]}',
        api_base_path="/auth",
        website_base_path="/auth",
    ),
    supertokens_config=SupertokensConfig(
        # TODO: Update to env vars once switching to prod values
        connection_uri="connectionuri",
        api_key="apikey",
    ),
    framework="fastapi",
    recipe_list=[
        jwt.init(),
        session.init(
            override=session.InputOverrideConfig(functions=override_functions),
            expose_access_token_to_frontend_in_cookie_based_auth=True,
        ),  # initializes session features
        dashboard.init(),
        thirdpartyemailpassword.init(
            sign_up_feature=thirdpartyemailpassword.InputSignUpFeature(
                form_fields=[InputFormField(id="username", optional=False)]
            ),
            override=thirdpartyemailpassword.InputOverrideConfig(apis=override_apis),
        ),
    ],
    mode="asgi",  # use wsgi if you are running using gunicorn
)
```
printMalik commented 1 year ago

Forgot to add, editing the core config is disabled too.

[screenshot not included in the extracted text]
printMalik commented 1 year ago

08/09

[screenshot not included in the extracted text]

Token used in this request. jwt.io showed the signature was verified.

sAccessToken=eyJraWQiOiJkLTE2OTEwMjA3MjgxOTMiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiMyIsImFsZyI6IlJTMjU2In0.eyJpYXQiOjEuNjkxNjIzMDQ2RTksImV4cCI6MS42OTE2MjY2NDZFOSwiYW50aUNzcmZUb2tlbiI6bnVsbCwic3ViIjoiMGI5NzY2YmEtZjkxMy00M2ZmLWIyOGItZDU1ZTkwNjUwNWI1IiwiSW5fR2FtZSI6eyJSb2xlIjoiR00iLCJHYW1lIjoiMSIsIlBhcnR5IjoiTm9uZSJ9LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwMDEvYXV0aCIsInNlc3Npb25IYW5kbGUiOiI1MjlmMTEzMC1kMjhlLTQxY2QtODBiNC1kNWVhMTZiYWMzOWEiLCJwYXJlbnRSZWZyZXNoVG9rZW5IYXNoMSI6IjE4MjI1MjJjZGNlNTc1YjlmMjJiYzM2YjkyNzNhZjkwZmMyZjFjNjBmNWI1OGYyNjM3NTk4ZjBkYThhMDc3MmMiLCJlbWFpbCI6ImV4cGxvaXRlckBiYXIuY29tIiwicmVmcmVzaFRva2VuSGFzaDEiOiI4NDBiOGFmNmU2MjFmMWU4MDFkNGEzODkzYzliZDQ1ZTY4NWRlYTA4N2Q2MDEzMTYzYjliMWUzMjNjNmNmNDExIiwidXNlcm5hbWUiOiJleHBsb2l0QWNjb3VudCJ9.WFs0XgzwnR065Xh-GEXMbC9f44zCVjtHtpUsOK1xGAVHCQ5UuHGtUZBOJAyHLVMvg_4wjRe_hzJLQugOxlGctAK4ZO_yFFcpIPekl2kvqihvbXAKwMp9UXLd5CqqgkJkeAlRh66BXWk2EjHEZ4LmMS3aK7di9h1SpikNrEeQyWzwSTdnQKYaI0czsh2XVyd8nO9n3RK8I_IdPpsHmjY0y3-bKD_ahre_Y6IHP8zj6RZb9GHpR0-u0O14Ex_Uwuszc2rtjoAzqHUbm8pfYdrRNuwCmqKoudXeRPRChCZTARoRCoEu_5LfpkeDnRuLo76Z9Uarvgf-ZBAd1qZ93Y_KDA
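The debug log in the first comment says getSession ignored the cookie token "because it doesn't match our access token structure", and the token itself is pasted above, so the structure can be inspected locally. The script below is an added example, my own code and not part of the supertokens-python SDK or of anything posted in this thread. It decodes the header and payload of the pasted token without verifying the signature, keeping numeric literals exactly as serialised, runs a structure check over the claims, shows the same claims in the shape the check accepts, and flags the log pattern of a signout that answered 200 while no session was found. The check's rules (header version "3" with a kid; sessionHandle, sub and refreshTokenHash1 as strings; iat and exp as integer seconds) are an assumption modelled on the fields visible in the token, not the SDK's own validation code, and the sample log lines are constructed from the excerpt in the first comment. Decoding shows iat and exp serialised as 1.691623046E9 and 1.691626646E9; whether that is what the core fix the maintainer mentions changed is not stated in the thread.

```python
"""Added example: inspect why getSession ignored the access token in the thread."""
import base64
import json

# Header and payload segments of the access token the reporter pasted (the
# signature segment is left out: it is not needed to inspect the structure).
PAGE_TOKEN_HEADER = (
    "eyJraWQiOiJkLTE2OTEwMjA3MjgxOTMiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiMyIsImFsZyI6IlJTMjU2In0"
)
PAGE_TOKEN_PAYLOAD = (
    "eyJpYXQiOjEuNjkxNjIzMDQ2RTksImV4cCI6MS42OTE2MjY2NDZFOSwiYW50aUNzcmZUb2tlbiI6bnVsbCwic3ViIjoi"
    "MGI5NzY2YmEtZjkxMy00M2ZmLWIyOGItZDU1ZTkwNjUwNWI1IiwiSW5fR2FtZSI6eyJSb2xlIjoiR00iLCJHYW1lIjoi"
    "MSIsIlBhcnR5IjoiTm9uZSJ9LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwMDEvYXV0aCIsInNlc3Npb25IYW5kbGUi"
    "OiI1MjlmMTEzMC1kMjhlLTQxY2QtODBiNC1kNWVhMTZiYWMzOWEiLCJwYXJlbnRSZWZyZXNoVG9rZW5IYXNoMSI6IjE4"
    "MjI1MjJjZGNlNTc1YjlmMjJiYzM2YjkyNzNhZjkwZmMyZjFjNjBmNWI1OGYyNjM3NTk4ZjBkYThhMDc3MmMiLCJlbWFp"
    "bCI6ImV4cGxvaXRlckBiYXIuY29tIiwicmVmcmVzaFRva2VuSGFzaDEiOiI4NDBiOGFmNmU2MjFmMWU4MDFkNGEzODkz"
    "YzliZDQ1ZTY4NWRlYTA4N2Q2MDEzMTYzYjliMWUzMjNjNmNmNDExIiwidXNlcm5hbWUiOiJleHBsb2l0QWNjb3VudCJ9"
)

# Constructed from three lines of the reporter's debug log excerpt.
SAMPLE_LOG_LINES = [
    'com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": '
    '"getSession: ignoring token in cookie, because it doesn\'t match our access token structure"}',
    'com.supertokens {"t": "2023-08-08T15:52:11.138Z", "sdkVer": "0.13.0", "message": '
    '"getSession: returning None because accessToken is undefined and sessionRequired is false"}',
    'INFO:     172.31.0.1:47752 - "POST /auth/signout HTTP/1.1" 200 OK',
]

# ASSUMED rules, modelled on the fields visible in the token; not the SDK's own checks.
REQUIRED_STRING_CLAIMS = ("sessionHandle", "sub", "refreshTokenHash1")
REQUIRED_TIME_CLAIMS = ("iat", "exp")


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Split a JWT into header and payload WITHOUT checking the signature.

    Only for local diagnosis of structure: nothing returned here may be trusted
    until the signature has been verified against the issuer's key. Floats are
    kept as their raw literals so a value such as 1.691623046E9 is seen exactly
    as it was serialised rather than as 1691623046.0.
    """
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("not a JWT: expected header.payload[.signature]")
    header = json.loads(_b64url_decode(parts[0]), parse_float=str)
    payload = json.loads(_b64url_decode(parts[1]), parse_float=str)
    return header, payload


def check_access_token_structure(header: dict, payload: dict) -> list[str]:
    """Return the structural problems found; an empty list means the token has
    the shape this (assumed) check expects."""
    problems = []
    if header.get("version") != "3":
        problems.append(f"header version is {header.get('version')!r}, expected '3'")
    if not isinstance(header.get("kid"), str):
        problems.append("header has no kid, so no signing key can be selected")
    for claim in REQUIRED_STRING_CLAIMS:
        if not isinstance(payload.get(claim), str):
            problems.append(f"{claim} missing or not a string")
    for claim in REQUIRED_TIME_CLAIMS:
        value = payload.get(claim)
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(value, bool) or not isinstance(value, int):
            problems.append(f"{claim} is not an integer: {value!r}")
    return problems


def with_integer_timestamps(payload: dict) -> dict:
    """Constructed well-formed variant of the same claims: iat/exp as integer
    seconds, which is the shape the check above accepts."""
    fixed = dict(payload)
    for claim in REQUIRED_TIME_CLAIMS:
        fixed[claim] = int(float(fixed[claim]))
    return fixed


def signout_silently_succeeded(log_lines: list[str]) -> bool:
    """True when the SDK found no session for a signout yet still answered 200:
    the symptom in the thread, where the client believes it signed out while
    the session in the core was never revoked."""
    no_session = any("returning None because accessToken is undefined" in line for line in log_lines)
    signout_ok = any('"POST /auth/signout' in line and '" 200' in line for line in log_lines)
    return no_session and signout_ok


if __name__ == "__main__":
    header, payload = decode_jwt_unverified(PAGE_TOKEN_HEADER + "." + PAGE_TOKEN_PAYLOAD)
    print("header:", header)
    print("iat/exp as serialised:", payload["iat"], payload["exp"])
    print("problems:", check_access_token_structure(header, payload))
    print("after normalising timestamps:",
          check_access_token_structure(header, with_integer_timestamps(payload)))
    print("signout answered 200 without a session:", signout_silently_succeeded(SAMPLE_LOG_LINES))
```

Running it prints two problems for the pasted token (iat and exp are the string literals "1.691623046E9" and "1.691626646E9" rather than integers) and none once the timestamps are normalised; the log check returns True for the excerpt, which is the pattern worth alerting on in production, since a 200 from /auth/signout there does not mean the session was revoked.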
rishabhpoddar commented 1 year ago

This issue has been fixed. There was a bug in the supertokens core which has now been fixed in core version >= 6.0.10.