fix: always set sessionHandle appropriately for oauth sessions

supertokens · Oct 26, 2024 · 8f80b8c · 8f80b8c
1 parent f2747a2
commit 8f80b8c
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 16 deletions.
diff --git a/src/main/java/io/supertokens/oauth/OAuthToken.java b/src/main/java/io/supertokens/oauth/OAuthToken.java
@@ -105,6 +105,11 @@ public static String reSignToken(AppIdentifier appIdentifier, Main main, String
         if (tokenType == TokenType.ACCESS_TOKEN) {
             // we need to move rsub, tId and sessionHandle from ext to root
             Transformations.transformExt(payload);
+        } else {
+            if (payload.has("ext")) {
+                JsonObject ext = payload.get("ext").getAsJsonObject();
+                payload.addProperty("sid", ext.get("sessionHandle").getAsString());
+            }
         }
 
         // This should only happen in the authorization code flow during the token exchange. (enforced on the api level)

diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthConsentRequestAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthAcceptAuthConsentRequestAPI.java
@@ -47,6 +47,9 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws IO
         accessToken.add("initialPayload", initialAccessTokenPayload);
 
         JsonObject idToken = new JsonObject();
+        JsonObject idTokenExt = new JsonObject();
+        idTokenExt.addProperty("sessionHandle", sessionHandle);
+        idToken.add("ext", idTokenExt);
         idToken.add("initialPayload", initialIdTokenPayload);
 
         // remove the above from input

diff --git a/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java b/src/main/java/io/supertokens/webserver/api/oauth/OAuthTokenAPI.java
@@ -191,14 +191,18 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
                     String gid = null;
                     String jti = null;
                     String sessionHandle = null;
-                    Long exp = null;
+                    Long accessTokenExp = null;
 
                     if(response.jsonResponse.getAsJsonObject().has("access_token")){
                         try {
                             JsonObject accessTokenPayload = OAuthToken.getPayloadFromJWTToken(appIdentifier, main, response.jsonResponse.getAsJsonObject().get("access_token").getAsString());
                             gid = accessTokenPayload.get("gid").getAsString();
                             jti = accessTokenPayload.get("jti").getAsString();
-                            exp = accessTokenPayload.get("exp").getAsLong();
+                            accessTokenExp = accessTokenPayload.get("exp").getAsLong();
+                            if (accessTokenPayload.has("sessionHandle")) {
+                                sessionHandle = accessTokenPayload.get("sessionHandle").getAsString();
+                                updateLastActive(appIdentifier, sessionHandle);
+                            }
                         } catch (TryRefreshTokenException e) {
                             //ignore, shouldn't happen
                         }
@@ -226,12 +230,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
 
                             if (introspectResponse != null) {
                                 JsonObject refreshTokenPayload = introspectResponse.jsonResponse.getAsJsonObject();
-                                Transformations.transformExt(refreshTokenPayload);
                                 refreshTokenExp = refreshTokenPayload.get("exp").getAsLong();
-                                if (refreshTokenPayload.has("sessionHandle")) {
-                                    updateLastActive(appIdentifier, refreshTokenPayload.get("sessionHandle").getAsString());
-                                    sessionHandle = refreshTokenPayload.get("sessionHandle").getAsString();
-                                }
                             } else {
                                 throw new IllegalStateException("Should never come here");
                             }
@@ -250,15 +249,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
                             }
                         }
                     } else {
-                        try {
-                            JsonObject accessTokenPayload = OAuthToken.getPayloadFromJWTToken(appIdentifier, main, response.jsonResponse.getAsJsonObject().get("access_token").getAsString());
-                            if (accessTokenPayload.has("sessionHandle")) {
-                                updateLastActive(appIdentifier, accessTokenPayload.get("sessionHandle").getAsString());
-                            }
-                            OAuth.createOrUpdateOauthSession(main, appIdentifier, storage, clientId, gid, null, null, sessionHandle, List.of(jti), exp);
-                        } catch (Exception e) {
-                            // ignore
-                        }
+                        OAuth.createOrUpdateOauthSession(main, appIdentifier, storage, clientId, gid, null, null, sessionHandle, List.of(jti), accessTokenExp);
                     }
 
                 } catch (IOException | InvalidConfigException | TenantOrAppNotFoundException | StorageQueryException