Merge pull request #407 from furkansenharputlu/fix/session-required-signout

fix: session required in signout

Author: rishabhpoddar

CHANGELOG.md

@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - `session.CreateNewSession` now defaults to the value of the `st-auth-mode` header (if available) if the configured `config.GetTokenTransferMethod` returns `any`.
 - Enable smooth switching between `useDynamicAccessTokenSigningKey` settings by allowing refresh calls to change the signing key type of a session.
+- Make session required during signout.
 
 ## [0.17.5] - 2024-03-14
 - Adds a type uint64 to the `accessTokenCookiesExpiryDurationMillis` local variable in `recipe/session/utils.go`. It also removes the redundant `uint64` type forcing needed because of the untyped variable.

recipe/emailpassword/authFlow_test.go

@@ -1387,7 +1387,7 @@ func TestDefaultSignoutRouteRevokesSession(t *testing.T) {
 	assert.Equal(t, "", cookieData1["refreshTokenDomain"])
 }
 
-func TestCallingTheAPIwithoutSessionShouldReturnOk(t *testing.T) {
+func TestCallingTheAPIwithoutSessionShouldReturnUnauthorized(t *testing.T) {
 	configValue := supertokens.TypeInput{
 		Supertokens: &supertokens.ConnectionInfo{
 			ConnectionURI: "http://localhost:8080",
@@ -1442,8 +1442,8 @@ func TestCallingTheAPIwithoutSessionShouldReturnOk(t *testing.T) {
 		t.Error(err.Error())
 	}
 
-	assert.Equal(t, 200, res.StatusCode)
-	assert.Equal(t, "OK", data["status"])
+	assert.Equal(t, http.StatusUnauthorized, res.StatusCode)
+	assert.Empty(t, data["status"])
 	assert.Nil(t, req.Header["Cookie"])
 }
 

recipe/session/signout.go

@@ -27,9 +27,9 @@ func SignOutAPI(apiImplementation sessmodels.APIInterface, options sessmodels.AP
 		return nil
 	}
 
-	False := false
+	sessionRequired := true
 	sessionContainer, err := GetSessionFromRequest(options.Req, options.Res, options.Config, &sessmodels.VerifySessionOptions{
-		SessionRequired: &False,
+		SessionRequired: &sessionRequired,
 		OverrideGlobalClaimValidators: func(globalClaimValidators []claims.SessionClaimValidator, sessionContainer sessmodels.SessionContainer, userContext supertokens.UserContext) ([]claims.SessionClaimValidator, error) {
 			return []claims.SessionClaimValidator{}, nil
 		},

recipe/thirdparty/signoutFeature_test.go

@@ -35,7 +35,7 @@ import (
 	"gopkg.in/h2non/gock.v1"
 )
 
-func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) {
+func TestThatCallingTheAPIwithoutASessionShouldReturnUnauthorized(t *testing.T) {
 	configValue := supertokens.TypeInput{
 		Supertokens: &supertokens.ConnectionInfo{
 			ConnectionURI: "http://localhost:8080",
@@ -80,7 +80,7 @@ func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) {
 	if err != nil {
 		t.Error(err.Error())
 	}
-	assert.Equal(t, http.StatusOK, resp.StatusCode)
+	assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 
 	dataInBytes, err := ioutil.ReadAll(resp.Body)
 	if err != nil {
@@ -94,7 +94,7 @@ func TestThatCallingTheAPIwithoutASessionShouldReturnOk(t *testing.T) {
 		t.Error(err.Error())
 	}
 
-	assert.Equal(t, "OK", response["status"])
+	assert.Empty(t, response["status"])
 
 	assert.Equal(t, 0, len(resp.Cookies()))
 }