Improve session token handling

auth0 · Aug 28, 2020 · d83dc8d · d83dc8d
1 parent fc75fc5
commit d83dc8d
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 13 deletions.
diff --git a/__tests__/doRedirect.test.js b/__tests__/doRedirect.test.js
@@ -44,7 +44,19 @@ describe("doRedirect()", () => {
     util.doRedirect(redirectUrl);
 
     expect(mockContext.redirect.url.split("=")[0]).toEqual(
-      `${redirectUrl}?sessionToken`
+      `${redirectUrl}?session_token`
     );
   });
+
+  it("sets a custom session token", () => {
+    const redirectUrl = faker.internet.url();
+    const util = new Auth0RedirectRuleUtilities(mockUser, mockContext, {
+      SESSION_TOKEN_SECRET: tokenSecret,
+    });
+    const customSessionToken = faker.random.alphaNumeric(12);
+
+    util.doRedirect(redirectUrl, customSessionToken);
+
+    expect(mockContext.redirect.url).toEqual(`${redirectUrl}?session_token=${customSessionToken}`);
+  });
 });
diff --git a/__tests__/validateSessionToken.test.js b/__tests__/validateSessionToken.test.js
@@ -27,7 +27,7 @@ describe("validateSessionToken()", () => {
       request: {
         hostname: faker.random.alphaNumeric(12),
         query: {
-          sessionToken: signedSessionToken,
+          session_token: signedSessionToken,
         },
       },
     };
@@ -51,7 +51,7 @@ describe("validateSessionToken()", () => {
     mockUser.user_id = sessionToken.sub;
     mockContext.request.hostname = issuerHost;
     sessionToken.exp = Date.now() / 1000 - 1;
-    mockContext.request.query.sessionToken = jwt.sign(
+    mockContext.request.query.session_token = jwt.sign(
       sessionToken,
       tokenSecret
     );
@@ -64,7 +64,7 @@ describe("validateSessionToken()", () => {
   it("throws an error if the token sub does not match the user", () => {
     mockContext.request.hostname = issuerHost;
     sessionToken.exp = Date.now() / 1000 + 999;
-    mockContext.request.query.sessionToken = jwt.sign(
+    mockContext.request.query.session_token = jwt.sign(
       sessionToken,
       tokenSecret
     );
@@ -79,7 +79,7 @@ describe("validateSessionToken()", () => {
   it("throws an error if the token iss does not match host", () => {
     mockUser.user_id = sessionToken.sub;
     sessionToken.exp = Date.now() / 1000 + 999;
-    mockContext.request.query.sessionToken = jwt.sign(
+    mockContext.request.query.session_token = jwt.sign(
       sessionToken,
       tokenSecret
     );
@@ -94,7 +94,7 @@ describe("validateSessionToken()", () => {
   it("returns the validated token if checks pass", () => {
     mockContext.request.hostname = issuerHost;
     sessionToken.exp = Date.now() / 1000 + 999;
-    mockContext.request.query.sessionToken = jwt.sign(
+    mockContext.request.query.session_token = jwt.sign(
       sessionToken,
       tokenSecret
     );

diff --git a/examples/redirectRuleExample.js b/examples/redirectRuleExample.js
@@ -19,7 +19,7 @@ function redirectRuleExample(user, context, callback) {
     configuration
   );
 
-  if (ruleUtils.isRedirectCallback && ruleUtils.queryParams.sessionToken) {
+  if (ruleUtils.isRedirectCallback && ruleUtils.queryParams.session_token) {
     // User is back from the redirect and has a session token to validate.
 
     try {
@@ -41,6 +41,8 @@ function redirectRuleExample(user, context, callback) {
     (!user.app_metadata || !user.app_metadata.is_verified)
   ) {
     try {
+      // This method automatically creates a session token.
+      // To add data to this token, use ruleUtils.createSessionToken and pass as second param below.
       ruleUtils.doRedirect(configuration.ID_VERIFICATION_URL);
       callback(null, user, context);
     } catch (error) {

diff --git a/src/index.js b/src/index.js
@@ -105,7 +105,7 @@ class Auth0RedirectRuleUtilities {
    * @param {object} verifyOptions - Additional options for jsonwebtoken.verify
    */
   validateSessionToken(verifyOptions = {}) {
-    const jwt = this.queryParams.sessionToken;
+    const jwt = this.queryParams.session_token;
     const payload = this.verify(jwt, this.tokenSecret, {
       ...verifyOptions,
       subject: this.user.user_id,
@@ -122,16 +122,17 @@ class Auth0RedirectRuleUtilities {
   /**
    * Check if redirect is possible and set the context if so.
    *
-   * @param {sting} url
+   * @param {sting} url - URL to redirect to.
+   * @param {sting} url - Session token to use or omit to create one.
    */
-  doRedirect(url) {
-    if (!this.canRedirect) {
+  doRedirect(url, sessionToken) {
+    if (!this.canRedirect || !url) {
       throw new Error("Cannot redirect");
     }
 
-    const token = this.createSessionToken();
+    const token = sessionToken || this.createSessionToken();
     this.context.redirect = {
-      url: `${url}?sessionToken=${token}`,
+      url: `${url}?session_token=${token}`,
     };
   }
 }