fix: ignore protected props in create_new_session functions

supertokens · Sep 12, 2023 · ddf1a6c · ddf1a6c
1 parent 387077c
commit ddf1a6c
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 1 deletion.
diff --git a/supertokens_python/recipe/session/asyncio/__init__.py b/supertokens_python/recipe/session/asyncio/__init__.py
@@ -41,6 +41,7 @@
     get_session_from_request,
     refresh_session_in_request,
 )
+from ..constants import protected_props
 from ..utils import get_required_claim_validators
 
 from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID
@@ -106,6 +107,10 @@ async def create_new_session_without_request_response(
 
     final_access_token_payload = {**access_token_payload, "iss": issuer}
 
+    for prop in protected_props:
+        if prop in final_access_token_payload:
+            del final_access_token_payload[prop]
+
     for claim in claims_added_by_other_recipes:
         update = await claim.build(user_id, tenant_id, user_context)
         final_access_token_payload = {**final_access_token_payload, **update}

diff --git a/supertokens_python/recipe/session/constants.py b/supertokens_python/recipe/session/constants.py
@@ -42,5 +42,6 @@
     "parentRefreshTokenHash1",
     "refreshTokenHash1",
     "antiCsrfToken",
+    "rsub",
     "tId",
 ]
diff --git a/supertokens_python/recipe/session/recipe_implementation.py b/supertokens_python/recipe/session/recipe_implementation.py
@@ -47,6 +47,7 @@
     from supertokens_python import AppInfo
 
 from .interfaces import SessionContainer
+from .constants import protected_props
 from supertokens_python.querier import Querier
 from supertokens_python.recipe.multitenancy.constants import DEFAULT_TENANT_ID
 
@@ -378,8 +379,13 @@ async def merge_into_access_token_payload(
         if session_info is None:
             return False
 
+        new_access_token_payload = session_info.custom_claims_in_access_token_payload
+        for k in protected_props:
+            if k in new_access_token_payload:
+                del new_access_token_payload[k]
+
         new_access_token_payload = {
-            **session_info.custom_claims_in_access_token_payload,
+            **new_access_token_payload,
             **access_token_payload_update,
         }
         for k in access_token_payload_update.keys():

diff --git a/supertokens_python/recipe/session/session_request_functions.py b/supertokens_python/recipe/session/session_request_functions.py
@@ -60,6 +60,7 @@
     set_request_in_user_context_if_not_defined,
 )
 from supertokens_python.supertokens import Supertokens
+from .constants import protected_props
 
 if TYPE_CHECKING:
     from supertokens_python.recipe.session.recipe import SessionRecipe
@@ -240,6 +241,10 @@ async def create_new_session_in_request(
 
     final_access_token_payload = {**access_token_payload, "iss": issuer}
 
+    for prop in protected_props:
+        if prop in final_access_token_payload:
+            del final_access_token_payload[prop]
+
     for claim in claims_added_by_other_recipes:
         update = await claim.build(user_id, tenant_id, user_context)
         final_access_token_payload = {**final_access_token_payload, **update}