From f3a6ea1815317de868aaf620248762d1dc6f5987 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mih=C3=A1ly=20Lengyel?=
Date: Wed, 16 Aug 2023 13:58:16 +0200
Subject: [PATCH] fix: fix handling of b64 and b64url encoded access tokens (#767)
---
 CHANGELOG.md | 4 ++++
 build.gradle | 2 +-
 src/main/java/io/supertokens/utils/Utils.java | 3 ++-
 .../test/session/AccessTokenTest.java | 21 ++++++++++++-------
 4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 938ff0e3a..d57e0314b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [unreleased]
 
+## [6.0.10] - 2023-08-16
+
+- Fixed an encoding/decoding issue for certain access token payloads
+
 ## [6.0.9] - 2023-08-14
 
 - Now using decimal notation to add numbers into the access token payload (instead of scientific notation)
diff --git a/build.gradle b/build.gradle
index f2a6c9278..05da3a503 100644
--- a/build.gradle
+++ b/build.gradle
@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 // }
 //}
-version = "6.0.9"
+version = "6.0.10"
 repositories {
diff --git a/src/main/java/io/supertokens/utils/Utils.java b/src/main/java/io/supertokens/utils/Utils.java
index 1a0232180..37b5a9e98 100644
--- a/src/main/java/io/supertokens/utils/Utils.java
+++ b/src/main/java/io/supertokens/utils/Utils.java
@@ -77,8 +77,9 @@ public static String convertToBase64(String str) {
 return new String(Base64.getEncoder().encode(stringToBytes(str)), StandardCharsets.UTF_8);
 }
 
+ // This function deserializes both B64 and B64URL encodings
 public static String convertFromBase64(String str) {
- return new String(Base64.getDecoder().decode(stringToBytes(str)), StandardCharsets.UTF_8);
+ return new String(Base64.getDecoder().decode(stringToBytes(str.replace("-", "+").replace("_", "/"))), StandardCharsets.UTF_8);
 }
 
 public static String throwableStacktraceToString(Throwable e) {
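Review bot: The character replacement in `convertFromBase64` makes the decoder accept inputs that mix the standard and URL-safe alphabets (for example `+` and `_` in the same string), which no encoder emits, so two distinct encoded strings now decode to the same bytes; if any caller compares or keys on the encoded form rather than the decoded bytes, that leniency matters and the decoder should instead be chosen by alphabet: `Base64.Decoder decoder = (str.indexOf('-') >= 0 || str.indexOf('_') >= 0) ? Base64.getUrlDecoder() : Base64.getDecoder();` followed by `return new String(decoder.decode(stringToBytes(str)), StandardCharsets.UTF_8);`. Whether that stricter form is needed depends on call sites outside this hunk, so it is a question for the author rather than a definite defect. Either way the added `//` line would serve better as Javadoc stating that both alphabets are accepted, that `java.util.Base64` decoders treat trailing `=` padding as optional, and that malformed input surfaces as an `IllegalArgumentException` thrown by `Base64.Decoder.decode`. The CHANGELOG and build.gradle hunks on this line are a release note and version bump and need no review.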
diff --git a/src/test/java/io/supertokens/test/session/AccessTokenTest.java b/src/test/java/io/supertokens/test/session/AccessTokenTest.java
index a15aa20ca..dc2c3ce34 100644
--- a/src/test/java/io/supertokens/test/session/AccessTokenTest.java
+++ b/src/test/java/io/supertokens/test/session/AccessTokenTest.java
@@ -257,7 +257,8 @@ public void inputOutputTest() throws Exception {
 EventAndException e = process.checkOrWaitForEvent(PROCESS_STATE.STARTED);
 assertNotNull(e);
 JsonObject jsonObj = new JsonObject();
- jsonObj.addProperty("key", "value");
+ String testValue = "asdf???123";
+ jsonObj.addProperty("key", testValue);
 
 // db key
 long expiryTime = System.currentTimeMillis() + 1000;
@@ -269,7 +270,7 @@ public void inputOutputTest() throws Exception {
 assertEquals("userId", info.userId);
 assertEquals("refreshTokenHash1", info.refreshTokenHash1);
 assertEquals("parentRefreshTokenHash1", info.parentRefreshTokenHash1);
- assertEquals("value", info.userData.get("key").getAsString());
+ assertEquals(testValue, info.userData.get("key").getAsString());
 assertEquals("antiCsrfToken", info.antiCsrfToken);
 assertEquals(expiryTime / 1000 * 1000, info.expiryTime);
 
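Review bot: `String testValue = "asdf???123";` exercises only the `_`→`/` half of the fix: a `?` byte (0x3F) landing in the third position of a base64 triple encodes as `/`, whereas the only ASCII bytes that encode as `+` in that position are `>` (0x3E) and `~` (0x7E), neither of which appears in the value, so the `-`→`+` replacement in `convertFromBase64` is not covered (assuming the payload reaches the encoder as UTF-8 JSON text). A run such as `~~~` in the value, e.g. `String testValue = "asdf???~~~123";`, would hit both alphabets, and a direct unit test of `Utils.convertFromBase64` against the output of `Base64.getEncoder()` and `Base64.getUrlEncoder()` would pin the contract independently of token signing. The same value is reused unchanged in inputOutputTestStatic, inputOutputTestV2 and inputOutputTestv1 in the hunks below. inputOutputTest begins and ends outside this hunk.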
@@ -292,19 +293,21 @@ public void inputOutputTestStatic() throws Exception {
 EventAndException e = process.checkOrWaitForEvent(PROCESS_STATE.STARTED);
 assertNotNull(e);
 JsonObject jsonObj = new JsonObject();
- jsonObj.addProperty("key", "value");
+ String testValue = "asdf???123";
+ jsonObj.addProperty("key", testValue);
 
 // db key
 long expiryTime = System.currentTimeMillis() + 1000;
 TokenInfo newToken = AccessToken.createNewAccessToken(process.getProcess(), "sessionHandle", "userId", "refreshTokenHash1", "parentRefreshTokenHash1", jsonObj, "antiCsrfToken", expiryTime, AccessToken.getLatestVersion(), true);
+ System.out.println(newToken.token);
 AccessTokenInfo info = AccessToken.getInfoFromAccessToken(process.getProcess(), newToken.token, true);
 assertEquals("sessionHandle", info.sessionHandle);
 assertEquals("userId", info.userId);
 assertEquals("refreshTokenHash1", info.refreshTokenHash1);
 assertEquals("parentRefreshTokenHash1", info.parentRefreshTokenHash1);
- assertEquals("value", info.userData.get("key").getAsString());
+ assertEquals(testValue, info.userData.get("key").getAsString());
 assertEquals("antiCsrfToken", info.antiCsrfToken);
 assertEquals(expiryTime / 1000 * 1000, info.expiryTime);
 
@@ -326,7 +329,8 @@ public void inputOutputTestV2() throws Exception {
 EventAndException e = process.checkOrWaitForEvent(PROCESS_STATE.STARTED);
 assertNotNull(e);
 JsonObject jsonObj = new JsonObject();
- jsonObj.addProperty("key", "value");
+ String testValue = "asdf???123";
+ jsonObj.addProperty("key", testValue);
 
 // db key
 long expiryTime = System.currentTimeMillis() + 1000;
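Review bot: `System.out.println(newToken.token);` added in inputOutputTestStatic looks like a debugging leftover: it asserts nothing and writes a complete signed access token to the test output on every run. It should be removed before merge; if the encoded token is useful when the round trip fails, attach it to the failure instead, e.g. `assertEquals("round trip of " + newToken.token, testValue, info.userData.get("key").getAsString());`, so it only surfaces on a failing run. inputOutputTestStatic begins outside this hunk.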
@@ -338,7 +342,7 @@ public void inputOutputTestV2() throws Exception {
 assertEquals("userId", info.userId);
 assertEquals("refreshTokenHash1", info.refreshTokenHash1);
 assertEquals("parentRefreshTokenHash1", info.parentRefreshTokenHash1);
- assertEquals("value", info.userData.get("key").getAsString());
+ assertEquals(testValue, info.userData.get("key").getAsString());
 assertEquals("antiCsrfToken", info.antiCsrfToken);
 assertEquals(expiryTime, info.expiryTime);
 
@@ -360,7 +364,8 @@ public void inputOutputTestv1() throws InterruptedException, InvalidKeyException
 EventAndException e = process.checkOrWaitForEvent(PROCESS_STATE.STARTED);
 assertNotNull(e);
 JsonObject jsonObj = new JsonObject();
- jsonObj.addProperty("key", "value");
+ String testValue = "asdf???123";
+ jsonObj.addProperty("key", testValue);
 
 // db key
 TokenInfo newToken = AccessToken.createNewAccessTokenV1(process.getProcess(), "sessionHandle", "userId",
@@ -370,7 +375,7 @@ public void inputOutputTestv1() throws InterruptedException, InvalidKeyException
 assertEquals("userId", info.userId);
 assertEquals("refreshTokenHash1", info.refreshTokenHash1);
 assertEquals("parentRefreshTokenHash1", info.parentRefreshTokenHash1);
- assertEquals("value", info.userData.get("key").getAsString());
+ assertEquals(testValue, info.userData.get("key").getAsString());
 assertEquals("antiCsrfToken", info.antiCsrfToken);
 
 JsonObject payload = (JsonObject) new JsonParser()