fix: authts#569 if there's no session_state on the response, then tak…

…e it from initial sign-in
kyxyes · Jun 13, 2022 · 06de889 · 06de889
1 parent 74a03cc
commit 06de889
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 8 deletions.
diff --git a/docs/oidc-client-ts.api.md b/docs/oidc-client-ts.api.md
@@ -672,7 +672,7 @@ export class SigninResponse {
     // (undocumented)
     scope?: string;
     // (undocumented)
-    readonly session_state: string | null;
+    session_state: string | null;
     // (undocumented)
     readonly state: string | null;
     // (undocumented)

diff --git a/src/OidcClient.test.ts b/src/OidcClient.test.ts
@@ -345,6 +345,7 @@ describe("OidcClient", () => {
             const state = new RefreshState({
                 refresh_token: "refresh_token",
                 id_token: "id_token",
+                session_state: "session_state",
                 scope: "openid",
             });
 
@@ -356,7 +357,7 @@ describe("OidcClient", () => {
             expect(response).toMatchObject(tokenResponse);
         });
 
-        it("should preserve the scope", async () => {
+        it("should preserve the session_state and scope", async () => {
             // arrange
             const tokenResponse = {
                 access_token: "new_access_token",
@@ -368,6 +369,7 @@ describe("OidcClient", () => {
             const state = new RefreshState({
                 refresh_token: "refresh_token",
                 id_token: "id_token",
+                session_state: "session_state",
                 scope: "openid",
             });
 
@@ -381,6 +383,7 @@ describe("OidcClient", () => {
             });
             expect(response).toBeInstanceOf(SigninResponse);
             expect(response).toMatchObject(tokenResponse);
+            expect(response).toHaveProperty("session_state", state.session_state);
             expect(response).toHaveProperty("scope", state.scope);
         });
 
@@ -403,6 +406,7 @@ describe("OidcClient", () => {
             const state = new RefreshState({
                 refresh_token: "refresh_token",
                 id_token: "id_token",
+                session_state: "session_state",
                 scope: "openid",
             });
 

diff --git a/src/RefreshState.ts b/src/RefreshState.ts
@@ -11,17 +11,20 @@ export class RefreshState {
     public readonly data: unknown | undefined;
 
     public readonly refresh_token: string;
-    public readonly id_token: string;
-    public readonly scope: string;
+    public readonly id_token?: string;
+    public readonly session_state: string | null;
+    public readonly scope?: string;
 
     constructor(args: {
         refresh_token: string;
-        id_token: string;
-        scope: string;
+        id_token?: string;
+        session_state: string | null;
+        scope?: string;
         state?: unknown;
     }) {
         this.refresh_token = args.refresh_token;
         this.id_token = args.id_token;
+        this.session_state = args.session_state;
         this.scope = args.scope;
         this.data = args.state;
     }

diff --git a/src/ResponseValidator.ts b/src/ResponseValidator.ts
@@ -75,6 +75,8 @@ export class ResponseValidator {
         const logger = this._logger.create("validateRefreshResponse");
 
         response.userState = state.data;
+        // if there's no session_state on the response, copy over session_state from original request
+        response.session_state ??= state.session_state;
         // if there's no scope on the response, then assume all scopes granted (per-spec) and copy over scopes from original request
         response.scope ??= state.scope;
 

diff --git a/src/SigninResponse.ts b/src/SigninResponse.ts
@@ -13,7 +13,7 @@ export class SigninResponse {
     // props present in the initial callback response regardless of success
     public readonly state: string | null;
     /** @see {@link User.session_state} */
-    public readonly session_state: string | null;
+    public session_state: string | null;
 
     // error props
     /** @see {@link ErrorResponse.error} */

diff --git a/src/UserManager.test.ts b/src/UserManager.test.ts
@@ -454,7 +454,7 @@ describe("UserManager", () => {
             expect(refreshedUser!.profile).toHaveProperty("nickname", "Nicholas");
             expect(useRefreshTokenSpy).toBeCalledWith(
                 expect.objectContaining({
-                    state: { refresh_token: user.refresh_token },
+                    state: { refresh_token: user.refresh_token, session_state: null },
                 }),
             );
         });