fix: Fix jwt refresh errors when using jwts in cookies RELEASE (#535)

* update ts-node to tsx to support all node versions
add refresh route to es6 example
fix missing cookies in refresh response
fix session jwt empty causes error
add tests

* update deps

Author: Bars92

examples/es6/package-lock.json

@@ -10,7 +10,7 @@
   },
   "scripts": {
     "build": "rollup -c",
-    "start": "ts-node --esm src/index.ts",
+    "start": "npx tsx src/index.ts",
     "generateCerts": "test -f ./server.key && test -f ./server.crt || openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj '/C=US/ST=California/L=San Francisco/O=Descope/CN=localhost' -keyout ./server.key -out ./server.crt"
   },
   "author": "descope",
@@ -31,6 +31,6 @@
     "@types/express": "^4.17.13",
     "dotenv": "^16.4.5",
     "rollup-plugin-delete": "^2.0.0",
-    "ts-node": "^10.8.2"
+    "tsx": "^4.20.3"
   }
 }

examples/es6/package.json

@@ -337,10 +337,24 @@ app.post('/api/private', authMiddleware, (_unused: Request, res: Response) => {
   res.sendStatus(200);
 });
 
+app.post('/refresh', authMiddleware, async (req: Request, res: Response) => {
+  try {
+    const cookies = parseCookies(req);
+    const out = await clientAuth.auth.refreshSession(cookies[DescopeClient.RefreshTokenCookieName]);
+    if (out?.cookies) {
+      res.set('Set-Cookie', out.cookies);
+    }
+    res.status(200).send(out);
+  } catch (error) {
+    console.log(error);
+    res.sendStatus(401);
+  }
+});
+
 app.post('/logout', authMiddleware, async (req: Request, res: Response) => {
   try {
     const cookies = parseCookies(req);
-    const out = await clientAuth.auth.logout(cookies.DS);
+    const out = await clientAuth.auth.logout(cookies[DescopeClient.SessionTokenCookieName]);
     returnCookies(res, out);
   } catch (error) {
     console.log(error);

examples/es6/src/index.ts

@@ -3,6 +3,7 @@ import DescopeClient, { SdkResponse } from '@descope/node-sdk';
 import { config } from 'dotenv';
 import { writeFileSync, readFileSync } from 'fs';
 import { Command } from 'commander';
+import { UserResponse } from '@descope/core-js-sdk';
 
 config();
 

examples/managementCli/package-lock.json

@@ -20,7 +20,7 @@ const generateCookie = (name: string, value: string, options?: Record<string, st
  * @param name the name of the cookie to get value for
  * @returns the value of the given cookie
  */
-const getCookieValue = (cookie: string | null | undefined, name: string) => {
+export const getCookieValue = (cookie: string | null | undefined, name: string) => {
   const match = cookie?.match(RegExp(`(?:^|;\\s*)${name}=([^;]*)`));
   return match ? match[1] : null;
 };

examples/managementCli/src/index.ts

@@ -7,6 +7,7 @@ import {
   authorizedTenantsClaimName,
   permissionsClaimName,
   rolesClaimName,
+  sessionTokenCookieName,
 } from './constants';
 
 let validToken: string;
@@ -195,6 +196,36 @@ describe('sdk', () => {
       const res = await sdk.refreshSession(validToken);
       expect(res.jwt).toBe(validToken);
       expect(res.refreshJwt).toBe('refresh-jwt');
+      expect(res.cookies).toStrictEqual([]);
+      expect(spyRefresh).toHaveBeenCalledWith(validToken);
+    });
+    it('should return only cookies when refresh call returns it', async () => {
+      const expectedCookies = [
+        `${sessionTokenCookieName}=${validToken}; Domain=; Max-Age=; Path=/; HttpOnly; SameSite=Strict`,
+        `${refreshTokenCookieName}=${validToken}; Domain=; Max-Age=; Path=/; HttpOnly; SameSite=Strict`,
+      ];
+      const spyRefresh = jest.spyOn(sdk, 'refresh').mockResolvedValueOnce({
+        ok: true,
+        data: { sessionJwt: '', refreshJwt: null, cookies: expectedCookies },
+      } as unknown as SdkResponse<JWTResponse>);
+
+      const res = await sdk.refreshSession(validToken);
+      expect(res.jwt).toBe(validToken);
+      expect(res.cookies).toBe(expectedCookies);
+      expect(spyRefresh).toHaveBeenCalledWith(validToken);
+    });
+    it('should return refrehs in cookie when refresh call returns it', async () => {
+      const expectedCookies = [
+        `${refreshTokenCookieName}=${validToken}; Domain=; Max-Age=; Path=/; HttpOnly; SameSite=Strict`,
+      ];
+      const spyRefresh = jest.spyOn(sdk, 'refresh').mockResolvedValueOnce({
+        ok: true,
+        data: { sessionJwt: validToken, refreshJwt: null, cookies: expectedCookies },
+      } as unknown as SdkResponse<JWTResponse>);
+
+      const res = await sdk.refreshSession(validToken);
+      expect(res.jwt).toBe(validToken);
+      expect(res.cookies).toBe(expectedCookies);
       expect(spyRefresh).toHaveBeenCalledWith(validToken);
     });
     it('should fail when refresh returns an error', async () => {

lib/helpers.ts

@@ -2,6 +2,7 @@ import createSdk, {
   AccessKeyLoginOptions,
   ExchangeAccessKeyResponse,
   SdkResponse,
+  JWTResponse as CoreJWTResponse,
   wrapWith,
 } from '@descope/core-js-sdk';
 import { JWK, JWTHeaderParameters, KeyLike, errors, importJWK, jwtVerify } from 'jose';
@@ -12,13 +13,23 @@ import {
   sessionTokenCookieName,
 } from './constants';
 import fetch from './fetch-polyfill';
-import { getAuthorizationClaimItems, isUserAssociatedWithTenant, withCookie } from './helpers';
+import {
+  getAuthorizationClaimItems,
+  getCookieValue,
+  isUserAssociatedWithTenant,
+  withCookie,
+} from './helpers';
 import withManagement from './management';
 import { AuthenticationInfo, RefreshAuthenticationInfo } from './types';
 import descopeErrors from './errors';
 
 declare const BUILD_VERSION: string;
 
+// Extend the type wrapped by withCookie
+type JWTResponseWithCookies = CoreJWTResponse & {
+  cookies: string[];
+};
+
 /** Configuration arguments which include the Descope core SDK args and an optional management key */
 type NodeSdkArgs = Parameters<typeof createSdk>[0] & {
   managementKey?: string;
@@ -155,8 +166,16 @@ const nodeSdk = ({ managementKey, publicKey, ...config }: NodeSdkArgs) => {
         await sdk.validateJwt(refreshToken);
         const jwtResp = await sdk.refresh(refreshToken);
         if (jwtResp.ok) {
-          const token = await sdk.validateJwt(jwtResp.data?.sessionJwt);
-          if (jwtResp.data.refreshJwt) {
+          // if refresh was successful, validate the new session JWT
+          const seesionJwt =
+            getCookieValue(
+              (jwtResp.data as JWTResponseWithCookies)?.cookies?.join(';'),
+              sessionTokenCookieName,
+            ) || jwtResp.data?.sessionJwt;
+          const token = await sdk.validateJwt(seesionJwt);
+          // add cookies to the token response if they exist
+          token.cookies = (jwtResp.data as JWTResponseWithCookies)?.cookies || [];
+          if (jwtResp.data?.refreshJwt) {
             // if refresh returned a refresh JWT, add it to the response
             (token as RefreshAuthenticationInfo).refreshJwt = jwtResp.data.refreshJwt;
           }