Merge pull request #1 from thomasconner/fix/refresh-token-optional

thomasconner · web-flow · commit d8a35f0506de · 2024-06-17T11:16:31.000-04:00
fix: don't refresh access token if autoRefreshToken is disabled
diff --git a/src/GoTrueClient.ts b/src/GoTrueClient.ts
@@ -1111,7 +1111,16 @@ export default class GoTrueClient {
         return { data: { session: currentSession }, error: null }
       }
 
+      if (!currentSession.refresh_token) {
+        this._debug(
+          '#__loadSession()',
+          'session has no refresh token to refresh session'
+        )
+        return { data: { session: null }, error: null };
+      }
+
       const { session, error } = await this._callRefreshToken(currentSession.refresh_token)
+
       if (error) {
         return { data: { session: null }, error }
       }
@@ -1258,13 +1267,14 @@ export default class GoTrueClient {
   }
 
   /**
-   * Sets the session data from the current session. If the current session is expired, setSession will take care of refreshing it to obtain a new session.
+   * Sets the session data from the current session. If the current session is expired,
+   * setSession will take care of refreshing it to obtain a new session when a refresh token is provided and autoRefreshToken is not disabled.
    * If the refresh token or access token in the current session is invalid, an error will be thrown.
-   * @param currentSession The current session that minimally contains an access token and refresh token.
+   * @param currentSession The current session that minimally contains an access token.
    */
   async setSession(currentSession: {
     access_token: string
-    refresh_token: string
+    refresh_token?: string
   }): Promise<AuthResponse> {
     await this.initializePromise
 
@@ -1275,10 +1285,10 @@ export default class GoTrueClient {
 
   protected async _setSession(currentSession: {
     access_token: string
-    refresh_token: string
+    refresh_token?: string
   }): Promise<AuthResponse> {
     try {
-      if (!currentSession.access_token || !currentSession.refresh_token) {
+      if (!currentSession.access_token) {
         throw new AuthSessionMissingError()
       }
 
@@ -1293,6 +1303,10 @@ export default class GoTrueClient {
       }
 
       if (hasExpired) {
+        if (!this.autoRefreshToken || !currentSession.refresh_token) {
+          return { data: { user: null, session: null }, error: null }
+        }
+
         const { session: refreshedSession, error } = await this._callRefreshToken(
           currentSession.refresh_token
         )
@@ -1303,12 +1317,15 @@ export default class GoTrueClient {
         if (!refreshedSession) {
           return { data: { user: null, session: null }, error: null }
         }
+
         session = refreshedSession
       } else {
         const { data, error } = await this._getUser(currentSession.access_token)
+
         if (error) {
           throw error
         }
+
         session = {
           access_token: currentSession.access_token,
           refresh_token: currentSession.refresh_token,
@@ -1337,11 +1354,11 @@ export default class GoTrueClient {
    * If the current session's refresh token is invalid, an error will be thrown.
    * @param currentSession The current session. If passed in, it must contain a refresh token.
    */
-  async refreshSession(currentSession?: { refresh_token: string }): Promise<AuthResponse> {
+  async refreshSession(session?: { refresh_token: string }): Promise<AuthResponse> {
     await this.initializePromise
 
     return await this._acquireLock(-1, async () => {
-      return await this._refreshSession(currentSession)
+      return await this._refreshSession(session)
     })
   }
 
@@ -1350,20 +1367,22 @@ export default class GoTrueClient {
   }): Promise<AuthResponse> {
     try {
       return await this._useSession(async (result) => {
-        if (!currentSession) {
+        let oldSession: Pick<Session, 'refresh_token'> | null = currentSession ? { ...currentSession } : null;
+
+        if (!oldSession) {
           const { data, error } = result
           if (error) {
             throw error
           }
 
-          currentSession = data.session ?? undefined
+          oldSession = data.session;
         }
 
-        if (!currentSession?.refresh_token) {
+        if (!oldSession?.refresh_token) {
           throw new AuthSessionMissingError()
         }
 
-        const { session, error } = await this._callRefreshToken(currentSession.refresh_token)
+        const { session, error } = await this._callRefreshToken(oldSession.refresh_token)
         if (error) {
           return { data: { user: null, session: null }, error: error }
         }
@@ -1822,7 +1841,6 @@ export default class GoTrueClient {
       typeof maybeSession === 'object' &&
       maybeSession !== null &&
       'access_token' in maybeSession &&
-      'refresh_token' in maybeSession &&
       'expires_at' in maybeSession
 
     return isValidSession
diff --git a/src/lib/types.ts b/src/lib/types.ts
@@ -241,7 +241,7 @@ export interface Session {
   /**
    * A one-time used refresh token that never expires.
    */
-  refresh_token: string
+  refresh_token?: string
   /**
    * The number of seconds until the token expires (since it was issued). Returned when a login is confirmed.
    */
diff --git a/test/GoTrueClient.test.ts b/test/GoTrueClient.test.ts
@@ -139,6 +139,50 @@ describe('GoTrueClient', () => {
       expect(user?.user_metadata).toMatchObject({ hello: 'world' })
     })
 
+    test('setSession should return no error without a passed-in refresh token', async () => {
+      const { email, password } = mockUserCredentials()
+
+      const { error, data } = await authWithSession.signUp({
+        email,
+        password,
+      })
+      expect(error).toBeNull()
+      expect(data.session).not.toBeNull()
+
+      const {
+        data: { session },
+        error: setSessionError,
+      } = await authWithSession.setSession({
+        // @ts-expect-error 'data.session should not be null because of the assertion above'
+        access_token: data.session.access_token
+      })
+      expect(setSessionError).toBeNull()
+      expect(session).not.toBeNull()
+      expect(session!.user).not.toBeNull()
+      expect(session!.expires_in).not.toBeNull()
+      expect(session!.expires_at).not.toBeNull()
+      expect(session!.access_token).not.toBeNull()
+      expect(session!.refresh_token).not.toBeNull()
+      expect(session!.token_type).toStrictEqual('bearer')
+
+      /**
+       * getSession has been added to verify setSession is also saving
+       * the session, not just returning it.
+       */
+      const { data: getSessionData, error: getSessionError } = await authWithSession.getSession()
+      expect(getSessionError).toBeNull()
+      expect(getSessionData).not.toBeNull()
+
+      const {
+        data: { user },
+        error: updateError,
+      } = await authWithSession.updateUser({ data: { hello: 'world' } })
+
+      expect(updateError).toBeNull()
+      expect(user).not.toBeNull()
+      expect(user?.user_metadata).toMatchObject({ hello: 'world' })
+    })
+
     test('getSession() should return the currentUser session', async () => {
       const { email, password } = mockUserCredentials()
 
@@ -265,7 +309,7 @@ describe('GoTrueClient', () => {
       // verify the deferred has been reset and successive calls can be made
       // @ts-expect-error 'Allow access to private _callRefreshToken()'
       const { session: session3, error: error3 } = await authWithSession._callRefreshToken(
-        data.session!.refresh_token
+        data.session!.refresh_token!
       )
 
       expect(error3).toBeNull()
@@ -307,7 +351,7 @@ describe('GoTrueClient', () => {
       // vreify the deferred has been reset and successive calls can be made
       // @ts-expect-error 'Allow access to private _callRefreshToken()'
       const { session: session3, error: error3 } = await authWithSession._callRefreshToken(
-        data.session!.refresh_token
+        data.session!.refresh_token!
       )
 
       expect(error3).toBeNull()
