chore: switch api to cookie based sessions - skip e2e (#2854)

* chore: switch api to cookie based sessions - skip e2e

* chore: fix legacy http service to include api version in requests - skip e2e
Karol Sójko
2024-03-05 09:25:53 +01:00
committed by GitHub
parent f3f5c63185
commit 1d0e8cfc7f
7 changed files with 42 additions and 13 deletions


@@ -81,7 +81,7 @@ import { Strings } from '@Lib/Strings'
import { AnyFeatureDescription } from '@standardnotes/features'
/** Legacy api version field to be specified in params when calling v0 APIs. */
const V0_API_VERSION = '20200115'
const V0_API_VERSION = '20240226'
type InvalidSessionObserver = (revoked: boolean) => void


@@ -96,8 +96,15 @@ describe('server session', function () {
// After the above sync request is completed, we obtain the session information.
const sessionAfterSync = application.legacyApi.getSession()
expect(sessionBeforeSync.accessToken.value).to.not.equal(sessionAfterSync.accessToken.value)
expect(sessionBeforeSync.refreshToken.value).to.not.equal(sessionAfterSync.refreshToken.value)
/**
* Access token and refresh token values in the new API version (20240226) represent the session uuid.
* So they should stay the same as they were since we are operating on the same session.
*
* The actual token values are stored in cookies indexed by the session uuid and are not accessible to the client.
*/
expect(sessionBeforeSync.accessToken.value).to.equal(sessionAfterSync.accessToken.value)
expect(sessionBeforeSync.refreshToken.value).to.equal(sessionAfterSync.refreshToken.value)
expect(sessionBeforeSync.accessToken.expiresAt).to.be.lessThan(sessionAfterSync.accessToken.expiresAt)
// New token should expire in the future.
expect(sessionAfterSync.accessToken.expiresAt).to.be.greaterThan(Date.now())
@@ -397,8 +404,8 @@ describe('server session', function () {
const refreshSessionResponse = await application.legacyApi.refreshSession()
expect(refreshSessionResponse.status).to.equal(400)
expect(refreshSessionResponse.data.error.tag).to.equal('expired-refresh-token')
expect(refreshSessionResponse.data.error.message).to.equal('The refresh token has expired.')
expect(refreshSessionResponse.data.error.tag).to.equal('invalid-parameters')
expect(refreshSessionResponse.data.error.message).to.equal('The provided parameters are not valid.')
/*
The access token and refresh token should be expired up to this point.
@@ -411,7 +418,11 @@ describe('server session', function () {
expect(syncResponse.data.error.message).to.equal('Invalid login credentials.')
}).timeout(Factory.TwentySecondTimeout)
it('should fail when renewing a session with an invalid refresh token', async function () {
/**
* This test is skipped due to the fact that tokens reside now in cookies and are not accessible to the client.
* Thus it is not possible to tamper with the refresh token.
*/
it.skip('should fail when renewing a session with an invalid refresh token', async function () {
await Factory.registerUserToApplication({
application: application,
email: email,