fix: add cryptographic validation to getUserFromSession for security and update JSDocs

Author: Koosha-Owji

lib/__tests__/sdk/utilities/token-utils.spec.ts

@@ -117,7 +117,7 @@ describe('token-utils', () => {
         validationDetails
       );
 
-      const storedUser = await getUserFromSession(sessionManager);
+      const storedUser = await getUserFromSession(sessionManager, validationDetails);
       const expectedUser = {
         family_name: idTokenPayload.family_name,
         given_name: idTokenPayload.given_name,

lib/sdk/clients/browser/authcode-with-pkce.ts

@@ -114,7 +114,7 @@ const createAuthCodeWithPKCEClient = (options: BrowserPKCEClientOptions) => {
     if (!(await isAuthenticated())) {
       throw new Error('Cannot get user details, no authentication credential found');
     }
-    return (await utilities.getUserFromSession(sessionManager))!;
+    return (await utilities.getUserFromSession(sessionManager, client.tokenValidationDetails))!;
   };
 
   /**

lib/sdk/clients/server/authorization-code.ts

@@ -139,7 +139,7 @@ const createAuthorizationCodeClient = (
     if (!(await isAuthenticated(sessionManager))) {
       throw new Error('Cannot get user details, no authentication credential found');
     }
-    return (await utilities.getUserFromSession(sessionManager))!;
+    return (await utilities.getUserFromSession(sessionManager, client.tokenValidationDetails))!;
   };
 
   /**

lib/sdk/utilities/token-claims.ts

@@ -5,6 +5,11 @@ import { jwtDecoder } from '@kinde/jwt-decoder';
 /**
  * Method extracts the provided claim from the provided token type in the
  * current session.
+ * 
+ * Security Model: This function assumes tokens have been cryptographically
+ * validated during session commit via commitTokensToSession. It performs
+ * decoding only on pre-validated tokens without re-validation by design.
+ * 
  * @param {SessionManager} sessionManager
  * @param {string} claim
  * @param {ClaimTokenType} type
@@ -24,6 +29,11 @@ export const getClaimValue = async (
 /**
  * Method extracts the provided claim from the provided token type in the
  * current session, the returned object includes the provided claim.
+ * 
+ * Security Model: This function assumes tokens have been cryptographically
+ * validated during session commit via commitTokensToSession. It performs
+ * decoding only on pre-validated tokens without re-validation by design.
+ * 
  * @param {SessionManager} sessionManager
  * @param {string} claim
  * @param {ClaimTokenType} type
@@ -44,6 +54,11 @@ export const getClaim = async (
  * Method returns the organization code from the current session and returns
  * a boolean in the returned object indicating if the provided permission is
  * present in the session.
+ * 
+ * Security Model: This function assumes tokens have been cryptographically
+ * validated during session commit via commitTokensToSession. It performs
+ * decoding only on pre-validated tokens without re-validation by design.
+ * 
  * @param {SessionManager} sessionManager
  * @param {string} name
  * @returns {{ orgCode: string | null, isGranted: boolean }}
@@ -68,6 +83,11 @@ export const getPermission = async (
 
 /**
  * Method extracts the organization code from the current session.
+ * 
+ * Security Model: This function assumes tokens have been cryptographically
+ * validated during session commit via commitTokensToSession. It performs
+ * decoding only on pre-validated tokens without re-validation by design.
+ * 
  * @param {SessionManager} sessionManager
  * @returns {{ orgCode: string | null }}
  */
@@ -82,6 +102,11 @@ export const getOrganization = async (
 /**
  * Method extracts all the permission and the organization code in the access
  * token in the current session.
+ * 
+ * Security Model: This function assumes tokens have been cryptographically
+ * validated during session commit via commitTokensToSession. It performs
+ * decoding only on pre-validated tokens without re-validation by design.
+ * 
  * @param {SessionManager} sessionManager
  * @returns {{ permissions: string[], orgCode: string | null }}
  */
@@ -105,6 +130,11 @@ export const getPermissions = async (
 /**
  * Method extracts all organization codes from the id token in the current
  * session.
+ * 
+ * Security Model: This function assumes tokens have been cryptographically
+ * validated during session commit via commitTokensToSession. It performs
+ * decoding only on pre-validated tokens without re-validation by design.
+ * 
  * @param {SessionManager} sessionManager
  * @returns {{ orgCodes: string[] }}
  */

lib/sdk/utilities/token-utils.ts

@@ -111,12 +111,22 @@ export const getAccessToken = async (
  * Extracts the user information from the current session returns null if
  * the token is not found.
  * @param {SessionManager} sessionManager
- * @returns {string | null}
+ * @param {TokenValidationDetailsType} validationDetails
+ * @returns {UserType | null}
  */
 export const getUserFromSession = async (
-  sessionManager: SessionManager
+  sessionManager: SessionManager,
+  validationDetails: TokenValidationDetailsType
 ): Promise<UserType | null> => {
   const idTokenString = (await sessionManager.getSessionItem('id_token')) as string;
+  const validation = await validateToken({
+    token: idTokenString,
+    domain: validationDetails.issuer,
+  });
+  if (!validation.valid) {
+    throw new Error('Invalid ID token');
+  }
+
   const payload: Record<string, unknown> = jwtDecoder(idTokenString) ?? {};
   if (Object.keys(payload).length === 0) {
     throw new Error('Invalid ID token');