chore(deps): update dependency supertokens-node to v14 - autoclosed #8267

Closed
wants to merge 1 commit into from


renovate[bot]
Contributor

@renovate renovate bot commented May 9, 2023

This PR contains the following updates:

Package            Change
supertokens-node   13.6.0 -> 14.1.3

Release Notes

supertokens/supertokens-node (supertokens-node)

v14.1.3

Compare Source

Changes
  • Updated/replaced dependencies & refactored to be compatible with vercel edge runtimes.
Fixes
  • Now properly ignoring missing anti-csrf tokens in optional session validation

v14.1.2

Compare Source

Fixes
  • Fixed email templates to fix an issue with styling on some email clients
Changes
  • Minor internal refactors & additional tests
  • Now assuming latest token version if the claim is missing from the header
  • Make verifySession send the appropriate response instead of throwing (and sending 500) if session validation fails in koa, hapi and loopback (already happening in other frameworks).

v14.1.1

Compare Source

Added
  • Adds additional debug logs whenever the SDK throws a TRY_REFRESH_TOKEN or UNAUTHORISED error to make debugging easier

v14.1.0

Compare Source

Changes
  • Added a new getRequestFromUserContext function that can be used to read the original network request from the user context in overridden APIs and recipe functions

v14.0.2

Compare Source

Changes
  • Made the access token string optional in the overrideable getSession function
  • Moved checking if the access token is defined into the overrideable getSession function

v14.0.1

Compare Source

  • Fixes an issue where API key based login with dashboard would return invalid API key even if the entered API key was valid

v14.0.0

Compare Source

Breaking Changes
  • Added support for CDI version 2.21
  • Dropped support for CDI version 2.8-2.20
  • Changed the interface and configuration of the Session recipe, see below for details. If you do not use the Session recipe directly and do not provide custom configuration, then no migration is necessary.
  • getAccessTokenPayload will now return standard (sub, iat, exp) claims and some SuperTokens-specific claims along with the user-defined ones in getAccessTokenPayload.
  • Some claim names are now prohibited in the root level of the access token payload
    • They are: sub, iat, exp, sessionHandle, parentRefreshTokenHash1, refreshTokenHash1, antiCsrfToken
    • If you used these in the root level of the access token payload, then you'll need to migrate your sessions or they will be logged out during the next refresh
    • These props should be renamed (e.g., by adding a prefix) or moved inside an object in the access token payload
    • You can migrate these sessions by updating their payload to match your new structure, by calling mergeIntoAccessTokenPayload
  • New access tokens are valid JWTs now
    • They can be used directly (i.e.: by calling getAccessToken on the session) if you need a JWT
    • The jwt prop in the access token payload is removed
  • Changed the Session recipe interface - createNewSession, getSession and refreshSession overrides now do not take response and request and return status instead of throwing
  • Renamed accessTokenPayload to customClaimsInAccessTokenPayload in SessionInformation (the return value of getSessionInformation). This reflects the fact that it doesn't contain some default claims (sub, iat, etc.)
Configuration changes
  • Added useDynamicAccessTokenSigningKey (defaults to true) option to the Session recipe config
  • Added exposeAccessTokenToFrontendInCookieBasedAuth (defaults to false) option to the Session recipe config
  • JWT and OpenId related configuration has been removed from the Session recipe config. If necessary, they can be added by initializing the OpenId recipe before the Session recipe.
Interface changes
  • Renamed getSessionData to getSessionDataFromDatabase to clarify that it always hits the DB
  • Renamed updateSessionData to updateSessionDataInDatabase
  • Renamed sessionData to sessionDataInDatabase in SessionInformation and the input to createNewSession
  • Added new checkDatabase param to verifySession and getSession
  • Removed status from getJWKS output (function & API)
  • Added new optional useStaticSigningKey param to createJWT
  • Removed deprecated updateAccessTokenPayload and regenerateAccessToken from the Session recipe interface
  • Removed getAccessTokenLifeTimeMS and getRefreshTokenLifeTimeMS functions

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
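
An added example, not part of the Renovate comment or of supertokens-node: a pre-upgrade check for the root-level claim names the v14.0.0 notes prohibit, plus a rename step that produces the new payload structure. The `app_` prefix, the function names and the sample payload are assumptions.

```javascript
// Added example: not supertokens-node code. The names below are the root-level
// claim names the v14.0.0 notes list as prohibited.
const RESERVED_ROOT_CLAIMS = [
  "sub", "iat", "exp", "sessionHandle",
  "parentRefreshTokenHash1", "refreshTokenHash1", "antiCsrfToken",
];

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Reserved names used at the root level of a custom payload (nested use is allowed).
function findReservedClaims(payload) {
  return RESERVED_ROOT_CLAIMS.filter((name) => hasOwn(payload, name));
}

// Returns a copy of the payload with each reserved root claim renamed to
// prefix + name. The "app_" prefix is an assumption; pick your own.
function migratePayload(payload, prefix = "app_") {
  const migrated = {};
  for (const [key, value] of Object.entries(payload)) {
    if (!RESERVED_ROOT_CLAIMS.includes(key)) {
      migrated[key] = value;
      continue;
    }
    const renamed = prefix + key;
    // Refuse to overwrite an existing claim or to produce another reserved name.
    if (hasOwn(payload, renamed) || RESERVED_ROOT_CLAIMS.includes(renamed)) {
      throw new Error(`cannot rename "${key}" to "${renamed}"`);
    }
    migrated[renamed] = value;
  }
  return migrated;
}

// Constructed sample: a pre-v14 custom payload that used reserved names at the root.
const legacyPayload = {
  sub: "legacy-user-42",
  exp: 1700000000,
  role: "admin",
  profile: { sub: "nested-is-fine" },
};

console.log(findReservedClaims(legacyPayload));
console.log(migratePayload(legacyPayload));
```

Running `findReservedClaims` over every custom payload your app writes before upgrading shows which sessions the notes say would be logged out at the next refresh.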

@renovate renovate bot added the release:chore This PR is a chore (means nothing for users) label May 9, 2023
@renovate renovate bot assigned jtoar May 9, 2023
@replay-io
replay-io bot commented May 9, 2023

3 replays were recorded for e4199ec.

0 Failed
3 Passed
  • useAuth hook, auth redirects checks
      locator.waitFor: Target closed
      =========================== logs ===========================
      waiting for locator('text=Username `testuser@bazinga.com` already in use') to be visible
      ============================================================
  • RBAC: Admin user should be able to delete contacts
      locator.waitFor: Target closed
      =========================== logs ===========================
      waiting for locator('text=Username `admin@bazinga.com` already in use') to be visible
      ============================================================
  • RBAC: Should not be able to delete contact as non-admin user
      locator.waitFor: Target closed
      =========================== logs ===========================
      waiting for locator('text=Username `testuser@bazinga.com` already in use') to be visible
      ============================================================

View test run on Replay ↗︎

@jtoar jtoar added release:breaking This PR is a breaking change and removed release:chore This PR is a chore (means nothing for users) labels May 9, 2023
@jtoar
Contributor

jtoar commented May 9, 2023

Not sure if this is actually breaking yet but don't want renovate to merge it automatically.

@renovate renovate bot force-pushed the renovate/supertokens-node-14.x branch 24 times, most recently from dfb8f85 to 7c4d370 Compare May 12, 2023 07:22
@renovate renovate bot force-pushed the renovate/supertokens-node-14.x branch 25 times, most recently from 33d2db4 to 173e845 Compare July 8, 2023 01:15
@renovate renovate bot force-pushed the renovate/supertokens-node-14.x branch from 173e845 to c619c1c Compare July 8, 2023 03:18
@renovate renovate bot changed the title chore(deps): update dependency supertokens-node to v14 chore(deps): update dependency supertokens-node to v14 - autoclosed Jul 21, 2023
@renovate renovate bot closed this Jul 21, 2023
@renovate renovate bot deleted the renovate/supertokens-node-14.x branch July 21, 2023 18:32