fix: session creation - checking tenant for user

CHANGELOG.md

@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres
 to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [9.2.4] 
+
+- Adds support for CDI 5.2
+- In CDI 5.2, when creating a new session for a known user, checks if the user is a member of that tenant.
+  If not, returns UNAUTHORISED.
+
 ## [9.2.3] - 2024-10-09
 
 - Adds support for `--with-temp-dir` in CLI and `tempDirLocation=` in Core

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "9.2.3"
+version = "9.2.4"
 
 
 repositories {

coreDriverInterfaceSupported.json

@@ -20,6 +20,7 @@
     "3.1",
     "4.0",
     "5.0",
-    "5.1"
+    "5.1",
+    "5.2"
   ]
 }

src/main/java/io/supertokens/session/Session.java

@@ -19,6 +19,7 @@
 import com.google.gson.JsonObject;
 import io.supertokens.Main;
 import io.supertokens.ProcessState;
+import io.supertokens.authRecipe.AuthRecipe;
 import io.supertokens.config.Config;
 import io.supertokens.config.CoreConfig;
 import io.supertokens.exceptions.AccessTokenPayloadError;
@@ -53,6 +54,7 @@
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.useridmapping.UserIdMapping;
 import io.supertokens.useridmapping.UserIdType;
+import io.supertokens.utils.SemVer;
 import io.supertokens.utils.Utils;
 import org.jetbrains.annotations.TestOnly;
 
@@ -82,7 +84,7 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
             JWT.JWTException, UnsupportedJWTSigningAlgorithmException, AccessTokenPayloadError {
         try {
             return createNewSession(tenantIdentifier, storage, main, recipeUserId, userDataInJWT, userDataInDatabase,
-                    false, AccessToken.getLatestVersion(), false);
+                    false, AccessToken.getLatestVersion(), false, null);
         } catch (TenantOrAppNotFoundException e) {
             throw new IllegalStateException(e);
         }
@@ -101,8 +103,9 @@ public static SessionInformationHolder createNewSession(Main main,
         try {
             return createNewSession(
                     new TenantIdentifier(null, null, null), storage, main,
-                    recipeUserId, userDataInJWT, userDataInDatabase, false, AccessToken.getLatestVersion(), false);
-        } catch (TenantOrAppNotFoundException e) {
+                    recipeUserId, userDataInJWT, userDataInDatabase, false,
+                    AccessToken.getLatestVersion(), false, null);
+        } catch (TenantOrAppNotFoundException | UnauthorisedException e) {
             throw new IllegalStateException(e);
         }
     }
@@ -121,8 +124,8 @@ public static SessionInformationHolder createNewSession(Main main, @Nonnull Stri
         try {
             return createNewSession(
                     new TenantIdentifier(null, null, null), storage, main,
-                    recipeUserId, userDataInJWT, userDataInDatabase, enableAntiCsrf, version, useStaticKey);
-        } catch (TenantOrAppNotFoundException e) {
+                    recipeUserId, userDataInJWT, userDataInDatabase, enableAntiCsrf, version, useStaticKey, null);
+        } catch (TenantOrAppNotFoundException | UnauthorisedException e) {
             throw new IllegalStateException(e);
         }
     }
@@ -132,11 +135,11 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
                                                             @Nonnull JsonObject userDataInJWT,
                                                             @Nonnull JsonObject userDataInDatabase,
                                                             boolean enableAntiCsrf, AccessToken.VERSION version,
-                                                            boolean useStaticKey)
+                                                            boolean useStaticKey, SemVer semVer)
             throws NoSuchAlgorithmException, StorageQueryException, InvalidKeyException,
             InvalidKeySpecException, StorageTransactionLogicException, SignatureException, IllegalBlockSizeException,
             BadPaddingException, InvalidAlgorithmParameterException, NoSuchPaddingException, AccessTokenPayloadError,
-            UnsupportedJWTSigningAlgorithmException, TenantOrAppNotFoundException {
+            UnsupportedJWTSigningAlgorithmException, TenantOrAppNotFoundException, UnauthorisedException {
         String sessionHandle = UUID.randomUUID().toString();
         if (!tenantIdentifier.getTenantId().equals(TenantIdentifier.DEFAULT_TENANT_ID)) {
             sessionHandle += "_" + tenantIdentifier.getTenantId();
@@ -151,6 +154,7 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
                 recipeUserId = userIdMapping.superTokensUserId;
             }
 
+
             primaryUserId = StorageUtils.getAuthRecipeStorage(storage)
                     .getPrimaryUserIdStrForUserId(tenantIdentifier.toAppIdentifier(), recipeUserId);
             if (primaryUserId == null) {
@@ -166,6 +170,16 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
             if (userIdMappings.containsKey(recipeUserId)) {
                 recipeUserId = userIdMappings.get(recipeUserId);
             }
+
+            if(semVer!= null && semVer.greaterThanOrEqualTo(SemVer.v5_2)) {
+                AuthRecipeUserInfo authRecipeUserInfo = AuthRecipe.getUserById(tenantIdentifier.toAppIdentifier(),
+                        storage, recipeUserId);
+                if (authRecipeUserInfo != null) {
+                    if (!authRecipeUserInfo.tenantIds.contains(tenantIdentifier.getTenantId())) {
+                        throw new UnauthorisedException("User is not part of requested tenant!");
+                    }
+                }
+            }
         }
 
         String antiCsrfToken = enableAntiCsrf ? UUID.randomUUID().toString() : null;

src/main/java/io/supertokens/utils/SemVer.java

@@ -37,6 +37,7 @@ public class SemVer implements Comparable<SemVer> {
     public static final SemVer v4_0 = new SemVer("4.0");
     public static final SemVer v5_0 = new SemVer("5.0");
     public static final SemVer v5_1 = new SemVer("5.1");
+    public static final SemVer v5_2 = new SemVer("5.2");
 
     final private String version;
 

src/main/java/io/supertokens/webserver/WebserverAPI.java

@@ -29,7 +29,8 @@
 import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.emailpassword.exceptions.UnknownUserIdException;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
-import io.supertokens.pluginInterface.multitenancy.*;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.useridmapping.UserIdType;
@@ -76,10 +77,11 @@ public abstract class WebserverAPI extends HttpServlet {
         supportedVersions.add(SemVer.v4_0);
         supportedVersions.add(SemVer.v5_0);
         supportedVersions.add(SemVer.v5_1);
+        supportedVersions.add(SemVer.v5_2);
     }
 
     public static SemVer getLatestCDIVersion() {
-        return SemVer.v5_1;
+        return SemVer.v5_2;
     }
 
     public SemVer getLatestCDIVersionForRequest(HttpServletRequest req)

src/main/java/io/supertokens/webserver/api/session/SessionAPI.java

@@ -103,7 +103,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
             SessionInformationHolder sessionInfo = Session.createNewSession(
                     tenantIdentifier, storage, main, userId, userDataInJWT,
                     userDataInDatabase, enableAntiCsrf, accessTokenVersion,
-                    useStaticSigningKey);
+                    useStaticSigningKey, version);
 
             if (storage.getType() == STORAGE_TYPE.SQL) {
                 try {
@@ -143,6 +143,11 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
             super.sendJsonResponse(200, result, resp);
         } catch (AccessTokenPayloadError e) {
             throw new ServletException(new BadRequestException(e.getMessage()));
+        } catch (UnauthorisedException e) {
+                JsonObject reply = new JsonObject();
+                reply.addProperty("status", "UNAUTHORISED");
+                reply.addProperty("message", e.getMessage());
+                super.sendJsonResponse(200, reply, resp);
         } catch (NoSuchAlgorithmException | StorageQueryException | InvalidKeyException | InvalidKeySpecException |
                  StorageTransactionLogicException | SignatureException | IllegalBlockSizeException |
                  BadPaddingException | InvalidAlgorithmParameterException | NoSuchPaddingException |

src/test/java/io/supertokens/test/accountlinking/SessionTests.java

@@ -386,7 +386,7 @@ public void testSessionBehaviourWhenUserBelongsTo2TenantsAndThenLinkedToSomeOthe
 
         AuthRecipe.createPrimaryUser(process.getProcess(), t1.toAppIdentifier(), t1Storage,
                 user2.getSupertokensUserId());
-        AuthRecipe.linkAccounts(process.getProcess(), t1.toAppIdentifier(), t1Storage, user1.getSupertokensUserId(),
+        AuthRecipe.linkAccounts(process.getProcess(), t2.toAppIdentifier(), t2Storage, user1.getSupertokensUserId(),
                 user2.getSupertokensUserId());
 
         SessionInformationHolder session1 = Session.createNewSession(t2, t2Storage, process.getProcess(),