fix: fixes storage handling for non-auth recipes #942

Merged 31 commits, Mar 5, 2024

Commits
eb4496b fix: non auth recipe stuff (sattvikc, Feb 29, 2024)
d267312 fix: user roles (sattvikc, Feb 29, 2024)
6b2a45c fix: half done (sattvikc, Mar 1, 2024)
fadf205 fix: thirdparty changes (sattvikc, Mar 1, 2024)
9a0ff85 fix: passwordless changes (sattvikc, Mar 1, 2024)
89fd936 fix: active users (sattvikc, Mar 1, 2024)
458c3b6 fix: session changes (sattvikc, Mar 1, 2024)
9eb76a1 fix: user metadata (sattvikc, Mar 1, 2024)
4843083 fix: user roles (sattvikc, Mar 1, 2024)
69a2466 fix: totp (sattvikc, Mar 1, 2024)
6728665 fix: email verification (sattvikc, Mar 1, 2024)
c61c7d7 fix: multitenancy and other minor fixes (sattvikc, Mar 1, 2024)
c1edaba fix: compile errors (sattvikc, Mar 1, 2024)
dd688da fix: bugs and tests (sattvikc, Mar 1, 2024)
c5fc6a3 fix: bugs and tests (sattvikc, Mar 1, 2024)
5f00b5e fix: func rename (sattvikc, Mar 1, 2024)
311b9b0 fix: PR comments (sattvikc, Mar 4, 2024)
75b5a14 fix: pr comments (sattvikc, Mar 4, 2024)
38c11fd fix: pr comments (sattvikc, Mar 4, 2024)
06569c0 fix: pr comments (sattvikc, Mar 4, 2024)
d94a381 fix: user role multitenant tests (sattvikc, Mar 4, 2024)
83b802c fix: email verification tests (sattvikc, Mar 4, 2024)
3d93ab5 fix: user role deletion (sattvikc, Mar 4, 2024)
d7cbcfa fix: user roles (sattvikc, Mar 4, 2024)
fb2234c fix: user roles (sattvikc, Mar 4, 2024)
8945be1 fix: get tenant identifier refactor (sattvikc, Mar 4, 2024)
a5d7aad fix: pr comments (sattvikc, Mar 4, 2024)
88539e5 fix: query (sattvikc, Mar 4, 2024)
8a31166 fix: tests version and changelog (sattvikc, Mar 5, 2024)
644b5d6 Update CHANGELOG.md (sattvikc, Mar 5, 2024)
0bfad8b fix: pr comments (sattvikc, Mar 5, 2024)
26 changes: 26 additions & 0 deletions CHANGELOG.md
Expand Up @@ -5,6 +5,32 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres
to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [8.0.0] - 2024-03-04

### Breaking changes

- The following app specific APIs return a 403 when not called using `public` tenant
- GET `/recipe/accountlinking/user/primary/check`
- GET `/recipe/accountlinking/user/link/check`
- POST `/recipe/accountlinking/user/primary`
- POST `/recipe/accountlinking/user/link`
- POST `/recipe/accountlinking/user/unlink`
- GET `/users/count/active`
- POST `/user/remove`
- GET `/ee/featureflag`
- GET `/user/id`
- PUT `/ee/license`
- DELETE `/ee/license`
- GET `/ee/license`
- GET `/requests/stats`
- GET `/recipe/user` when querying by `userId`
- GET `/recipe/jwt/jwks`
- POST `/recipe/jwt`

### Fixes

- Fixes issue with non-auth recipe related storage handling

## [7.0.18] - 2024-02-19

- Fixes vulnerabilities in dependencies
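Review bot: the `### Fixes` entry "Fixes issue with non-auth recipe related storage handling" is too vague for the release that carries a major version bump; name the recipes it touched (the commit list covers user roles, user metadata, TOTP, email verification, passwordless, thirdparty and session) and say what a caller could observe before the fix. The breaking-changes list should also record the deliberate exception made in the session hunks of this same PR: the session `user` endpoints called with `revokeAcrossAllTenants` or `fetchAcrossAllTenants` still accept a non-public tenant and behave as app-specific APIs, so they do not return the 403 described here, and an operator reading only this list would assume otherwise. Finally, the header date 2024-03-04 predates the changelog commits made on Mar 5; align it with the actual release date.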
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
// }
//}

version = "7.0.18"
version = "8.0.0"


repositories {
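Review bot: the bump from `7.0.18` to `8.0.0` is consistent with the breaking-changes section added to the CHANGELOG. Commit 8a31166 "fix: tests version and changelog" indicates a test-side version was bumped separately; please confirm the two values match so the test suite does not end up pinned to the old core version.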
14 changes: 0 additions & 14 deletions src/main/java/io/supertokens/webserver/WebserverAPI.java
Expand Up @@ -378,20 +378,6 @@ protected StorageAndUserIdMapping enforcePublicTenantAndGetStorageAndUserIdMappi
}
}

protected StorageAndUserIdMapping getStorageAndUserIdMappingForAppSpecificApiWithoutEnforcingPublicTenant(
HttpServletRequest req, String userId, UserIdType userIdType)
throws StorageQueryException, TenantOrAppNotFoundException, ServletException,
BadPermissionException {
AppIdentifier appIdentifier = getAppIdentifierWithoutVerifying(req);
Storage[] storages = StorageLayer.getStoragesForApp(main, appIdentifier);
try {
return StorageLayer.findStorageAndUserIdMappingForUser(
appIdentifier, storages, userId, userIdType);
} catch (UnknownUserIdException e) {
return new StorageAndUserIdMapping(getTenantStorage(req), null);
}
}

protected boolean checkIPAccess(HttpServletRequest req, HttpServletResponse resp)
throws TenantOrAppNotFoundException, ServletException, IOException {
CoreConfig config = Config.getConfig(getTenantIdentifierWithoutVerifying(req), main);
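Review bot: the helper is deleted here, but its body, including the `catch (UnknownUserIdException e)` fallback to `new StorageAndUserIdMapping(getTenantStorage(req), null)`, reappears inlined verbatim in both session API handlers later in this PR. Keeping one shared method on WebserverAPI (named to state the exception it makes, for instance something like `getStorageAndUserIdMappingForAppAcrossTenants`, a suggested name only) would keep the decision "an unknown user falls back to the caller's tenant storage" in a single auditable place. One behavioural difference deserves a comment in the handlers: the removed helper resolved the app with `getAppIdentifierWithoutVerifying(req)`, whereas the inlined copies reuse the `appIdentifier` obtained from `getAppIdentifier(req)`, so the app is now verified before its storages are enumerated.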
Expand Up @@ -113,10 +113,18 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
String[] sessionHandlesRevoked;

if (revokeAcrossAllTenants) {
// when revokeAcrossAllTenants is true, and given that the backend SDK might pass tenant id
// we do not want to enfore public tenant here but behave as if this is an app specific API
AppIdentifier appIdentifier = getAppIdentifier(req);
StorageAndUserIdMapping storageAndUserIdMapping = getStorageAndUserIdMappingForAppSpecificApiWithoutEnforcingPublicTenant(
req, userId, UserIdType.ANY);

Storage[] storages = StorageLayer.getStoragesForApp(main, appIdentifier);
StorageAndUserIdMapping storageAndUserIdMapping = null;
try {
storageAndUserIdMapping = StorageLayer.findStorageAndUserIdMappingForUser(
appIdentifier, storages, userId, UserIdType.ANY);
} catch (UnknownUserIdException e) {
storageAndUserIdMapping = new StorageAndUserIdMapping(getTenantStorage(req), null);
}
storage = storageAndUserIdMapping.storage;
sessionHandlesRevoked = Session.revokeAllSessionsForUser(
main, appIdentifier, storageAndUserIdMapping.storage, userId, revokeSessionsForLinkedAccounts);
} else {
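Review bot: on the `UnknownUserIdException` branch the handler still goes on to call `Session.revokeAllSessionsForUser` against `getTenantStorage(req)` for a `userId` that exists in none of the app's storages. If that call cannot revoke anything for such a user, it is clearer to set `sessionHandlesRevoked` to an empty array in the catch and skip the storage call, rather than rely on the revoke routine tolerating an unknown user with a `null` mapping. Also, the comment on the unchanged context line misspells "enfore" (enforce).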
Expand Down Expand Up @@ -149,7 +157,7 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
}
result.add("sessionHandlesRevoked", sessionHandlesRevokedJSON);
super.sendJsonResponse(200, result, resp);
} catch (StorageQueryException | TenantOrAppNotFoundException | BadPermissionException e) {
} catch (StorageQueryException | TenantOrAppNotFoundException e) {
throw new ServletException(e);
}
} else {
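Review bot: narrowing the catch to `StorageQueryException | TenantOrAppNotFoundException` is forced by the helper removal (Java rejects a catch of a checked exception that nothing in the try block throws), and it confirms that nothing on the `revokeAcrossAllTenants` path can now signal a `BadPermissionException`; that matches the comment above about not enforcing the public tenant here. If this catch was the only use of `BadPermissionException` in the file, drop its import too.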
Expand Up @@ -24,11 +24,13 @@
import io.supertokens.multitenancy.exception.BadPermissionException;
import io.supertokens.pluginInterface.RECIPE_ID;
import io.supertokens.pluginInterface.Storage;
import io.supertokens.pluginInterface.emailpassword.exceptions.UnknownUserIdException;
import io.supertokens.pluginInterface.exceptions.StorageQueryException;
import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
import io.supertokens.session.Session;
import io.supertokens.storageLayer.StorageLayer;
import io.supertokens.useridmapping.UserIdType;
import io.supertokens.webserver.InputParser;
import io.supertokens.webserver.WebserverAPI;
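Review bot: `BadPermissionException` stays imported although the catch at the end of `doGet` in this file no longer names it; remove the import if nothing else in the class references it. The new `UnknownUserIdException` import comes from the `emailpassword` exceptions package even though the lookup below is recipe-agnostic (`UserIdType.ANY`); that is what `StorageLayer.findStorageAndUserIdMappingForUser` declares, but a one-line comment would stop the next reader from assuming a session-to-email-password dependency.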
Expand Down Expand Up @@ -75,10 +77,17 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO
String[] sessionHandles;

if (fetchAcrossAllTenants) {
// when fetchAcrossAllTenants is true, and given that the backend SDK might pass tenant id
// we do not want to enfore public tenant here but behave as if this is an app specific API
AppIdentifier appIdentifier = getAppIdentifier(req);
StorageAndUserIdMapping storageAndUserIdMapping =
getStorageAndUserIdMappingForAppSpecificApiWithoutEnforcingPublicTenant(req, userId,
UserIdType.ANY);
Storage[] storages = StorageLayer.getStoragesForApp(main, appIdentifier);
StorageAndUserIdMapping storageAndUserIdMapping = null;
try {
storageAndUserIdMapping = StorageLayer.findStorageAndUserIdMappingForUser(
appIdentifier, storages, userId, UserIdType.ANY);
} catch (UnknownUserIdException e) {
storageAndUserIdMapping = new StorageAndUserIdMapping(getTenantStorage(req), null);
}
sessionHandles = Session.getAllNonExpiredSessionHandlesForUser(
main, appIdentifier, storageAndUserIdMapping.storage, userId,
fetchSessionsForAllLinkedAccounts);
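Review bot: this try/catch is a character-for-character copy of the one in the revoke handler; move the lookup into a single shared method so the `UnknownUserIdException` to `getTenantStorage(req)` fallback is defined once and both endpoints stay in step if it ever changes. As in the revoke handler, the comment on the context line misspells "enfore" (enforce).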
Expand All @@ -98,7 +107,7 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IO
result.add("sessionHandles", arr);
super.sendJsonResponse(200, result, resp);

} catch (StorageQueryException | TenantOrAppNotFoundException | BadPermissionException e) {
} catch (StorageQueryException | TenantOrAppNotFoundException e) {
throw new ServletException(e);
}
}
Expand Up @@ -1022,32 +1022,32 @@ public void testPermissionsForDeleteTenant() throws Exception {
new TestCase(
new TenantIdentifier(null, null, "t1"),
new TenantIdentifier(null, null, "t2"),
"Only the public tenantId is allowed to delete a tenant"
"Only public tenantId can call this app specific API"
),
new TestCase(
new TenantIdentifier(null, null, "t1"),
new TenantIdentifier(null, null, "t1"),
"Only the public tenantId is allowed to delete a tenant"
"Only public tenantId can call this app specific API"
),
new TestCase(
new TenantIdentifier(null, "a1", "t1"),
new TenantIdentifier(null, "a1", "t2"),
"Only the public tenantId is allowed to delete a tenant"
"Only public tenantId can call this app specific API"
),
new TestCase(
new TenantIdentifier(null, "a1", "t1"),
new TenantIdentifier(null, "a1", "t1"),
"Only the public tenantId is allowed to delete a tenant"
"Only public tenantId can call this app specific API"
),
new TestCase(
new TenantIdentifier("127.0.0.1", "a1", "t1"),
new TenantIdentifier("127.0.0.1", "a1", "t2"),
"Only the public tenantId is allowed to delete a tenant"
"Only public tenantId can call this app specific API"
),
new TestCase(
new TenantIdentifier("127.0.0.1", "a1", "t1"),
new TenantIdentifier("127.0.0.1", "a1", "t1"),
"Only the public tenantId is allowed to delete a tenant"
"Only public tenantId can call this app specific API"
),
new TestCase(
new TenantIdentifier(null, null, null),
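Review bot: switching every expected message to the generic "Only public tenantId can call this app specific API" means this test no longer shows that tenant deletion specifically is gated; it would also pass if the request tripped any other app-specific gate first. Assert the HTTP status alongside the message (the CHANGELOG states these APIs now return 403), and make sure the remaining public-tenant case asserts a successful deletion rather than only the absence of an error string.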
Expand Up @@ -119,8 +119,7 @@ public void testDeletingARoleWhileItIsBeingRemovedFromAUser() throws Exception {
}
// delete the role
try {
boolean wasRoleDeleted = storage.deleteAllUserRoleAssociationsForRole(new AppIdentifier(null, null), role);
wasRoleDeleted = storage.deleteRole(new AppIdentifier(null, null), role) || wasRoleDeleted;
boolean wasRoleDeleted = storage.deleteRole(new AppIdentifier(null, null), role);
r2_success.set(wasRoleDeleted);
} catch (StorageQueryException e) {
// should not come here
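Review bot: the explicit `deleteAllUserRoleAssociationsForRole` call is dropped, so `wasRoleDeleted` now depends on `deleteRole` alone. The test name (`testDeletingARoleWhileItIsBeingRemovedFromAUser`) describes a race between removing a role from a user and deleting the role, so please state in a comment where the user-role associations are removed after commit 3d93ab5 "fix: user role deletion", and add an assertion once both threads finish that no association for `role` remains in storage; as written the test only checks that the role row was deleted, not that the fix leaves no orphaned associations.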