feat: Add userInfoGET endpoint

lib/build/recipe/oauth2/api/implementation.js

@@ -190,11 +190,12 @@ function getAPIImplementation() {
                 },
             };
         },
-        userInfoGET: async ({ accessTokenPayload, user, scopes, options, userContext }) => {
+        userInfoGET: async ({ accessTokenPayload, user, scopes, tenantId, options, userContext }) => {
             const userInfo = await options.recipeImplementation.buildUserInfo({
                 user,
                 accessTokenPayload,
                 scopes,
+                tenantId,
                 userContext,
             });
             return {

lib/build/recipe/oauth2/api/userInfo.d.ts

@@ -3,6 +3,7 @@ import { APIInterface, APIOptions } from "..";
 import { UserContext } from "../../../types";
 export default function userInfoGET(
     apiImplementation: APIInterface,
+    tenantId: string,
     options: APIOptions,
     userContext: UserContext
 ): Promise<boolean>;

lib/build/recipe/oauth2/api/userInfo.js

@@ -27,38 +27,52 @@ async function validateOAuth2AccessToken(accessToken) {
     });
     return await resp.json();
 }
-async function userInfoGET(apiImplementation, options, userContext) {
-    var _a;
+async function userInfoGET(apiImplementation, tenantId, options, userContext) {
     if (apiImplementation.userInfoGET === undefined) {
         return false;
     }
     const authHeader = options.req.getHeaderValue("authorization") || options.req.getHeaderValue("Authorization");
     if (authHeader === undefined || !authHeader.startsWith("Bearer ")) {
-        utils_1.sendNon200ResponseWithMessage(options.res, "Missing or invalid Authorization header", 401);
+        // TODO: Returning a 400 instead of a 401 to prevent a potential refresh loop in the client SDK.
+        // When addressing this TODO, review other response codes in this function as well.
+        utils_1.sendNon200ResponseWithMessage(options.res, "Missing or invalid Authorization header", 400);
         return true;
     }
     const accessToken = authHeader.replace(/^Bearer /, "").trim();
     let accessTokenPayload;
     try {
         accessTokenPayload = await validateOAuth2AccessToken(accessToken);
     } catch (error) {
-        utils_1.sendNon200ResponseWithMessage(options.res, "Invalid or expired OAuth2 access token!", 401);
+        options.res.setHeader("WWW-Authenticate", 'Bearer error="invalid_token"', false);
+        utils_1.sendNon200ResponseWithMessage(options.res, "Invalid or expired OAuth2 access token", 400);
+        return true;
+    }
+    if (
+        accessTokenPayload === null ||
+        typeof accessTokenPayload !== "object" ||
+        typeof accessTokenPayload.sub !== "string" ||
+        typeof accessTokenPayload.scope !== "string"
+    ) {
+        options.res.setHeader("WWW-Authenticate", 'Bearer error="invalid_token"', false);
+        utils_1.sendNon200ResponseWithMessage(options.res, "Malformed access token payload", 400);
         return true;
     }
     const userId = accessTokenPayload.sub;
     const user = await __1.getUser(userId, userContext);
     if (user === undefined) {
+        options.res.setHeader("WWW-Authenticate", 'Bearer error="invalid_token"', false);
         utils_1.sendNon200ResponseWithMessage(
             options.res,
             "Couldn't find any user associated with the access token",
-            401
+            400
         );
         return true;
     }
     const response = await apiImplementation.userInfoGET({
         accessTokenPayload,
         user,
-        scopes: ((_a = accessTokenPayload.scope) !== null && _a !== void 0 ? _a : "").split(" "),
+        tenantId,
+        scopes: accessTokenPayload.scope.split(" "),
         options,
         userContext,
     });

lib/build/recipe/oauth2/recipe.d.ts

@@ -31,7 +31,7 @@ export default class Recipe extends RecipeModule {
     getAPIsHandled(): APIHandled[];
     handleAPIRequest: (
         id: string,
-        _tenantId: string | undefined,
+        tenantId: string,
         req: BaseRequest,
         res: BaseResponse,
         _path: NormalisedURLPath,
@@ -46,6 +46,7 @@ export default class Recipe extends RecipeModule {
         user: User,
         accessTokenPayload: JSONObject,
         scopes: string[],
+        tenantId: string,
         userContext: UserContext
     ): Promise<UserInfo>;
 }

lib/build/recipe/oauth2/recipe.js

@@ -43,7 +43,7 @@ class Recipe extends recipeModule_1.default {
         this.addUserInfoBuilderFromOtherRecipe = (userInfoBuilderFn) => {
             this.userInfoBuilders.push(userInfoBuilderFn);
         };
-        this.handleAPIRequest = async (id, _tenantId, req, res, _path, _method, userContext) => {
+        this.handleAPIRequest = async (id, tenantId, req, res, _path, _method, userContext) => {
             let options = {
                 config: this.config,
                 recipeId: this.getRecipeId(),
@@ -71,7 +71,7 @@ class Recipe extends recipeModule_1.default {
                 return loginInfo_1.default(this.apiImpl, options, userContext);
             }
             if (id === constants_1.USER_INFO_PATH) {
-                return userInfo_1.default(this.apiImpl, options, userContext);
+                return userInfo_1.default(this.apiImpl, tenantId, options, userContext);
             }
             throw new Error("Should never come here: handleAPIRequest called with unknown id");
         };
@@ -215,7 +215,7 @@ class Recipe extends recipeModule_1.default {
         }
         return payload;
     }
-    async getDefaultUserInfoPayload(user, accessTokenPayload, scopes, userContext) {
+    async getDefaultUserInfoPayload(user, accessTokenPayload, scopes, tenantId, userContext) {
         let payload = {
             sub: accessTokenPayload.sub,
         };
@@ -236,7 +236,7 @@ class Recipe extends recipeModule_1.default {
         for (const fn of this.userInfoBuilders) {
             payload = Object.assign(
                 Object.assign({}, payload),
-                await fn(user, accessTokenPayload, scopes, userContext)
+                await fn(user, accessTokenPayload, scopes, tenantId, userContext)
             );
         }
         return payload;

lib/build/recipe/oauth2/recipeImplementation.js

@@ -394,8 +394,8 @@ function getRecipeInterface(querier, _config, _appInfo, getDefaultIdTokenPayload
         buildIdTokenPayload: async function (input) {
             return input.defaultPayload;
         },
-        buildUserInfo: async function ({ user, accessTokenPayload, scopes, userContext }) {
-            return getDefaultUserInfoPayload(user, accessTokenPayload, scopes, userContext);
+        buildUserInfo: async function ({ user, accessTokenPayload, scopes, tenantId, userContext }) {
+            return getDefaultUserInfoPayload(user, accessTokenPayload, scopes, tenantId, userContext);
         },
     };
 }

lib/build/recipe/oauth2/types.d.ts

@@ -1,7 +1,7 @@
 // @ts-nocheck
 import type { BaseRequest, BaseResponse } from "../../framework";
 import OverrideableBuilder from "supertokens-js-override";
-import { GeneralErrorResponse, JSONObject, NonNullableProperties, UserContext } from "../../types";
+import { GeneralErrorResponse, JSONObject, JSONValue, NonNullableProperties, UserContext } from "../../types";
 import { SessionContainerInterface } from "../session/types";
 import { OAuth2Client } from "./OAuth2Client";
 import { User } from "../../user";
@@ -93,7 +93,7 @@ export declare type UserInfo = {
     email_verified?: boolean;
     phoneNumber?: string;
     phoneNumber_verified?: boolean;
-    [key: string]: any;
+    [key: string]: JSONValue;
 };
 export declare type RecipeInterface = {
     authorization(input: {
@@ -232,6 +232,7 @@ export declare type RecipeInterface = {
         user: User;
         accessTokenPayload: JSONObject;
         scopes: string[];
+        tenantId: string;
         userContext: UserContext;
     }): Promise<JSONObject>;
 };
@@ -357,6 +358,7 @@ export declare type APIInterface = {
               accessTokenPayload: JSONObject;
               user: User;
               scopes: string[];
+              tenantId: string;
               options: APIOptions;
               userContext: UserContext;
           }) => Promise<
@@ -471,5 +473,6 @@ export declare type UserInfoBuilderFunction = (
     user: User,
     accessTokenPayload: JSONObject,
     scopes: string[],
+    tenantId: string,
     userContext: UserContext
-) => Promise<UserInfo>;
+) => Promise<JSONObject>;

lib/build/recipe/oauth2client/index.d.ts

@@ -1,12 +1,11 @@
 // @ts-nocheck
-import { UserContext } from "../../types";
 import Recipe from "./recipe";
 import { RecipeInterface, APIInterface, APIOptions, OAuthTokens } from "./types";
 export default class Wrapper {
     static init: typeof Recipe.init;
     static getAuthorisationRedirectURL(
         redirectURIOnProviderDashboard: string,
-        userContext: UserContext
+        userContext?: Record<string, any>
     ): Promise<{
         urlWithQueryParams: string;
         pkceCodeVerifier?: string | undefined;
@@ -17,9 +16,12 @@ export default class Wrapper {
             redirectURIQueryParams: any;
             pkceCodeVerifier?: string | undefined;
         },
-        userContext: UserContext
+        userContext?: Record<string, any>
     ): Promise<import("./types").OAuthTokenResponse>;
-    static getUserInfo(oAuthTokens: OAuthTokens, userContext: UserContext): Promise<import("./types").UserInfo>;
+    static getUserInfo(
+        oAuthTokens: OAuthTokens,
+        userContext?: Record<string, any>
+    ): Promise<import("./types").UserInfo>;
 }
 export declare let init: typeof Recipe.init;
 export declare let getAuthorisationRedirectURL: typeof Wrapper.getAuthorisationRedirectURL;

lib/build/recipe/oauth2client/index.js

@@ -20,33 +20,40 @@ var __importDefault =
     };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getUserInfo = exports.exchangeAuthCodeForOAuthTokens = exports.getAuthorisationRedirectURL = exports.init = void 0;
+const utils_1 = require("../../utils");
 const recipe_1 = __importDefault(require("./recipe"));
 class Wrapper {
     static async getAuthorisationRedirectURL(redirectURIOnProviderDashboard, userContext) {
         const recipeInterfaceImpl = recipe_1.default.getInstanceOrThrowError().recipeInterfaceImpl;
-        const providerConfig = await recipeInterfaceImpl.getProviderConfig({ userContext });
+        const providerConfig = await recipeInterfaceImpl.getProviderConfig({
+            userContext: utils_1.getUserContext(userContext),
+        });
         return await recipeInterfaceImpl.getAuthorisationRedirectURL({
             providerConfig,
             redirectURIOnProviderDashboard,
-            userContext,
+            userContext: utils_1.getUserContext(userContext),
         });
     }
     static async exchangeAuthCodeForOAuthTokens(redirectURIInfo, userContext) {
         const recipeInterfaceImpl = recipe_1.default.getInstanceOrThrowError().recipeInterfaceImpl;
-        const providerConfig = await recipeInterfaceImpl.getProviderConfig({ userContext });
+        const providerConfig = await recipeInterfaceImpl.getProviderConfig({
+            userContext: utils_1.getUserContext(userContext),
+        });
         return await recipeInterfaceImpl.exchangeAuthCodeForOAuthTokens({
             providerConfig,
             redirectURIInfo,
-            userContext,
+            userContext: utils_1.getUserContext(userContext),
         });
     }
     static async getUserInfo(oAuthTokens, userContext) {
         const recipeInterfaceImpl = recipe_1.default.getInstanceOrThrowError().recipeInterfaceImpl;
-        const providerConfig = await recipeInterfaceImpl.getProviderConfig({ userContext });
+        const providerConfig = await recipeInterfaceImpl.getProviderConfig({
+            userContext: utils_1.getUserContext(userContext),
+        });
         return await recipe_1.default.getInstanceOrThrowError().recipeInterfaceImpl.getUserInfo({
             providerConfig,
             oAuthTokens,
-            userContext,
+            userContext: utils_1.getUserContext(userContext),
         });
     }
 }

lib/build/recipe/oauth2client/recipeImplementation.js

@@ -63,10 +63,9 @@ function getRecipeImplementation(_querier, config) {
             if (oidcInfo.token_endpoint === undefined) {
                 throw new Error("Failed to token_endpoint from the oidcDiscoveryEndpoint.");
             }
-            // TODO: We currently don't have this
-            // if (oidcInfo.userinfo_endpoint === undefined) {
-            //     throw new Error("Failed to userinfo_endpoint from the oidcDiscoveryEndpoint.");
-            // }
+            if (oidcInfo.userinfo_endpoint === undefined) {
+                throw new Error("Failed to userinfo_endpoint from the oidcDiscoveryEndpoint.");
+            }
             if (oidcInfo.jwks_uri === undefined) {
                 throw new Error("Failed to jwks_uri from the oidcDiscoveryEndpoint.");
             }

lib/build/recipe/openid/recipeImplementation.js

@@ -24,6 +24,7 @@ function getRecipeInterface(config, jwtRecipeImplementation, appInfo) {
                 jwks_uri,
                 authorization_endpoint: apiBasePath + constants_2.AUTH_PATH,
                 token_endpoint: apiBasePath + constants_2.TOKEN_PATH,
+                userinfo_endpoint: apiBasePath + constants_2.USER_INFO_PATH,
                 subject_types_supported: ["public"],
                 id_token_signing_alg_values_supported: ["RS256"],
                 response_types_supported: ["code", "id_token", "id_token token"],

lib/build/recipe/userroles/recipe.js

@@ -27,6 +27,7 @@ const utils_1 = require("./utils");
 const supertokens_js_override_1 = __importDefault(require("supertokens-js-override"));
 const postSuperTokensInitCallbacks_1 = require("../../postSuperTokensInitCallbacks");
 const recipe_1 = __importDefault(require("../session/recipe"));
+const recipe_2 = __importDefault(require("../oauth2/recipe"));
 const userRoleClaim_1 = require("./userRoleClaim");
 const permissionClaim_1 = require("./permissionClaim");
 class Recipe extends recipeModule_1.default {
@@ -51,6 +52,39 @@ class Recipe extends recipeModule_1.default {
             if (!this.config.skipAddingPermissionsToAccessToken) {
                 recipe_1.default.getInstanceOrThrowError().addClaimFromOtherRecipe(permissionClaim_1.PermissionClaim);
             }
+            recipe_2.default
+                .getInstanceOrThrowError()
+                .addUserInfoBuilderFromOtherRecipe(async (user, _accessTokenPayload, scopes, tenantId, userContext) => {
+                    let userInfo = {};
+                    if (scopes.includes("roles")) {
+                        const res = await this.recipeInterfaceImpl.getRolesForUser({
+                            userId: user.id,
+                            tenantId,
+                            userContext,
+                        });
+                        if (res.status !== "OK") {
+                            throw new Error("Failed to fetch roles for the user");
+                        }
+                        userInfo.roles = res.roles;
+                        if (scopes.includes("permissions")) {
+                            const userPermissions = new Set();
+                            for (const role of userInfo.roles) {
+                                const rolePermissions = await this.recipeInterfaceImpl.getPermissionsForRole({
+                                    role,
+                                    userContext,
+                                });
+                                if (rolePermissions.status !== "OK") {
+                                    throw new Error("Failed to fetch permissions for the role");
+                                }
+                                for (const perm of rolePermissions.permissions) {
+                                    userPermissions.add(perm);
+                                }
+                            }
+                            userInfo.permissons = Array.from(userPermissions);
+                        }
+                    }
+                    return userInfo;
+                });
         });
     }
     /* Init functions */

lib/ts/recipe/oauth2/api/implementation.ts

@@ -188,11 +188,12 @@ export default function getAPIImplementation(): APIInterface {
                 },
             };
         },
-        userInfoGET: async ({ accessTokenPayload, user, scopes, options, userContext }) => {
+        userInfoGET: async ({ accessTokenPayload, user, scopes, tenantId, options, userContext }) => {
             const userInfo = await options.recipeImplementation.buildUserInfo({
                 user,
                 accessTokenPayload,
                 scopes,
+                tenantId,
                 userContext,
             });