fix: session creation - checking tenant for user #1063
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sattvikc
requested changes
Nov 5, 2024
build.gradle
Outdated
| @@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" } | |||
| // } | |||
| //} | |||
|
|
|||
| version = "9.2.3" | |||
| version = "9.2.4" | |||
coreDriverInterfaceSupported.json
Outdated
| @@ -20,6 +20,7 @@ | |||
| "3.1", | |||
| "4.0", | |||
| "5.0", | |||
| "5.1" | |||
| "5.1", | |||
| "5.2" | |||
CHANGELOG.md
Outdated
Comment on lines
10
to
11
| - Adds support for CDI 5.2 | ||
| - In CDI 5.2, when creating a new session for a known user, checks if the user is a member of that tenant. |
| @@ -53,6 +54,7 @@ | |||
| import io.supertokens.storageLayer.StorageLayer; | |||
| import io.supertokens.useridmapping.UserIdMapping; | |||
| import io.supertokens.useridmapping.UserIdType; | |||
| import io.supertokens.utils.SemVer; | |||
There was a problem hiding this comment.
we avoid using SemVer in this layer
| @@ -132,11 +135,11 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI | |||
| @Nonnull JsonObject userDataInJWT, | |||
| @Nonnull JsonObject userDataInDatabase, | |||
| boolean enableAntiCsrf, AccessToken.VERSION version, | |||
| boolean useStaticKey) | |||
| boolean useStaticKey, SemVer semVer) | |||
There was a problem hiding this comment.
Instead of passing semVer here, pass a boolean that indicates whether to check the user tenant or not.
| @@ -166,6 +170,16 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI | |||
| if (userIdMappings.containsKey(recipeUserId)) { | |||
| recipeUserId = userIdMappings.get(recipeUserId); | |||
| } | |||
|
|
|||
| if(semVer!= null && semVer.greaterThanOrEqualTo(SemVer.v5_2)) { | |||
There was a problem hiding this comment.
simply use a boolean whether to do this check or not
CHANGELOG.md
Outdated
|
|
||
| - Adds support for CDI 5.2 | ||
| - In CDI 5.2, when creating a new session for a known user, checks if the user is a member of that tenant. | ||
| If not, returns UNAUTHORISED. |
There was a problem hiding this comment.
I don't think UNAUTHORISED is the right thing to return here. You may want to add a different status like USER_DOES_NOT_BELONG_TO_TENANT_ERROR.
sattvikc
requested changes
Nov 5, 2024
CHANGELOG.md
Outdated
| @@ -149,6 +156,7 @@ CREATE TABLE IF NOT EXISTS oauth_logout_challenges ( | |||
|
|
|||
| CREATE INDEX oauth_logout_challenges_time_created_index ON oauth_logout_challenges(time_created ASC, app_id ASC); | |||
| ``` | |||
| >>>>>>> origin/master | |||
There was a problem hiding this comment.
it is. Sorry I missed this
| @@ -143,6 +144,11 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I | |||
| super.sendJsonResponse(200, result, resp); | |||
| } catch (AccessTokenPayloadError e) { | |||
| throw new ServletException(new BadRequestException(e.getMessage())); | |||
| } catch (UnauthorisedException e) { | |||
There was a problem hiding this comment.
catching Unauthorised and returning a different status could get confusing. Create a new exception type for this.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary of change
When creating a session for a userId which is known by ST, check if the user is part of that tenant.
Related issues
Test Plan
(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your
changes work. Bonus points for screenshots and videos!)
Documentation changes
(If relevant, please create a PR in our docs repo, or create a checklist here
highlighting the necessary changes)
Checklist for important updates
coreDriverInterfaceSupported.jsonfile has been updated (if needed)pluginInterfaceSupported.jsonfile has been updated (if needed)build.gradlegetPaidFeatureStatsfunction in FeatureFlag.java filebuild.gradle, please make sure to add themin
implementationDependencies.json.getValidFieldsinio/supertokens/config/CoreConfig.javaif new aliases were added for any coreconfig (similar to the
access_token_signing_key_update_intervalconfig alias).git tag) in the formatvX.Y.Z, and then find thelatest branch (
git branch --all) whoseX.Yis greater than the latest released tag.app_id_to_user_idtable, make sure to delete from this table when deletingthe user as well if
deleteUserIdMappingToois false.