fix: session creation - checking tenant for user #1063
base: 9.3
build.gradle
Outdated
@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" } | |||
// } | |||
//} | |||
|
|||
version = "9.2.3" | |||
version = "9.2.4" |
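Review bot: the version in this hunk moves to 9.2.4 while the PR is based on the 9.3 branch, so a release built from this branch would carry a version older than the branch it comes from; bump to the next 9.3 patch version instead so that the artifact version, the changelog entry and the branch line up.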
Should be 9.3.1?
done
coreDriverInterfaceSupported.json
Outdated
@@ -20,6 +20,7 @@ | |||
"3.1", | |||
"4.0", | |||
"5.0", | |||
"5.1" | |||
"5.1", | |||
"5.2" |
Needs updating?
done
CHANGELOG.md
Outdated
- Adds support for CDI 5.2 | ||
- In CDI 5.2, when creating a new session for a known user, checks if the user is a member of that tenant. |
Should be 5.3?
done
@@ -53,6 +54,7 @@ | |||
import io.supertokens.storageLayer.StorageLayer; | |||
import io.supertokens.useridmapping.UserIdMapping; | |||
import io.supertokens.useridmapping.UserIdType; | |||
import io.supertokens.utils.SemVer; |
We avoid using SemVer in this layer.
done
@@ -132,11 +135,11 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI | |||
@Nonnull JsonObject userDataInJWT, | |||
@Nonnull JsonObject userDataInDatabase, | |||
boolean enableAntiCsrf, AccessToken.VERSION version, | |||
boolean useStaticKey) | |||
boolean useStaticKey, SemVer semVer) |
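Review bot: the new `SemVer semVer` parameter on `createNewSession` pushes the API-version concept into the session layer, and every caller now has to know which version threshold turns the tenant check on (a caller passing `null` gets the old behaviour without saying so). Resolve the decision once at the API layer and pass a plain boolean (a flag named for the tenant check) so that the session code has a single explicit switch and no version comparison.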
Instead of passing semVer here, pass a boolean that indicates whether to check the user tenant or not.
done
@@ -166,6 +170,16 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI | |||
if (userIdMappings.containsKey(recipeUserId)) { | |||
recipeUserId = userIdMappings.get(recipeUserId); | |||
} | |||
|
|||
if(semVer!= null && semVer.greaterThanOrEqualTo(SemVer.v5_2)) { |
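Review bot: the guard `if(semVer!= null && semVer.greaterThanOrEqualTo(SemVer.v5_2))` is fail-open: when no version is supplied (`semVer == null`) the tenant-membership check is skipped entirely, and the same happens for any caller declaring an older CDI version, so a session for a user outside the tenant can still be created by those callers. Make the checked path the default and gate only the legacy behaviour explicitly; with a boolean decided at the API layer this collapses to a single `if` on that flag. Also add a space after `if` and before `!=` to match the surrounding style, and note that the hunk header promises ten added lines but only this one is visible here, so the body of the branch (what happens when the user is not in the tenant) still needs review.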
Simply use a boolean for whether to do this check or not.
done
CHANGELOG.md
Outdated
|
||
- Adds support for CDI 5.2 | ||
- In CDI 5.2, when creating a new session for a known user, checks if the user is a member of that tenant. | ||
If not, returns UNAUTHORISED. |
I don't think UNAUTHORISED is the right thing to return here. You may want to add a different status like USER_DOES_NOT_BELONG_TO_TENANT_ERROR.
done
CHANGELOG.md
Outdated
@@ -149,6 +156,7 @@ CREATE TABLE IF NOT EXISTS oauth_logout_challenges ( | |||
|
|||
CREATE INDEX oauth_logout_challenges_time_created_index ON oauth_logout_challenges(time_created ASC, app_id ASC); | |||
``` | |||
>>>>>>> origin/master |
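Review bot: `>>>>>>> origin/master` at the end of this hunk is a leftover merge-conflict marker in CHANGELOG.md; remove it and check that the matching `<<<<<<<` and `=======` markers are not present elsewhere in the file, since a conflict marker in a Markdown file renders as garbage instead of failing a build and so can slip through unnoticed.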
merge error?
It is. Sorry I missed this.
done
@@ -143,6 +144,11 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I | |||
super.sendJsonResponse(200, result, resp); | |||
} catch (AccessTokenPayloadError e) { | |||
throw new ServletException(new BadRequestException(e.getMessage())); | |||
} catch (UnauthorisedException e) { |
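Review bot: catching `UnauthorisedException` here reuses an exception that already has its own meaning for sessions to signal a different condition (user not a member of the tenant), so the handler cannot tell the two apart, and any other path that throws `UnauthorisedException` into this `doPost` would be reported as a tenant mismatch. Introduce a dedicated exception type for the tenant-membership failure and map it to its own status, leaving the existing `UnauthorisedException` handling untouched; the body of the added handler is not visible in this hunk and should be checked for the response it writes.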
Catching Unauthorised and returning a different status could get confusing. Create a new exception type for this.
Sure, okay.
done
Summary of change
When creating a session for a userId which is known by ST, check if the user is part of that tenant.
Related issues
Test Plan
Documentation changes
Checklist for important updates
- `coreDriverInterfaceSupported.json` file has been updated (if needed)
- `pluginInterfaceSupported.json` file has been updated (if needed)
- `build.gradle` has been updated (if needed)
- `getPaidFeatureStats` function in the FeatureFlag.java file has been updated (if needed)
- Entries have been added to `implementationDependencies.json` (if needed)
- `getValidFields` in `io/supertokens/config/CoreConfig.java` has been updated if new aliases were added for any core config (similar to the `access_token_signing_key_update_interval` config alias)
- Target branch: find the latest released tag (`git tag`) in the format `vX.Y.Z`, and then find the latest branch (`git branch --all`) whose `X.Y` is greater than the latest released tag
- `app_id_to_user_id` table: make sure to delete from this table when deleting the user as well if `deleteUserIdMappingToo` is false