Add validateAccessToken for third party providers that allows validat…

…ion of access tokens issues by the provider during sign in or up

lib/build/recipe/thirdparty/api/implementation.js

@@ -63,6 +63,13 @@ function getAPIInterface() {
                 } else {
                     throw Error("should never come here");
                 }
+                if (provider.config.validateAccessToken !== undefined) {
+                    yield provider.config.validateAccessToken({
+                        accessToken: oAuthTokensToUse.access_token,
+                        clientConfig: provider.config,
+                        userContext,
+                    });
+                }
                 const userInfo = yield provider.getUserInfo({ oAuthTokens: oAuthTokensToUse, userContext });
                 if (userInfo.email === undefined && provider.config.requireEmail === false) {
                     userInfo.email = {

lib/build/recipe/thirdparty/types.d.ts

@@ -69,6 +69,21 @@ declare type CommonProviderConfig = {
         clientConfig: ProviderConfigForClientType;
         userContext: any;
     }) => Promise<void>;
+    /**
+     * This function is responsible for validating the access token received from the third party provider.
+     * This check can include checking the expiry of the access token, checking the audience of the access token, etc.
+     *
+     * This function should throw an error if the access token should be considered invalid, or return nothing if it is valid
+     *
+     * @param input.accessToken The access token to be validated
+     * @param input.clientConfig The configuration provided for the third party provider when initialising SuperTokens
+     * @param input.userContext Refer to https://supertokens.com/docs/thirdparty/advanced-customizations/user-context
+     */
+    validateAccessToken?: (input: {
+        accessToken: string;
+        clientConfig: ProviderConfigForClientType;
+        userContext: any;
+    }) => Promise<void>;
     requireEmail?: boolean;
     generateFakeEmail?: (input: { thirdPartyUserId: string; tenantId: string; userContext: any }) => Promise<string>;
 };

lib/ts/recipe/thirdparty/api/implementation.ts

@@ -31,6 +31,14 @@ export default function getAPIInterface(): APIInterface {
                 throw Error("should never come here");
             }
 
+            if (provider.config.validateAccessToken !== undefined) {
+                await provider.config.validateAccessToken({
+                    accessToken: oAuthTokensToUse.access_token,
+                    clientConfig: provider.config,
+                    userContext,
+                });
+            }
+
             const userInfo = await provider.getUserInfo({ oAuthTokens: oAuthTokensToUse, userContext });
 
             if (userInfo.email === undefined && provider.config.requireEmail === false) {

lib/ts/recipe/thirdparty/types.ts

@@ -66,6 +66,21 @@ type CommonProviderConfig = {
         clientConfig: ProviderConfigForClientType;
         userContext: any;
     }) => Promise<void>;
+    /**
+     * This function is responsible for validating the access token received from the third party provider.
+     * This check can include checking the expiry of the access token, checking the audience of the access token, etc.
+     *
+     * This function should throw an error if the access token should be considered invalid, or return nothing if it is valid
+     *
+     * @param input.accessToken The access token to be validated
+     * @param input.clientConfig The configuration provided for the third party provider when initialising SuperTokens
+     * @param input.userContext Refer to https://supertokens.com/docs/thirdparty/advanced-customizations/user-context
+     */
+    validateAccessToken?: (input: {
+        accessToken: string;
+        clientConfig: ProviderConfigForClientType;
+        userContext: any;
+    }) => Promise<void>;
     requireEmail?: boolean;
     generateFakeEmail?: (input: { thirdPartyUserId: string; tenantId: string; userContext: any }) => Promise<string>;
 };