feat(sessiongrants): add support for session grants (#278)

* feat(sessiongrants): define types and add some implementation for session grants

* refactor(sessiongrants): implement interface related feedback

* refactor(sesssiongrants): renamed to claims

* refactor(sessionclaims): implementing review feedback + cleanup

* feat(sessiongrants): updated claims interface & fixes

* refactor(sessiongrants): updating the interface WIP

* refactor: review feedback + merge updates

* feat: implementing review feedback

* feat(sessionclaims): implementing interface feedback + initial tests

* feat(sessionclaims): add claim management funcs to session

* feat(sessionclaims): remove separate session claims field from AT

* fix(sessionclaims): add missing await to fix applyClaimBuilder

* feat(sessionclaims): implementing review feedback

* feat(sessionclaims): implementing review feedback

* feat(sessionclaims): implementing review feedback

* refactor(sessionclaims): review feedback

* feat(sessionclaims): review changes + exporting missing functions

* feat: review feedback

* feat: clarifications/minor improvements + further testing

* refactor: change getLastRefetchTime to return raw number instead of Date

* feat(sessionclaims): review feedback

* test(sessionclaims): add removeClaim and fetchAndSetClaim tests

* refactor(sessionclaims): added debug log after session claims assertion

* feat: move claim assertion out of getSession

* feat: add isTrue and isFalse validators

* feat: review feedback

* feat: initial (untested) implementation for email verification claims

* fix(sessionclaims): fix circular dep error

* fix(sessionclaims): add missing initializer for bootstrap callback list

* test(sessionclaims): remove test of deleted module

* refactor(sessionclaims): renamed parameter to fit existing terminology

* feat: review feedback (#350)

* refactor(sessionclaims): further review feedback

* test(sessionclaims): add tests for session handle methods + extend tests

* refactor: rename removeFromPayload + fix value type of PrimitiveClaim

* feat(sessionclaims): implement review feedback

* refactor(sessionclaims): finished renaming EmailVerifiedClaim

* feat(sessionclaims): implement review feedback

* feat(sessionclaims): mark passwordless users as validated

* fix(sessionclaims): add missing await

* test(sessionclaims): remove unused test code

* fix(sessionclaims): self-review fix

* feat(sessionclaims): review feedback

* feat(sessionclaims): review feedback (#352)

* feat(sessionclaims): make validators return only promises

* refactor(sessionclaims): check expiration first in primitive claims

* refactor(sessionclaims): throw on duplicate claims added by recipes

* test(sessionclaims): update tests for async validators

* feat(sessionclaims): make getClaimValue non-throwing

* feat(sessionclaims): adding claim validation functions to session recipe

* feat(sessionclaims): implement review feedback

* feat(sessionclaims): review feedback

* test(sessionclaims): update tests (#356)

* fix(sessionclaims): fix updating claims

* feat(sessionclaims): make the email param optional in user facing emailverification methods

* test(sessionclaims): update/fix tests

* refactor(sessionclaims): removed unnecessary if + console log

* feat(sessionclaims): remove console log

* feat(sessionclaims): add roles claim and primitive array claim (#357)

* feat(sessionclaims): add roles claim and primitive array claim to support

* feat(sessionclaims): removed strictEquals

* chore: update changelog (#358)

* chore(sessionclaims): update changelog

* chore: add update instruction to changelog

* Update CHANGELOG.md

* Update CHANGELOG.md

Co-authored-by: Rishabh Poddar <[email protected]>

* feat(sessionclaims): add request to default usercontext of verifySession (#361)

* refactor to session recipe to remove extra assertClaims (#366)

* refactor to session recipe to remove extra assertClaims

* feat: review feedback + test fixing

* test: updated test after the merge

* feat: fix updateAccessTokenPayload param type

Co-authored-by: Mihaly Lengyel <[email protected]>

* Fixes to session grants base branch (#369)

* fixes to emaildelivery import from emailverification reicpe

* fixes issue with emailverification function TS

* fixes typo in SMTP service

* feat(sessionclaims): review feedback (#370)

* feat(sessionclaims): review feedback

* refactor: added missing id override to boolean claim validators

* adds session object as input / output to some of the api functions in session recipe (#371)

* fix: fix the returned status of revokeEmailVerificationTokens for pwless users (#372)

* fix: fix the returned status of revokeEmailVerificationTokens for pwless users

* test: test revokeEmailVerificationTokens when getEmailForUserId returns an error

* Signinup function cleanup (#373)

* removes unnecessary param in signInUp function

* fixes tests

* fixes more tests

* fix: passing changelog in emailverification api + added migration for passwordless-emailverification into changelog

* feat: refetch email verified claim based on maxAgeInSeconds (5 min default) (#378)

* fix: check and throw if sessionExpiredStatusCode == invalidClaimStatusCode

* chore: update changelog to mention changed integration and role guides

* fix: fix type issues from review comments

* fix: make userContext non-optional in recipe interface method inputs

* chore: updated supported fdi version

* test: fix tests

Co-authored-by: Mihaly Lengyel <[email protected]>
Co-authored-by: Rishabh Poddar <[email protected]>

Author: 3 people

CHANGELOG.md

@@ -7,6 +7,182 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
+### Changed
+
+-   Made the `email` parameter option in `unverifyEmail`, `revokeEmailVerificationTokens`, `isEmailVerified`, `verifyEmailUsingToken`, `createEmailVerificationToken` of the `EmailVerification` recipe.
+
+### Added
+
+-   Added support for session claims with related interfaces and classes.
+-   Added `onInvalidClaim` optional error handler to send InvalidClaim error responses.
+-   Added `INVALID_CLAIMS` to `SessionErrors`.
+-   Added `invalidClaimStatusCode` optional config to set the status code of InvalidClaim errors.
+-   Added `overrideGlobalClaimValidators` to options of `getSession` and `verifySession`.
+-   Added `mergeIntoAccessTokenPayload` to the Session recipe and session objects which should be preferred to the now deprecated `updateAccessTokenPayload`.
+-   Added `EmailVerificationClaim`, `UserRoleClaim` and `PermissionClaim`. These claims are now added to the access token payload by default by their respective recipes.
+-   Added `assertClaims`, `validateClaimsForSessionHandle`, `validateClaimsInJWTPayload` to the Session recipe to support validation of the newly added claims.
+-   Added `fetchAndSetClaim`, `getClaimValue`, `setClaimValue` and `removeClaim` to the Session recipe to manage claims.
+-   Added `assertClaims`, `fetchAndSetClaim`, `getClaimValue`, `setClaimValue` and `removeClaim` to session objects to manage claims.
+-   Added session to the input of `generateEmailVerifyTokenPOST`, `verifyEmailPOST`, `isEmailVerifiedGET`.
+-   Adds default userContext for verifySession calls that contains the request object.
+
+### Breaking changes
+
+-   Changed `signInUp` third party recipe function to accept an email string instead of an object that takes `{id: string, isVerified: boolean}`.
+-   Renames `STMP` to `SMTP` everywhere (typo).
+-   The frontend SDK should be updated to a version supporting session claims!
+    -   supertokens-auth-react: >= 0.25.0
+    -   supertokens-web-js: >= 0.2.0
+-   `EmailVerification` recipe is now not initialized as part of auth recipes, it should be added to the `recipeList` directly instead.
+-   Email verification related overrides (`emailVerificationFeature` prop of `override`) moved from auth recipes into the `EmailVerification` recipe config.
+-   Email verificitaion related configs (`emailVerificationFeature` props) moved from auth recipes into the `EmailVerification` config object root.
+-   ThirdParty recipe no longer takes emailDelivery config -> use emailverification recipe's emailDelivery instead.
+-   Moved email verification related configs from the `emailDelivery` config of auth recipes into a separate `EmailVerification` email delivery config.
+-   Updated return type of `getEmailForUserId` in the `EmailVerification` recipe config. It should now return an object with status.
+-   Removed `getResetPasswordURL`, `getEmailVerificationURL`, `getLinkDomainAndPath`. Changing these urls can be done in the email delivery configs instead.
+-   Removed `unverifyEmail`, `revokeEmailVerificationTokens`, `isEmailVerified`, `verifyEmailUsingToken` and `createEmailVerificationToken` from auth recipes. These should be called on the `EmailVerification` recipe instead.
+-   Changed function signature for email verification APIs to accept a session as an input.
+-   Changed Session API interface functions:
+    -   `refreshPOST` now returns a Session container object.
+    -   `signOutPOST` now takes in an optional session object as a parameter.
+
+### Migration
+
+Before:
+
+```
+SuperTokens.init({
+    appInfo: {
+        apiDomain: "...",
+        appName: "...",
+        websiteDomain: "...",
+    },
+    recipeList: [
+        EmailPassword.init({
+            emailVerificationFeature: {
+                // these options should be moved into the config of the EmailVerification recipe
+            },
+            override: {
+                emailVerificationFeature: {
+                    // these overrides should be moved into the overrides of the EmailVerification recipe
+                }
+            }
+        })
+    ]
+})
+```
+
+After the update:
+
+```
+SuperTokens.init({
+    appInfo: {
+        apiDomain: "...",
+        appName: "...",
+        websiteDomain: "...",
+    },
+    recipeList: [
+        EmailVerification.init({
+            // all config should be moved here from the emailVerificationFeature prop of the EmailPassword recipe config
+            override: {
+                // move the overrides from the emailVerificationFeature prop of the override config in the EmailPassword init here
+            }
+        }),
+        EmailPassword.init()
+    ]
+})
+```
+
+#### Passwordless users and email verification
+
+If you turn on email verification your email-based passwordless users may be redirected to an email verification screen in their existing session.
+Logging out and logging in again will solve this problem or they could click the link in the email to verify themselves.
+
+You can avoid this by running a script that will:
+
+1. list all users of passwordless
+2. create an emailverification token for each of them if they have email addresses
+3. user the token to verify their address
+
+Something similar to this script:
+
+```ts
+const SuperTokens = require("supertokens-node");
+const Session = require("supertokens-node/recipe/session");
+const Passwordless = require("supertokens-node/recipe/passwordless");
+const EmailVerification = require("supertokens-node/recipe/emailverification");
+
+SuperTokens.init({
+    supertokens: {
+        // TODO: This is a core hosted for demo purposes. You can use this, but make sure to change it to your core instance URI eventually.
+        connectionURI: "https://try.supertokens.com",
+        apiKey: "<REQUIRED FOR MANAGED SERVICE, ELSE YOU CAN REMOVE THIS FIELD>",
+    },
+    appInfo: {
+        apiDomain: "...",
+        appName: "...",
+        websiteDomain: "...",
+    },
+    recipeList: [
+        EmailVerification.init({
+            mode: "REQUIRED",
+        }),
+        Passwordless.init({
+            contactMethod: "EMAIL_OR_PHONE",
+            flowType: "USER_INPUT_CODE_AND_MAGIC_LINK",
+        }),
+        Session.init(),
+    ],
+});
+
+async function main() {
+    let paginationToken = undefined;
+    let done = false;
+    while (!done) {
+        const userList = await SuperTokens.getUsersNewestFirst({
+            includeRecipeIds: ["passwordless"],
+            limit: 100,
+            paginationToken,
+        });
+
+        for (const { recipeId, user } of userList.users) {
+            if (recipeId === "passwordless" && user.email) {
+                const tokenResp = await EmailVerification.createEmailVerificationToken(user.id, user.email);
+                if (tokenResp.status === "OK") {
+                    await EmailVerification.verifyEmailUsingToken(tokenResp.token);
+                }
+            }
+        }
+
+        done = userList.nextPaginationToken !== undefined;
+        if (!done) {
+            paginationToken = userList.nextPaginationToken;
+        }
+    }
+}
+
+main().then(console.log, console.error);
+```
+
+#### User roles
+
+The UserRoles recipe now adds role and permission information into the access token payload by default. If you are already doing this manually, this will result in duplicate data in the access token.
+
+-   You can disable this behaviour by setting `skipAddingRolesToAccessToken` and `skipAddingPermissionsToAccessToken` to true in the recipe init.
+-   Check how to use the new claims in the updated guide: https://supertokens.com/docs/userroles/protecting-routes
+
+#### Next.js integration
+
+-   Since a new exception type has been added, there is a required change in SRR (`getServerSideProps`). You should handle the new (`INVALID_CLAIMS`) exception in the same way as you handle `UNAUTHORISED`
+-   You can check our updated guide here: https://supertokens.com/docs/thirdpartyemailpassword/nextjs/session-verification/in-ssr
+
+#### AWS integration
+
+-   The new exception type and error code requires changes if you are using SuperTokens as as an Authorizer in API Gateways.
+-   You need to handle the new exception type in the authorizer code.
+-   You need to configure the "Access Denied" response.
+-   You can check our updated guide here: https://supertokens.com/docs/thirdpartyemailpassword/serverless/with-aws-lambda/authorizer
+
 ## [11.3.0] - 2022-08-30
 
 ### Added:

frontendDriverInterfaceSupported.json

@@ -1,4 +1,4 @@
 {
     "_comment": "contains a list of frontend-driver interfaces branch names that this core supports",
-    "versions": ["1.14"]
+    "versions": ["1.14", "1.15"]
 }

lib/build/postSuperTokensInitCallbacks.d.ts

@@ -65,6 +65,6 @@ function getApiIdIfMatched(path, method) {
 }
 exports.getApiIdIfMatched = getApiIdIfMatched;
 function sendUnauthorisedAccess(res) {
-    utils_1.sendNon200Response(res, "Unauthorised access", 401);
+    utils_1.sendNon200ResponseWithMessage(res, "Unauthorised access", 401);
 }
 exports.sendUnauthorisedAccess = sendUnauthorisedAccess;

lib/build/postSuperTokensInitCallbacks.js

@@ -64,8 +64,9 @@ function getAPIImplementation() {
                     };
                 }
                 let passwordResetLink =
-                    (yield options.config.resetPasswordUsingTokenFeature.getResetPasswordURL(user, userContext)) +
-                    "?token=" +
+                    options.appInfo.websiteDomain.getAsStringDangerous() +
+                    options.appInfo.websiteBasePath.getAsStringDangerous() +
+                    "/reset-password?token=" +
                     response.token +
                     "&rid=" +
                     options.recipeId;

lib/build/recipe/dashboard/utils.js

@@ -8,7 +8,6 @@ export default class BackwardCompatibilityService
     private isInServerlessEnv;
     private appInfo;
     private resetPasswordUsingTokenFeature;
-    private emailVerificationBackwardCompatibilityService;
     constructor(
         recipeInterfaceImpl: RecipeInterface,
         appInfo: NormalisedAppinfo,
@@ -19,22 +18,11 @@ export default class BackwardCompatibilityService
                 passwordResetURLWithToken: string,
                 userContext: any
             ) => Promise<void>;
-        },
-        emailVerificationFeature?: {
-            createAndSendCustomEmail?: (
-                user: User,
-                emailVerificationURLWithToken: string,
-                userContext: any
-            ) => Promise<void>;
         }
     );
     sendEmail: (
-        input:
-            | (import("../../../../emailverification/types").TypeEmailVerificationEmailDeliveryInput & {
-                  userContext: any;
-              })
-            | (import("../../../types").TypeEmailPasswordPasswordResetEmailDeliveryInput & {
-                  userContext: any;
-              })
+        input: import("../../../types").TypeEmailPasswordPasswordResetEmailDeliveryInput & {
+            userContext: any;
+        }
     ) => Promise<void>;
 }

lib/build/recipe/emailpassword/api/implementation.js

@@ -32,42 +32,31 @@ var __awaiter =
     };
 Object.defineProperty(exports, "__esModule", { value: true });
 const passwordResetFunctions_1 = require("../../../passwordResetFunctions");
-const backwardCompatibility_1 = require("../../../../emailverification/emaildelivery/services/backwardCompatibility");
 class BackwardCompatibilityService {
-    constructor(
-        recipeInterfaceImpl,
-        appInfo,
-        isInServerlessEnv,
-        resetPasswordUsingTokenFeature,
-        emailVerificationFeature
-    ) {
+    constructor(recipeInterfaceImpl, appInfo, isInServerlessEnv, resetPasswordUsingTokenFeature) {
         this.sendEmail = (input) =>
             __awaiter(this, void 0, void 0, function* () {
-                if (input.type === "EMAIL_VERIFICATION") {
-                    yield this.emailVerificationBackwardCompatibilityService.sendEmail(input);
-                } else {
-                    let user = yield this.recipeInterfaceImpl.getUserById({
-                        userId: input.user.id,
-                        userContext: input.userContext,
-                    });
-                    if (user === undefined) {
-                        throw Error("this should never come here");
-                    }
-                    try {
-                        if (!this.isInServerlessEnv) {
-                            this.resetPasswordUsingTokenFeature
-                                .createAndSendCustomEmail(user, input.passwordResetLink, input.userContext)
-                                .catch((_) => {});
-                        } else {
-                            // see https://github.com/supertokens/supertokens-node/pull/135
-                            yield this.resetPasswordUsingTokenFeature.createAndSendCustomEmail(
-                                user,
-                                input.passwordResetLink,
-                                input.userContext
-                            );
-                        }
-                    } catch (_) {}
+                let user = yield this.recipeInterfaceImpl.getUserById({
+                    userId: input.user.id,
+                    userContext: input.userContext,
+                });
+                if (user === undefined) {
+                    throw Error("this should never come here");
                 }
+                try {
+                    if (!this.isInServerlessEnv) {
+                        this.resetPasswordUsingTokenFeature
+                            .createAndSendCustomEmail(user, input.passwordResetLink, input.userContext)
+                            .catch((_) => {});
+                    } else {
+                        // see https://github.com/supertokens/supertokens-node/pull/135
+                        yield this.resetPasswordUsingTokenFeature.createAndSendCustomEmail(
+                            user,
+                            input.passwordResetLink,
+                            input.userContext
+                        );
+                    }
+                } catch (_) {}
             });
         this.recipeInterfaceImpl = recipeInterfaceImpl;
         this.isInServerlessEnv = isInServerlessEnv;
@@ -86,33 +75,6 @@ class BackwardCompatibilityService {
                           createAndSendCustomEmail: passwordResetFunctions_1.createAndSendCustomEmail(this.appInfo),
                       };
         }
-        {
-            const inputCreateAndSendCustomEmail =
-                emailVerificationFeature === null || emailVerificationFeature === void 0
-                    ? void 0
-                    : emailVerificationFeature.createAndSendCustomEmail;
-            let emailVerificationFeatureNormalisedConfig =
-                inputCreateAndSendCustomEmail !== undefined
-                    ? {
-                          createAndSendCustomEmail: (user, link, userContext) =>
-                              __awaiter(this, void 0, void 0, function* () {
-                                  let userInfo = yield this.recipeInterfaceImpl.getUserById({
-                                      userId: user.id,
-                                      userContext,
-                                  });
-                                  if (userInfo === undefined) {
-                                      throw new Error("Unknown User ID provided");
-                                  }
-                                  return yield inputCreateAndSendCustomEmail(userInfo, link, userContext);
-                              }),
-                      }
-                    : {};
-            this.emailVerificationBackwardCompatibilityService = new backwardCompatibility_1.default(
-                this.appInfo,
-                this.isInServerlessEnv,
-                emailVerificationFeatureNormalisedConfig.createAndSendCustomEmail
-            );
-        }
     }
 }
 exports.default = BackwardCompatibilityService;

lib/build/recipe/emailpassword/emaildelivery/services/backwardCompatibility/index.d.ts

@@ -1,3 +1,3 @@
 // @ts-nocheck
 import SMTP from "./smtp";
-export declare let STMPService: typeof SMTP;
+export declare let SMTPService: typeof SMTP;

lib/build/recipe/emailpassword/emaildelivery/services/backwardCompatibility/index.js

@@ -15,4 +15,4 @@
  */
 Object.defineProperty(exports, "__esModule", { value: true });
 const smtp_1 = require("./smtp");
-exports.STMPService = smtp_1.default;
+exports.SMTPService = smtp_1.default;