Merge pull request #266 from supertokens/feat/jwt-rework

feat: Access token rework

Author: rishabhpoddar

CHANGELOG.md

@@ -7,9 +7,304 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [unreleased]
 
-## [0.12.0] - 2023-05-03
+## [0.12.0] - 2023-05-05
+
+### Added
+
 - added optional password policy check in `updateEmailOrPassword`
 
+### Breaking Changes
+
+-   Changed the interface and configuration of the Session recipe, see below for details. If you do not use the Session recipe directly and do not provide custom configuration, then no migration is necessary.
+-   Renamed `GetSessionData` to `GetSessionDataInDatabase` to clarify that it always hits the DB
+-   Renamed `GetSessionDataWithContext` to `GetSessionDataInDatabaseWithContext` to clarify that it always hits the DB
+-   Renamed `UpdateSessionData` to `UpdateSessionDataInDatabase`
+-   Renamed `UpdateSessionDataWithContext` to `UpdateSessionDataInDatabaseWithContext` to clarify that it always hits the DB
+-   Renamed `SessionData` to `SessionDataInDatabase` in `SessionInformation`
+-   Renamed `sessionData` to `sessionDataInDatabase` in the input to `CreateNewSession`
+-   Added `useStaticSigningKey` to `CreateJWT` and `CreateJWTWithContext`
+-   Added support for CDI version `2.21`
+-   Dropped support for CDI version `2.8`-`2.20`
+-   `GetAccessTokenPayload` will now return standard (`sub`, `iat`, `exp`) claims and some SuperTokens specific claims along the user defined ones in `GetAccessTokenPayload`.
+-   Some claim names are now prohibited in the root level of the access token payload
+    -   They are: `sub`, `iat`, `exp`, `sessionHandle`, `parentRefreshTokenHash1`, `refreshTokenHash1`, `antiCsrfToken`
+    -   If you used these in the root level of the access token payload, then you'll need to migrate your sessions or they will be logged out during the next refresh
+    -   These props should be renamed (e.g., by adding a prefix) or moved inside an object in the access token payload
+    -   You can migrate these sessions by updating their payload to match your new structure, by calling `MergeIntoAccessTokenPayload`
+-   New access tokens are valid JWTs now
+    -   They can be used directly (i.e.: by calling `GetAccessToken` on the session) if you need a JWT
+    -   The `jwt` prop in the access token payload is removed
+-   JWT and OpenId related configuration has been removed from the Session recipe config. If necessary, they can be added by initializing the OpenId recipe before the Session recipe.
+-   Changed the Session recipe interface - CreateNewSession, GetSession and RefreshSession overrides now do not take response and request and return status instead of throwing
+-   Renamed `AccessTokenPayload` to `CustomClaimsInAccessTokenPayload` in `SessionInformation` (the return value of `GetSessionInformation`). This reflects the fact that it doesn't contain some default claims (`sub`, `iat`, etc.)
+
+### Changed
+
+-   Refactors the URL for the JWKS endpoint exposed by SuperTokens core
+-   Added new optional `useStaticSigningKey` param to `CreateJWT`
+-   The Session recipe now always initializes the OpenID recipe if it hasn't been initialized.
+-   Refactored how access token validation is done
+-   Added support for new access token version
+-   Removed the handshake call to improve start-up times
+-   Removed `GetAccessTokenLifeTimeMS` and `GetRefreshTokenLifeTimeMS` functions
+-   Added `ExposeAccessTokenToFrontendInCookieBasedAuth` (defaults to `false`) option to the Session recipe config
+-   Added new `checkDatabase` param to `VerifySession` and `GetSession`
+-   Removed deprecated `UpdateAccessTokenPayload`, `UpdateAccessTokenPayloadWithContext`, `RegenerateAccessToken` and `RegenerateAccessTokenWithContext` from the Session recipe interface
+-   Added `CreateNewSessionWithoutRequestResponse`, `CreateNewSessionWithContextWithoutRequestResponse`, `GetSessionWithoutRequestResponse`, `GetSessionWithContextWithoutRequestResponse`, `RefreshSession`, `RefreshSessionWithContextWithoutRequestResponse` to the Session recipe.
+-   Added `GetAllSessionTokensDangerously` to session objects (`SessionContainer`)
+-   Added `AttachToRequestResponse` to session objects (`SessionContainer`)
+
+### Migration
+
+#### If self-hosting core
+
+1. You need to update the core version
+2. There are manual migration steps needed. Check out the core changelogs for more details.
+
+#### If you used the jwt feature of the session recipe
+
+1. Add `ExposeAccessTokenToFrontendInCookieBasedAuth: true` to the Session recipe config on the backend if you need to access the JWT on the frontend.
+2. On the frontend where you accessed the JWT before by: `(await Session.getAccessTokenPayloadSecurely()).jwt` update to:
+
+```tsx
+let jwt = null;
+const accessTokenPayload = await Session.getAccessTokenPayloadSecurely();
+if (accessTokenPayload.jwt === undefined) {
+    jwt = await Session.getAccessToken();
+} else {
+    // This branch is only required if there are valid access tokens created before the update
+    // It can be removed after the validity period ends
+    jwt = accessTokenPayload.jwt;
+}
+```
+
+3. On the backend if you accessed the JWT before by `session.GetAccessTokenPayload()["jwt"]` please update to:
+
+```go
+var jwt string
+accessTokenPayload := session.GetAccessTokenPayload();
+if (accessTokenPayload["jwt"] == nil) {
+    jwt =  session.GetAccessToken();
+} else {
+    // This branch is only required if there are valid access tokens created before the update
+    // It can be removed after the validity period ends
+    jwt = accessTokenPayload["jwt"].(string);
+}
+```
+
+#### If you used to set an issuer in the session recipe `Jwt` configuration
+
+-   You can add an issuer claim to access tokens by overriding the `CreateNewSession` function in the session recipe init.
+    -   Check out https://supertokens.com/docs/passwordless/common-customizations/sessions/claims/access-token-payload#during-session-creation for more information
+-   You can add an issuer claim to JWTs created by the JWT recipe by passing the `iss` claim as part of the payload.
+-   You can set the OpenId discovery configuration as follows:
+
+Before:
+
+```go
+func main() {
+    supertokens.Init(supertokens.TypeInput{
+        RecipeList: []supertokens.Recipe{
+            session.Init(&sessmodels.TypeInput{
+                Jwt: &sessmodels.JWTInputConfig{
+                    Enable: true,
+					Issuer: "...",
+                },
+            }),
+        },
+    })
+}
+```
+
+After:
+
+```go
+func main() {
+    supertokens.Init(supertokens.TypeInput{
+	RecipeList: []supertokens.Recipe{
+		session.Init(&sessmodels.TypeInput{
+			GetTokenTransferMethod: func(req *http.Request, forCreateNewSession bool, userContext supertokens.UserContext) sessmodels.TokenTransferMethod {
+				return sessmodels.HeaderTransferMethod
+			},
+			Override: &sessmodels.OverrideStruct{
+				OpenIdFeature: &openidmodels.OverrideStruct{
+					Functions: func(originalImplementation openidmodels.RecipeInterface) openidmodels.RecipeInterface {
+						(*originalImplementation.GetOpenIdDiscoveryConfiguration) = func(userContext *map[string]interface{}) (openidmodels.GetOpenIdDiscoveryConfigurationResponse, error) {
+							return openidmodels.GetOpenIdDiscoveryConfigurationResponse{
+								OK: &struct{Issuer string; Jwks_uri string}{
+									Issuer:   "your issuer",
+									Jwks_uri: "https://your.api.domain/auth/jwt/jwks.json",
+								},
+							}, nil
+						}
+
+						return originalImplementation
+					},
+				},
+			},
+		}),
+	},
+})
+}
+```
+
+#### If you used `sessionData` (not `accessTokenPayload`)
+
+Related functions/prop names have changes (`sessionData` became `sessionDataFromDatabase`):
+
+-   Renamed `GetSessionData` to `GetSessionDataFromDatabase` to clarify that it always hits the DB
+-   Renamed `UpdateSessionData` to `UpdateSessionDataInDatabase`
+-   Renamed `sessionData` to `sessionDataInDatabase` in `SessionInformation` and the input to `CreateNewSession`
+
+#### If you used to set `access_token_blacklisting` in the core config
+
+-   You should now set `CheckDatabase` to true in the verifySession params.
+
+#### If you used to set `access_token_signing_key_dynamic` in the core config
+
+-   You should now set `useDynamicAccessTokenSigningKey` in the Session recipe config.
+
+#### If you used to use standard/protected props in the access token payload root:
+
+1. Update you application logic to rename those props (e.g., by adding a prefix)
+2. Update the session recipe config (in this example `sub` is the protected property we are updating by adding the `app` prefix):
+
+Before:
+
+```go
+func main() {
+    supertokens.Init(supertokens.TypeInput{
+	RecipeList: []supertokens.Recipe{
+		session.Init(&sessmodels.TypeInput{
+			Override: &sessmodels.OverrideStruct{
+				Functions: func(originalImplementation sessmodels.RecipeInterface) sessmodels.RecipeInterface {
+					originalCreateNewSession := *originalImplementation.CreateNewSession
+					(*originalImplementation.CreateNewSession) = func(req *http.Request, res http.ResponseWriter, userID string, accessTokenPayload, sessionData map[string]interface{}, userContext supertokens.UserContext) (sessmodels.SessionContainer, error) {
+						if accessTokenPayload == nil {
+							accessTokenPayload = map[string]interface{}{}
+						}
+
+						accessTokenPayload["sub"] = userID + "!!!"
+
+						return originalCreateNewSession(req, res, userID, accessTokenPayload, sessionData, userContext)
+					}
+
+					return originalImplementation
+				},
+			},
+		}),
+	},
+})
+}
+```
+
+After:
+
+```go
+func main() {
+    supertokens.Init(supertokens.TypeInput{
+	RecipeList: []supertokens.Recipe{
+		session.Init(&sessmodels.TypeInput{
+			Override: &sessmodels.OverrideStruct{
+				Functions: func(originalImplementation sessmodels.RecipeInterface) sessmodels.RecipeInterface {
+					originalGetSession := *originalImplementation.GetSession
+
+					(*originalImplementation.GetSession) = func(req *http.Request, res http.ResponseWriter, options *sessmodels.VerifySessionOptions, userContext *map[string]interface{}) (*sessmodels.TypeSessionContainer, error) {
+						result, err := originalGetSession(req, res, options, userContext)
+
+						if result != nil {
+							originalPayload := result.GetAccessTokenPayload()
+
+							if originalPayload["appSub"] == nil {
+								result.MergeIntoAccessTokenPayload(map[string]interface{}{
+									"appSub": originalPayload["sub"],
+									"sub": nil,
+								})
+							}
+						}
+
+						return result, err
+					}
+
+					originalCreateNewSession := *originalImplementation.CreateNewSession
+
+
+					(*originalImplementation.CreateNewSession) = func(req *http.Request, res http.ResponseWriter, userID string, accessTokenPayload map[string]interface{}, sessionData map[string]interface{}, userContext *map[string]interface{}) (*sessmodels.TypeSessionContainer, error) {
+						if accessTokenPayload == nil {
+							accessTokenPayload = map[string]interface{}{}
+						}
+
+						accessTokenPayload["sub"] = userID + "!!!"
+
+						return originalCreateNewSession(req, res, userID, accessTokenPayload, sessionData, userContext)
+					}
+
+					return originalImplementation
+				},
+			},
+		}),
+	},
+})
+}
+```
+
+#### If you added an override for `CreateNewSession`/`RefreshSession`/`GetSession`:
+
+This example uses `GetSession`, but the changes required for the other ones are very similar. Before:
+
+```go
+session.Init(&sessmodels.TypeInput{
+    Override: &sessmodels.OverrideStruct{
+        Functions: func(originalImplementation sessmodels.RecipeInterface) sessmodels.RecipeInterface {
+            originalGetSession := *originalImplementation.GetSession
+
+            newGetSession := func(req *http.Request, res http.ResponseWriter, options *sessmodels.VerifySessionOptions, userContext supertokens.UserContext) (sessmodels.SessionContainer, error) {
+                response, err := originalGetSession(req, res, options, userContext)
+
+                if err != nil {
+                    return nil, err
+                }
+
+                return response, nil
+            }
+            
+            *originalImplementation.GetSession = newGetSession
+            return originalImplementation
+        },
+    },
+})
+```
+
+After:
+
+```go
+session.Init(&sessmodels.TypeInput{
+    Override: &sessmodels.OverrideStruct{
+        Functions: func(originalImplementation sessmodels.RecipeInterface) sessmodels.RecipeInterface {
+            originalGetSession := *originalImplementation.GetSession
+
+            newGetSession := func(accessToken string, antiCSRFToken *string, options *sessmodels.VerifySessionOptions, userContext supertokens.UserContext) (sessmodels.SessionContainer, error) {
+                defaultUserContext := (*userContext)["_default"].(map[string]interface{})
+                request := defaultUserContext["request"]
+                
+                print(request)
+                
+                response, err := originalGetSession(accessToken, antiCSRFToken, options, userContext)
+                if err != nil {
+                    return nil, err
+                }
+                
+                return response, nil
+            }
+            
+            *originalImplementation.GetSession = newGetSession
+
+            return originalImplementation
+        },
+    },
+}),
+```
+
 ## [0.11.0] - 2023-04-28
 - Added missing arguments in `GetUsersNewestFirst` and `GetUsersOldestFirst`
 

coreDriverInterfaceSupported.json

@@ -1,18 +1,6 @@
 {
         "_comment": "contains a list of core-driver interfaces branch names that this core supports",
         "versions": [
-                "2.8",
-                "2.9",
-                "2.10",
-                "2.11",
-                "2.12",
-                "2.13",
-                "2.14",
-                "2.15",
-                "2.16",
-                "2.17",
-                "2.18",
-                "2.19",
-                "2.20"
+                "2.21"
         ]
 }

examples/go.sum

@@ -49,8 +49,8 @@ github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym
 github.com/ClickHouse/clickhouse-go v1.5.4/go.mod h1:EaI/sW7Azgz9UATzd5ZdZHRUhHgv5+JMS9NSr2smCJI=
 github.com/ClickHouse/clickhouse-go/v2 v2.2.0/go.mod h1:8f2XZUi7XoeU+uPIytSi1cvx8fmJxi7vIgqpvYTF1+o=
 github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM=
-github.com/MicahParks/keyfunc v1.0.0 h1:O9VAkG6q/LqX4eS+HuIsW9KfC/Luh2NBQr9v4NiwHU0=
-github.com/MicahParks/keyfunc v1.0.0/go.mod h1:R8RZa27qn+5cHTfYLJ9/+7aSb5JIdz7cl0XFo0o4muo=
+github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o=
+github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
 github.com/NYTimes/gziphandler v0.0.0-20170623195520-56545f4a5d46/go.mod h1:3wb06e3pkSAbeQ52E9H9iFoQsEEwGN64994WTCIhntQ=
 github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbtSwDGJws/X0=
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
@@ -198,7 +198,6 @@ github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7a
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
-github.com/golang-jwt/jwt/v4 v4.1.0/go.mod h1:/xlHOz8bRuivTWchD4jCa+NbatV+wEUSzwAxVc6locg=
 github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=

examples/with-chi-oso/service/service.go

@@ -48,7 +48,7 @@ func (s *service) Sessioninfo(w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte("no session found"))
 		return
 	}
-	sessionData, err := sessionContainer.GetSessionData()
+	sessionData, err := sessionContainer.GetSessionDataInDatabase()
 	if err != nil {
 		err = supertokens.ErrorHandler(err, r, w)
 		if err != nil {

examples/with-chi/main.go

@@ -133,7 +133,7 @@ func sessioninfo(w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte("no session found"))
 		return
 	}
-	sessionData, err := sessionContainer.GetSessionData()
+	sessionData, err := sessionContainer.GetSessionDataInDatabase()
 	if err != nil {
 		err = supertokens.ErrorHandler(err, r, w)
 		if err != nil {

examples/with-fiber/main.go

@@ -146,7 +146,7 @@ func sessioninfo(c *fiber.Ctx) error {
 	if sessionContainer == nil {
 		return c.Status(500).JSON("no session found")
 	}
-	sessionData, err := sessionContainer.GetSessionData()
+	sessionData, err := sessionContainer.GetSessionDataInDatabase()
 	if err != nil {
 		return c.Status(500).JSON(err.Error())
 	}

examples/with-gin/server/server.go

@@ -66,7 +66,7 @@ func sessioninfo(c *gin.Context) {
 		c.JSON(500, "no session found")
 		return
 	}
-	sessionData, err := sessionContainer.GetSessionData()
+	sessionData, err := sessionContainer.GetSessionDataInDatabase()
 	if err != nil {
 		err = supertokens.ErrorHandler(err, c.Request, c.Writer)
 		if err != nil {

examples/with-go-zero/main.go

@@ -137,7 +137,7 @@ func sessioninfo(w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte("no session found"))
 		return
 	}
-	sessionData, err := sessionContainer.GetSessionData()
+	sessionData, err := sessionContainer.GetSessionDataInDatabase()
 	if err != nil {
 		err = supertokens.ErrorHandler(err, r, w)
 		if err != nil {

examples/with-http/main.go

@@ -133,7 +133,7 @@ func sessioninfo(w http.ResponseWriter, r *http.Request) {
 		w.Write([]byte("no session found"))
 		return
 	}
-	sessionData, err := sessionContainer.GetSessionData()
+	sessionData, err := sessionContainer.GetSessionDataInDatabase()
 	if err != nil {
 		err = supertokens.ErrorHandler(err, r, w)
 		if err != nil {