fix: session creation - checking tenant for user

CHANGELOG.md

@@ -7,6 +7,13 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+
+## [9.3.1] 
+
+- Adds support for CDI 5.3
+- In CDI 5.3, when creating a new session for a known user, checks if the user is a member of that tenant.
+  If not, returns USER_DOES_NOT_BELONG_TO_TENANT_ERROR.
+
 ## [9.3.0]
 
 ### Changes
@@ -149,6 +156,7 @@ CREATE TABLE IF NOT EXISTS oauth_logout_challenges (
 
 CREATE INDEX oauth_logout_challenges_time_created_index ON oauth_logout_challenges(time_created ASC, app_id ASC);
 ```
+>>>>>>> origin/master
 
 ## [9.2.3] - 2024-10-09
 

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "9.3.0"
+version = "9.3.1"
 
 
 repositories {

coreDriverInterfaceSupported.json

@@ -21,6 +21,7 @@
     "4.0",
     "5.0",
     "5.1",
-    "5.2"
+    "5.2",
+    "5.3"
   ]
 }

src/main/java/io/supertokens/session/Session.java

@@ -19,6 +19,7 @@
 import com.google.gson.JsonObject;
 import io.supertokens.Main;
 import io.supertokens.ProcessState;
+import io.supertokens.authRecipe.AuthRecipe;
 import io.supertokens.config.Config;
 import io.supertokens.config.CoreConfig;
 import io.supertokens.exceptions.AccessTokenPayloadError;
@@ -82,7 +83,7 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
             JWT.JWTException, UnsupportedJWTSigningAlgorithmException, AccessTokenPayloadError {
         try {
             return createNewSession(tenantIdentifier, storage, main, recipeUserId, userDataInJWT, userDataInDatabase,
-                    false, AccessToken.getLatestVersion(), false);
+                    false, AccessToken.getLatestVersion(), false, false);
         } catch (TenantOrAppNotFoundException e) {
             throw new IllegalStateException(e);
         }
@@ -101,8 +102,9 @@ public static SessionInformationHolder createNewSession(Main main,
         try {
             return createNewSession(
                     new TenantIdentifier(null, null, null), storage, main,
-                    recipeUserId, userDataInJWT, userDataInDatabase, false, AccessToken.getLatestVersion(), false);
-        } catch (TenantOrAppNotFoundException e) {
+                    recipeUserId, userDataInJWT, userDataInDatabase, false,
+                    AccessToken.getLatestVersion(), false, false);
+        } catch (TenantOrAppNotFoundException | UnauthorisedException e) {
             throw new IllegalStateException(e);
         }
     }
@@ -121,8 +123,8 @@ public static SessionInformationHolder createNewSession(Main main, @Nonnull Stri
         try {
             return createNewSession(
                     new TenantIdentifier(null, null, null), storage, main,
-                    recipeUserId, userDataInJWT, userDataInDatabase, enableAntiCsrf, version, useStaticKey);
-        } catch (TenantOrAppNotFoundException e) {
+                    recipeUserId, userDataInJWT, userDataInDatabase, enableAntiCsrf, version, useStaticKey, false);
+        } catch (TenantOrAppNotFoundException | UnauthorisedException e) {
             throw new IllegalStateException(e);
         }
     }
@@ -132,11 +134,11 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
                                                             @Nonnull JsonObject userDataInJWT,
                                                             @Nonnull JsonObject userDataInDatabase,
                                                             boolean enableAntiCsrf, AccessToken.VERSION version,
-                                                            boolean useStaticKey)
+                                                            boolean useStaticKey, boolean checkUserForTenant)
             throws NoSuchAlgorithmException, StorageQueryException, InvalidKeyException,
             InvalidKeySpecException, StorageTransactionLogicException, SignatureException, IllegalBlockSizeException,
             BadPaddingException, InvalidAlgorithmParameterException, NoSuchPaddingException, AccessTokenPayloadError,
-            UnsupportedJWTSigningAlgorithmException, TenantOrAppNotFoundException {
+            UnsupportedJWTSigningAlgorithmException, TenantOrAppNotFoundException, UnauthorisedException {
         String sessionHandle = UUID.randomUUID().toString();
         if (!tenantIdentifier.getTenantId().equals(TenantIdentifier.DEFAULT_TENANT_ID)) {
             sessionHandle += "_" + tenantIdentifier.getTenantId();
@@ -151,6 +153,7 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
                 recipeUserId = userIdMapping.superTokensUserId;
             }
 
+
             primaryUserId = StorageUtils.getAuthRecipeStorage(storage)
                     .getPrimaryUserIdStrForUserId(tenantIdentifier.toAppIdentifier(), recipeUserId);
             if (primaryUserId == null) {
@@ -166,6 +169,16 @@ public static SessionInformationHolder createNewSession(TenantIdentifier tenantI
             if (userIdMappings.containsKey(recipeUserId)) {
                 recipeUserId = userIdMappings.get(recipeUserId);
             }
+
+            if(checkUserForTenant) {
+                AuthRecipeUserInfo authRecipeUserInfo = AuthRecipe.getUserById(tenantIdentifier.toAppIdentifier(),
+                        storage, recipeUserId);
+                if (authRecipeUserInfo != null) {
+                    if (!authRecipeUserInfo.tenantIds.contains(tenantIdentifier.getTenantId())) {
+                        throw new UnauthorisedException("User is not part of requested tenant!");
+                    }
+                }
+            }
         }
 
         String antiCsrfToken = enableAntiCsrf ? UUID.randomUUID().toString() : null;

src/main/java/io/supertokens/utils/SemVer.java

@@ -38,6 +38,7 @@ public class SemVer implements Comparable<SemVer> {
     public static final SemVer v5_0 = new SemVer("5.0");
     public static final SemVer v5_1 = new SemVer("5.1");
     public static final SemVer v5_2 = new SemVer("5.2");
+    public static final SemVer v5_3 = new SemVer("5.3");
 
     final private String version;
 

src/main/java/io/supertokens/webserver/WebserverAPI.java

@@ -29,7 +29,8 @@
 import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.emailpassword.exceptions.UnknownUserIdException;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
-import io.supertokens.pluginInterface.multitenancy.*;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.useridmapping.UserIdType;
@@ -77,10 +78,11 @@ public abstract class WebserverAPI extends HttpServlet {
         supportedVersions.add(SemVer.v5_0);
         supportedVersions.add(SemVer.v5_1);
         supportedVersions.add(SemVer.v5_2);
+        supportedVersions.add(SemVer.v5_3);
     }
 
     public static SemVer getLatestCDIVersion() {
-        return SemVer.v5_2;
+        return SemVer.v5_3;
     }
 
     public SemVer getLatestCDIVersionForRequest(HttpServletRequest req)

src/main/java/io/supertokens/webserver/api/session/SessionAPI.java

@@ -99,11 +99,12 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
             }
 
             AccessToken.VERSION accessTokenVersion = AccessToken.getAccessTokenVersionForCDI(version);
+            boolean shouldCheckUserForTenant = version.greaterThanOrEqualTo(SemVer.v5_3);
 
             SessionInformationHolder sessionInfo = Session.createNewSession(
                     tenantIdentifier, storage, main, userId, userDataInJWT,
                     userDataInDatabase, enableAntiCsrf, accessTokenVersion,
-                    useStaticSigningKey);
+                    useStaticSigningKey, shouldCheckUserForTenant);
 
             if (storage.getType() == STORAGE_TYPE.SQL) {
                 try {
@@ -143,6 +144,11 @@ protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws I
             super.sendJsonResponse(200, result, resp);
         } catch (AccessTokenPayloadError e) {
             throw new ServletException(new BadRequestException(e.getMessage()));
+        } catch (UnauthorisedException e) {
+                JsonObject reply = new JsonObject();
+                reply.addProperty("status", "USER_DOES_NOT_BELONG_TO_TENANT_ERROR");
+                reply.addProperty("message", e.getMessage());
+                super.sendJsonResponse(200, reply, resp);
         } catch (NoSuchAlgorithmException | StorageQueryException | InvalidKeyException | InvalidKeySpecException |
                  StorageTransactionLogicException | SignatureException | IllegalBlockSizeException |
                  BadPaddingException | InvalidAlgorithmParameterException | NoSuchPaddingException |

src/test/java/io/supertokens/test/accountlinking/SessionTests.java

@@ -386,7 +386,7 @@ public void testSessionBehaviourWhenUserBelongsTo2TenantsAndThenLinkedToSomeOthe
 
         AuthRecipe.createPrimaryUser(process.getProcess(), t1.toAppIdentifier(), t1Storage,
                 user2.getSupertokensUserId());
-        AuthRecipe.linkAccounts(process.getProcess(), t1.toAppIdentifier(), t1Storage, user1.getSupertokensUserId(),
+        AuthRecipe.linkAccounts(process.getProcess(), t2.toAppIdentifier(), t2Storage, user1.getSupertokensUserId(),
                 user2.getSupertokensUserId());
 
         SessionInformationHolder session1 = Session.createNewSession(t2, t2Storage, process.getProcess(),