diff --git a/CHANGELOG.md b/CHANGELOG.md index 8b15e873a..b80ec0cb2 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,6 +10,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - set csrf config to `false` by default - compatibility with CDI 2.3 +### Fixed +- When regenerating session, uses old access tokens' parentRefreshTokenHash1 instead of null + ### Changed - Optimises refresh token to not store old tokens in the database - removes the need for a license key diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 000000000..388e380d8 --- /dev/null +++ b/CONTRIBUTING.md 
@@ -0,0 +1,97 @@ +# Contributing + +We're so excited you're interested in helping with Supertokens! We are happy to help you get started, even if you don't have any previous open-source experience :blush: + +## New to Open Source? +1. Take a look at [How to Contribute to an Open Source Project on GitHub](https://egghead.io/courses/how-to-contribute-to-an-open-source-project-on-github) +2. Go thorugh the [SuperTokens Code of Conduct](https://github.com/supertokens/supertokens-core/blob/master/CODE_OF_CONDUCT.md) + +## Where to ask Questions? +1. Check our [Github Issues](https://github.com/supertokens/supertokens-core/issues) to see if someone has already answered your question. +2. Join our community on [Discord](https://supertokens.io/discord) and feel free to ask us your questions + +As you gain experience with SuperTokens, please help answer other people's questions! :pray: + +## What to Work On? +You can get started by taking a look at our [Github issues](https://github.com/supertokens/supertokens-core/issues) +If you find one that looks interesting and no one else is already working on it, comment in the issue that you are going to work on it. + +Please ask as many questions as you need, either directly in the issue or on [Discord](https://supertokens.io/discord). We're happy to help!:raised_hands: + +### Contributions that are ALWAYS welcome + +1. More tests +2. Contributing to discussions that can be found [here](https://github.com/supertokens/supertokens-core/issues?q=is%3Aissue+is%3Aopen+label%3Adiscussions) +3. Improved error messages +4. Educational content like blogs, videos, courses + + +## Development Setup + +### Prerequisites +- OS: Linux or macOS +- JDK: openjdk 12.0.2 for [Linux](https://linuxhint.com/install_jdk12_ubuntu_1904/) or [Mac](https://java.tutorials24x7.com/blog/how-to-install-openjdk-12-on-macos) +- IDE: [IntelliJ](https://www.jetbrains.com/idea/download/)(recommended) or equivalent IDE + +### Familiarize yourself with SuperTokens +1. 
[Architechture of SuperTokens](https://github.com/supertokens/supertokens-core/wiki/Code-and-file-structure-overview) +2. [SuperTokens code and file structure overview](https://github.com/supertokens/supertokens-core/wiki/Code-and-file-structure-overview) +3. [Versioning methodology](https://github.com/supertokens/supertokens-core/wiki/Versioning,-git-and-releases) + + +### Project Setup +1. Fork the [supertokens-core](https://github.com/supertokens/supertokens-core) repository +2. `git clone https://github.com/supertokens/supertokens-root.git` +3. `cd supertokens-root` +4. Open the `modules.txt` file in an editor: + - The `modules.txt` file contains the core, plugin-interface, the type of plugin and their branches(versions) + - By default the `master` branch is used but you can change the branch depending on which version you want to modify + - The `sqlite-plugin` is used as the default plugin as it is an in-memory database and requires no setup + - [core](https://github.com/supertokens/supertokens-core) + - [plugin-interface](https://github.com/supertokens/supertokens-plugin-interface) + - [sqlite-plugin](https://github.com/supertokens/supertokens-sqlite-plugin) + - Check the repository branches by clicking on the links listed above, click the branch tab and check for all the available versions + - Add your github `username` separated by a ',' after `core,master` in `modules.txt` + - If, for example, your github `username` is `helloworld` then modules.txt should look like... + + ``` + // put module name like module name,branch name,github username(if contributing with a forked repository) and then call ./loadModules script + core,master,helloworld + plugin-interface,master + sqlite-plugin,master + ``` + +5. Run loadModules to clone the required repositories +`./loadModules` +6. Create a directory called sqlite_db, this directory is required to run tests with the sqlite-plugin +`mkdir sqlite_db` +7. Run all tests +`./startTestingEnv` +8. 
Open the project in your IDE +9. After gradle has imported all the dependencies you can start modifying the code + +## Pull Request +1. Before submitting a pull request make sure all tests have passed + - In the directory `supertokens-root` run all the tests + - `./startTestingEnv` + - The terminal output should display that all tests have passed + - core tests: + ![core tests passing](https://github.com/supertokens/supertokens-logo/blob/master/images/core-tests-passing.png) + - plugin tests: + ![plugin tests passing](https://github.com/supertokens/supertokens-logo/blob/master/images/plugin-tests-passing.png) +2. Reference the relevant issue or pull request and give a clear description of changes/features added when submitting a pull request + +## SuperTokens Community +SuperTokens is made possible by a passionate team and a strong community of developers. If you have any questions or would like to get more involved in the SuperTokens community you can check out: + - [Github Issues](https://github.com/supertokens/supertokens-core/issues) + - [Discord](https://supertokens.io/discord) + - [Twitter](https://twitter.com/supertokensio) + - or [email us](mailto:team@supertokens.io) + +Additional resources you might find useful: + - [SuperTokens Docs](https://supertokens.io/docs/community/getting-started/installation) + - [Blog Posts](https://supertokens.io/blog/) + + + + diff --git a/INSTALLATION_INSTRUCTIONS.txt b/INSTALLATION_INSTRUCTIONS.txt deleted file mode 100644 index 1efcf12cf..000000000 --- a/INSTALLATION_INSTRUCTIONS.txt +++ /dev/null 
@@ -1,14 +0,0 @@ -IMPORTANT: The use, storage, modification and distribution of this software is subject to the terms of the licensing agreement found in the LICENSE.md file. Please read the document carefully before performing any of these actions. By performing any of these actions, you indicate that you have read and agree to the terms of the licensing agreement. Please delete this software or this source code immediately if you do not agree to the terms of the licensing agreement. - - -------------INSTRUCTIONS BELOW------------ - -1) Open up a terminal inside this directory - -2) Run the install script command with the following options: -install [--path=] [--with-source] -* If a path is provided, then SuperTokens will be installed at that location, otherwise in the following locations: - - For Linux / Unix: /usr/lib/supertokens/ - - For MacOS: /usr/local/etc/supertokens/ - - For Windows: C:\Windows\Program Files\supertokens\ -* If --with-source is given, then all 3rd party dependencies will be downloaded along with their source code. Providing or not providing this option will have no effect on the execution of the program. \ No newline at end of file diff --git a/LICENSE.md b/LICENSE.md index 12185cf46..c6b6ccb24 100644 --- a/LICENSE.md +++ b/LICENSE.md 
@@ -1,21 +1,7 @@ - Copyright (c) 2020, VRAI Labs and/or its affiliates. All rights reserved. - This software is licensed under the Apache License, Version 2.0 (the - "License") as published by the Apache Software Foundation. - - You may not use this software except in compliance with the License. A copy - of the License is available below the line. - - Unless required by applicable law or agreed to in writing, software - distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the - License for the specific language governing permissions and limitations - under the License. - -------------------------------------------------------------------------------- Apache License Version 2.0, January 2004 - http://www.apache.org/licenses/ + https://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION @@ -188,4 +174,18 @@ incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. - END OF TERMS AND CONDITIONS \ No newline at end of file + END OF TERMS AND CONDITIONS + + Copyright 2020 SuperTokens, Inc. + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index 5f7ca84e6..246a4a2bd 100644 --- a/README.md +++ b/README.md 
@@ -29,10 +29,10 @@ If you like our project, please :star2: this repository! For feedback, feel free ## What is SuperTokens? SuperTokens is an open core alternative to proprietary login providers like Auth0 or AWS Cognito. We are different because we offer: -- Open source: SuperTokens can be used for free, forever, with no limits. -- An on-premises deployment with no connection to our servers. You control 100% of your user data. +- Open source: SuperTokens can be used for free, forever, with no limits on the number of users. +- An on-premises deployment so that you control 100% of your user data, using your own database. - An end to end solution with login, sign ups, user and session management, without all the complexities of OAuth protocols. -- Ease of implementation and higher security +- Ease of implementation and higher security. - Extensibility: Anyone can contribute and make SuperTokens better! ### Philosophy 
@@ -44,8 +44,11 @@ Authentication directly affects UX, dev experience and security of any app. We b We want to change that - we believe the only way is to provide a solution that has the right level of abstraction, gives you maximum control, is secure, and is simple to use - just like if you build it yourself, from scratch (minus the time to learn, build and maintain). + +We also believe in the principle of least vendor lockin. Your having full control of your user's data means that you can switch away from SuperTokens without forcing your existing users to logout, reset their passwords or in the worst case, sign up again. ### Features +#### ❗⭐❗⭐ We want to make features as decoupled as possible. This means, you can use SuperTokens for just login, or just session management, or both. In fact, we also offer session management integrations with other login providers like Auth0. - Login (coming soon): - A decoupled login & sign up form as React components - pretty by default, but fully customisable. - Email & password login with email verification, and forgot password flows @@ -53,7 +56,6 @@ We want to change that - we believe the only way is to provide a solution that h - Extensibility to chain various login challenges - Password management - hashing + salting. - Social and other types of login - - Other community requests... - Session management @@ -66,7 +68,6 @@ We want to change that - we believe the only way is to provide a solution that h - Ability to get all sessions given a user ID. - Reading session data on the frontend, securely. - Manipulation of session and JWT payloads - - Other community requests... - User management (coming soon) - (Un)banning & deleting users 
@@ -74,12 +75,11 @@ We want to change that - we believe the only way is to provide a solution that h - Associating users with roles - Login identity consolidation (if a user logs in via google and via twitter, with the same email, they are treated as the same user). - - Other community requests... ### Documentation As of now, we only offer session management. -The docs can be seen [here](https://supertokens.io/docs/pro/getting-started/installation) +The docs can be seen [here](https://supertokens.io/docs/community/getting-started/installation) A short [implementation video](https://www.youtube.com/watch?v=kbC-QzxeZ4s&feature=emb_logo) @@ -99,6 +99,8 @@ The backend SDK talks to the SuperTokens core whenever necessary SuperTokens core talks to the installed database plugin to store information in the database. It can be run on-premises, with or without Docker. You can also use our managed service to run this. +More information about this in the [wiki section](https://github.com/supertokens/supertokens-core/wiki/SuperTokens-Architecture) + ## SuperTokens vs others Please [contact us](mailto:team@supertokens.io) if any of the information listed below is incorrect. 
@@ -131,22 +133,41 @@ Please [contact us](mailto:team@supertokens.io) if any of the information listed ## How will we make money? -From a sustainability point of view, for us and for this open source project, it's important that we make profit. So far, we plan to charge for: -- Hosting of the SuperTokens service. This can be done in a way that uses our database instances, or yours. -- A pro version that has (this may be charged on a per user basis): - - Multi region & sharding support for scaled apps - - A dashboard for session and user management - - Feature for compliance requirements - - Advanced threat detection features - - Feature roadmap is coming soon... +Our philosophy is inspired by Gitlab's buyer-based model and by [Enterprise Ready](http://www.enterpriseready.io/). This means that we intend to monitise on features that are: +- Only required by large or medium sized companies; or features that are +- Targetted towards non technical users of this product; + +*It's important to realise that the features we intend to monetise are not necessary for the growth and sustainability of your business (unlike many other alternate solutions). This means that you can have a very large business, with millions of users, and still not have to pay us. However, these features are aimed to increase operational effeciency as your business grows - you don't have to use them, but if you do, you will save lots of time and money :)* + +Examples of features that will require a subscription: +- Access control features for the dashboard (for managers and execs) + - SSO / LDAP / MFA login to the dashboard + - Roles to restrict access to parts of the dashboard. + - Creation of custom roles for dashboard operations. +- Healthcheck and uptime monitoring (for IT dept.) 
+ - Cluster health stats + - Integration with services like PagerDuty +- Features to make operations easier for customer support agents + - Login as a user + - Manually send login OTPs +- Advanced analytics features (for product management & design teams) + - Sign up form A/B testing +- Advanced security (for compliance and security teams) + - Detailed audit logs of dashboard and end user actions + - Encryption of stored information + +Outside of the open core model, we will also charge for: +- Hosting of the SuperTokens service on our cloud. +- Completely managing the SuperTokens service on your cloud. - A commercial license that dictates: - Different levels of support - Liability agreement - Building custom features -- Monthly sponsorship + - Backporting updates and security fixes + ### Backers - + ## Why Java? @@ -158,7 +179,7 @@ From a sustainability point of view, for us and for this open source project, it Docker image size. ## Building from source -Instructions coming soon... +Please see our [wiki](https://github.com/supertokens/supertokens-core/wiki/Building-from-source) for instructions. ## Community - [Discord](https://supertokens.io/discord) @@ -166,7 +187,7 @@ Instructions coming soon... If you think this is a project you could use in the future, please :star2: this repository! -### Contributors +### Contributors (across all SuperTokens repositories) @@ -186,7 +207,7 @@ If you think this is a project you could use in the future, please :star2: this

Rishabh Poddar
## Contributing
-Instructions coming soon
+Please see the [CONTRIBUTING.md](https://github.com/supertokens/supertokens-core/blob/master/CONTRIBUTING.md) file for instructions.
 ## Development history
 Over the last few months, we have built out session management for SuperTokens. During this period, we have made our
diff --git a/cli/jar/cli.jar b/cli/jar/cli.jar
index e9d1f183b..600efe789 100644
Binary files a/cli/jar/cli.jar and b/cli/jar/cli.jar differ
diff --git a/downloader/jar/downloader.jar b/downloader/jar/downloader.jar
index 40cf8f792..0c85b8b81 100644
Binary files a/downloader/jar/downloader.jar and b/downloader/jar/downloader.jar differ
diff --git a/jar/core-2.4.0.jar b/jar/core-2.4.0.jar
index 5cd611365..5b5a24781 100644
Binary files a/jar/core-2.4.0.jar and b/jar/core-2.4.0.jar differ
diff --git a/src/main/java/io/supertokens/session/Session.java b/src/main/java/io/supertokens/session/Session.java
index c922d75a4..7469e79d8 100644
--- a/src/main/java/io/supertokens/session/Session.java
+++ b/src/main/java/io/supertokens/session/Session.java
@@ -166,7 +166,7 @@ public static SessionInformationHolder regenerateToken(Main main, @Nonnull Strin
 TokenInfo newAccessToken = AccessToken.createNewAccessToken(main, accessToken.sessionHandle, accessToken.userId, accessToken.refreshTokenHash1,
- null, newJWTUserPayload, accessToken.antiCsrfToken, lmrt,
+ accessToken.parentRefreshTokenHash1, newJWTUserPayload, accessToken.antiCsrfToken, lmrt,
 accessToken.expiryTime, currCDIVersion);
 return new SessionInformationHolder(
diff --git a/src/main/java/io/supertokens/session/accessToken/AccessToken.java b/src/main/java/io/supertokens/session/accessToken/AccessToken.java
index 0e3373d27..1c5f51914 100644
--- a/src/main/java/io/supertokens/session/accessToken/AccessToken.java
+++ b/src/main/java/io/supertokens/session/accessToken/AccessToken.java
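Review bot: The corrected argument on the `+` line carries `accessToken.parentRefreshTokenHash1` into the regenerated token, but nothing in the hunk records why the previous `null` was wrong, so a later clean-up of this call could silently reintroduce it. I would put a why-comment above the `createNewAccessToken` call, e.g. `// keep the old token's parentRefreshTokenHash1: regenerating the payload must not reset the refresh link to null (see the "Fixed" changelog entry for this change)`. It is also worth noting on the same call that `accessToken.expiryTime` is passed through unchanged, so regeneration rewrites the payload without extending the token's lifetime; whether the verify path keys off parentRefreshTokenHash1 is not visible here and should be confirmed against the callers. The body of regenerateToken starts and ends outside the hunk.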
@@ -115,8 +115,7 @@ public static TokenInfo createNewAccessToken(@Nonnull Main main, @Nonnull String
 expiryTime = now + Config.getConfig(main).getAccessTokenValidity();
 }
 AccessTokenInfo accessToken = new AccessTokenInfo(sessionHandle, userId, refreshTokenHash1, expiryTime,
- parentRefreshTokenHash1, userData, antiCsrfToken, now,
- false, lmrt);
+ parentRefreshTokenHash1, userData, antiCsrfToken, now, lmrt);
 String token = JWT.createJWT(new Gson().toJsonTree(accessToken), signingKey.privateKey, VERSION.V2);
 return new TokenInfo(token, expiryTime, now, Config.getConfig(main).getAccessTokenPath(), Config.getConfig(main).getCookieSecure(main), Config.getConfig(main).getCookieDomain(currCDIVersion),
@@ -150,7 +149,7 @@ public static TokenInfo createNewAccessTokenV1(@Nonnull Main main, @Nonnull Stri
 long expiryTime = now + Config.getConfig(main).getAccessTokenValidity();
 accessToken = new AccessTokenInfo(sessionHandle, userId, refreshTokenHash1, expiryTime, parentRefreshTokenHash1, userData, antiCsrfToken, now,
- false, null);
+ null);
 String token = JWT.createJWT(new Gson().toJsonTree(accessToken), signingKey.privateKey, VERSION.V1);
@@ -182,14 +181,12 @@ public static class AccessTokenInfo {
 public final String antiCsrfToken;
 public final long expiryTime;
 final long timeCreated;
- final boolean isPaid;
 @Nullable public final Long lmrt; // lastManualRegenerationTime - nullable since v1 of JWT does not have this
 AccessTokenInfo(@Nonnull String sessionHandle, @Nonnull String userId, @Nonnull String refreshTokenHash1, long expiryTime, @Nullable String parentRefreshTokenHash1, @Nonnull JsonObject userData,
- @Nullable String antiCsrfToken, long timeCreated, boolean isPaid,
- @Nullable Long lmrt) {
+ @Nullable String antiCsrfToken, long timeCreated, @Nullable Long lmrt) {
 this.sessionHandle = sessionHandle;
 this.userId = userId;
 this.refreshTokenHash1 = refreshTokenHash1;
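Review bot: Removing `isPaid` from AccessTokenInfo in the `@@ -182` hunk changes the signed JWT payload, because the `new Gson().toJsonTree(accessToken)` call in the `@@ -115` hunk serialises every field of this class; access tokens minted by the previous build and still sitting in users' cookies therefore carry an `isPaid` claim this build no longer models. Gson ignores unknown properties when mapping JSON back onto the class by default, so the verify path should tolerate them, but that parse path is outside the hunk and should be checked before a rolling upgrade of cores. The constructor's `@Nullable String parentRefreshTokenHash1` is the value the session layer now depends on (per the Session.java change) and has no comment; I would document it on the constructor, e.g. `// parentRefreshTokenHash1 may be null for a token minted at session creation — confirm which callers pass null`. As a small tidy-up, `new Gson()` is built on every token creation in both `@@ -115` and `@@ -150`; a `private static final Gson` instance would do. createNewAccessToken, createNewAccessTokenV1 and the AccessTokenInfo constructor all extend past the hunk boundaries.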
@@ -198,7 +195,6 @@ public static class AccessTokenInfo {
 this.userData = userData;
 this.antiCsrfToken = antiCsrfToken;
 this.timeCreated = timeCreated;
- this.isPaid = isPaid;
 this.lmrt = lmrt;
 }
 }