merges with latest

.github/ISSUE_TEMPLATE/release.md

@@ -11,21 +11,32 @@ labels:
 ### Dev Tag
  - [supertokens-core:X.Y](https://github.com/supertokens/supertokens-core/tree/X.Y)
      - [ ] core
+        - [ ] check CDI, plugin interface list
      - [ ] plugin-interface
+        - [ ] check plugin interface list
      - [ ] mysql-plugin
+         - [ ] check plugin interface list
      - [ ] postgresql-plugin
+         - [ ] check plugin interface list
      - [ ] mongodb-plugin
+         - [ ] check plugin interface list
  - [ ] [supertokens-node:X.Y](https://github.com/supertokens/supertokens-node/tree/X.Y)
+   - [ ] check CDI, FDI list
  - [ ] [supertokens-golang:X.Y](https://github.com/supertokens/supertokens-golang/tree/X.Y)
+   - [ ] check CDI, FDI list
  - [ ] [supertokens-python:X.Y](https://github.com/supertokens/supertokens-python/tree/X.Y)
+   - [ ] check CDI, FDI list
  - [ ] [supertokens-website:X.Y](https://github.com/supertokens/supertokens-website/X.Y)
+   - [ ] check FDI list
  - [ ] [supertokens-auth-react:X.Y](https://github.com/supertokens/supertokens-auth-react/tree/X.Y)
+    - [ ] check FDI list
     - [ ] Updated dependencies to use supertokens-website from npm registry
     - [ ] Various browsers - Safari, Firefox, Chrome, Edge
     - [ ] Mobile responsiveness
     - [ ] Make sure using with-typescript example that types are correct for every new configs exposed to users
     - [ ] Make sure frontend login UI shows even if backend is not working.
  - [ ] [supertokens-react-native:X.Y](https://github.com/supertokens/supertokens-react-native/X.Y)
+    - [ ] check FDI list
 
 ### Others
 
@@ -35,6 +46,7 @@ labels:
  - [ ] Examples apps in supertokens-python
  - [ ] Examples apps in supertokens-node
  - [ ] [next.js:canary](https://github.com/supertokens/next.js/tree/canary/examples/with-supertokens)
+ - [ ] RedwoodJS and playground-auth
  - [ ] Run on netlify (and hence AWS lambda) to check if it works fine there
 
 ### 📚 Documentation (test site)
@@ -47,6 +59,7 @@ labels:
    - [ ] homepage
    - [ ] pricing page feature list
    - [ ] comparison chart in the pricing page
+   - [ ] product roadmap page
 
 ## 🔥 Production 
 
@@ -63,6 +76,11 @@ labels:
        - [ ] Postgres
        - [ ] MongoDB
     - [ ] try.supertokens.io
+      ```
+      docker rm try-supertokens -f
+      docker rmi supertokens/supertokens-postgresql:<VERSION>
+      ~/try-supertokens/start_container.sh
+      ```
     - [ ] Update SaaS config
     - [ ] Update to tables checked for user count / or to know if a deployment is being used or not
     - [ ] Update logic for exporting csv file for registered users

CHANGELOG.md

@@ -16,6 +16,8 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ### Fixes
 
 - Issue with JWT expiry always being lower than expected
+- Modulus and exponent for JsonWebKeys are now sent as unsigned when fetching public keys from the /jwt/jwks.json 
+  endpoint. Both values are url encoded without any padding.
 
 ### Changes
 

CONTRIBUTING.md

@@ -77,6 +77,11 @@ Please ask as many questions as you need, either directly in the issue or on [Di
 - plugin tests:  
 ![plugin tests passing](https://github.com/supertokens/supertokens-logo/blob/master/images/plugin-tests-passing.png)
 
+## Running the core manually
+1. Run `startTestingEnv --wait` in a terminal, and keep it running
+2. Then open `supertokens-root` in another terminal and run `cp ./temp/config.yaml .`
+3. Then run `java -classpath "./core/*:./plugin-interface/*" io.supertokens.Main ./ DEV`. This will start the core to listen on `http://localhost:3567`
+
 ## Pull Request
 1. Before submitting a pull request make sure all tests have passed  
 2. Reference the relevant issue or pull request and give a clear description of changes/features added when submitting a pull request

README.md

@@ -142,6 +142,9 @@ Mihály Lengyel</b></sub></a></td>
   </tr> 
   <tr>
 <td align="center"><a href="https://github.com/jacobhq"><img src="https://avatars.githubusercontent.com/u/29145479?v=4" width="100px;" alt=""/><br /><sub><b>Jacob Marshall</b></sub></a></td>
+<td align="center"><a href="https://github.com/miketromba"><img src="https://avatars.githubusercontent.com/u/25141252?v=4" width="100px;" alt=""/><br /><sub><b>miketromba</b></sub></a></td>
+<td align="center"><a href="https://github.com/olhapi"><img src="https://avatars.githubusercontent.com/u/4780263?v=4" width="100px;" alt=""/><br /><sub><b>Oleg Vdovenko</b></sub></a></td>
+<td align="center"><a href="https://github.com/siddharthmudgal"><img src="https://avatars.githubusercontent.com/u/9314217?v=4" width="100px;" alt=""/><br /><sub><b>Siddharth</b></sub></a></td>
   </tr>
 </table>
 

src/main/java/io/supertokens/jwt/JWTSigningFunctions.java

@@ -27,6 +27,7 @@
 import io.supertokens.pluginInterface.jwt.JWTAsymmetricSigningKeyInfo;
 import io.supertokens.pluginInterface.jwt.JWTSigningKeyInfo;
 
+import java.math.BigInteger;
 import java.security.KeyFactory;
 import java.security.NoSuchAlgorithmException;
 import java.security.PrivateKey;
@@ -96,6 +97,49 @@ public static String createJWTToken(Main main, String algorithm, JsonObject payl
         return com.auth0.jwt.JWT.create().withPayload(jwtPayload).withHeader(headerClaims).sign(signingAlgorithm);
     }
 
+    /**
+     * Returns a byte array representation of the specified big integer
+     * without the sign bit.
+     *
+     * @param bigInt The big integer to be converted. Must not be
+     *               {@code null}.
+     *
+     * @return A byte array representation of the big integer, without the
+     *         sign bit.
+     */
+    private static byte[] toBytesUnsigned(final BigInteger bigInt) {
+
+        // Copied from Apache Commons Codec 1.8
+
+        int bitlen = bigInt.bitLength();
+
+        // round bitlen
+        bitlen = ((bitlen + 7) >> 3) << 3;
+        final byte[] bigBytes = bigInt.toByteArray();
+
+        if (((bigInt.bitLength() % 8) != 0) && (((bigInt.bitLength() / 8) + 1) == (bitlen / 8))) {
+
+            return bigBytes;
+
+        }
+
+        // set up params for copying everything but sign bit
+        int startSrc = 0;
+        int len = bigBytes.length;
+
+        // if bigInt is exactly byte-aligned, just skip signbit in copy
+        if ((bigInt.bitLength() % 8) == 0) {
+
+            startSrc = 1;
+            len--;
+        }
+
+        final int startDst = bitlen / 8 - len; // to pad w/ nulls as per spec
+        final byte[] resizedBytes = new byte[bitlen / 8];
+        System.arraycopy(bigBytes, startSrc, resizedBytes, startDst, len);
+        return resizedBytes;
+    }
+
     /**
      * Used to return public keys that a JWT verifier will use. Note returns an empty array if there are no keys in
      * storage.
@@ -131,10 +175,10 @@ public static List<JsonObject> getJWKS(Main main) throws StorageQueryException,
                     // Most verifiers seem to expect kty and alg to be in upper case so forcing that here
                     jwk.addProperty("kty", algorithm.getAlgorithmType().toUpperCase());
                     jwk.addProperty("kid", currentKeyInfo.keyId);
-                    jwk.addProperty("n", Base64.getUrlEncoder()
-                            .encodeToString(((RSAPublicKey) publicKey).getModulus().toByteArray()));
-                    jwk.addProperty("e", Base64.getUrlEncoder()
-                            .encodeToString(((RSAPublicKey) publicKey).getPublicExponent().toByteArray()));
+                    jwk.addProperty("n", Base64.getUrlEncoder().withoutPadding()
+                            .encodeToString(toBytesUnsigned(((RSAPublicKey) publicKey).getModulus())));
+                    jwk.addProperty("e", Base64.getUrlEncoder().withoutPadding()
+                            .encodeToString(toBytesUnsigned(((RSAPublicKey) publicKey).getPublicExponent())));
                     jwk.addProperty("alg", currentKeyInfo.algorithm.toUpperCase());
                     jwk.addProperty("use", "sig"); // We generate JWKs that are meant to be used for signature
                                                    // verification

src/test/java/io/supertokens/test/jwt/JWKSTest.java

@@ -238,4 +238,32 @@ public String getPrivateKeyId() {
         process.kill();
         assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
     }
+
+    /**
+     * Test that the modulus of the JWK is unsigned
+     */
+    @Test
+    public void testThatJWKModulusIsUnsigned() throws Exception {
+        String[] args = { "../" };
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        List<JsonObject> keysFromStorage = JWTSigningFunctions.getJWKS(process.getProcess());
+
+        for (int i = 0; i < keysFromStorage.size(); i++) {
+            JsonObject key = keysFromStorage.get(i);
+            byte[] modulusBytes = Base64.getUrlDecoder().decode(key.get("n").getAsString());
+
+            // The modulus is always positive and should not contain the sign byte (0)
+            assert modulusBytes[0] != 0;
+
+            byte[] exponentBytes = Base64.getUrlDecoder().decode(key.get("e").getAsString());
+
+            // The exponent is always positive and should not contain the sign byte (0)
+            assert exponentBytes[0] != 0;
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
 }