Merge branch '6.0' into merge-6.0

CHANGELOG.md

@@ -76,6 +76,11 @@ ALTER TABLE emailpassword_pswd_reset_tokens ADD CONSTRAINT emailpassword_pswd_re
 ALTER TABLE emailpassword_pswd_reset_tokens ADD COLUMN email VARCHAR(256);
 ```
 
+## [6.0.12] - 2023-09-04
+
+- Fixes randomly occurring `serialization error for concurrent update` in `verifySession` API
+- Fixes `MISSING_EE_FOLDER_ERROR` error when the core starts up with an empty database
+
 ## [6.0.11] - 2023-08-16
 
 - Fixed feature flag cron job

README.md

@@ -15,7 +15,7 @@ Supertokens architecture is optimized to add secure authentication for your user
 **Three building blocks of SuperTokens architecture**
 
 1. Frontend SDK: Manages session tokens and renders login UI widgets
-2. Backend SDK: Provides APIs for sign-up, sign-in, signout, session refreshing etc. Your Frontend will talk to these APIs
+2. Backend SDK: Provides APIs for sign-up, sign-in, signout, session refreshing, etc. Your Frontend will talk to these APIs
 3. SuperTokens Core: The HTTP service for the core auth logic and database operations. This service is used by the Backend SDK
 
 ## Supports multiple auth strategies
@@ -49,29 +49,29 @@ Guides to setup different recipes
 ### If you like our project, please :star2: this repository! For feedback, feel free to join our [Discord](https://supertokens.io/discord), or create an issue on this repo
 
 ## 🚀 What is SuperTokens?
-SuperTokens is an open core alternative to proprietary login providers like Auth0 or AWS Cognito. We are
+SuperTokens is an open-core alternative to proprietary login providers like Auth0 or AWS Cognito. We are
  different because we offer:
 - Open source: SuperTokens can be used for free, forever, with no limits on the number of users.
 - An on-premises deployment so that you control 100% of your user data, using your own database.
-- An end to end solution with login, sign ups, user and session management, without all the complexities of OAuth protocols.
+- An end-to-end solution with login, sign-ups, user and session management, without all the complexities of OAuth protocols.
 - Ease of implementation and higher security.
 - Extensibility: Anyone can contribute and make SuperTokens better!
 
 ### Philosophy
-Authentication directly affects UX, dev experience and security of any app. We believe that
- current solutions are unable to optimise for all three "pillars", leading to a large number of
-  applications hand rolling their own auth. This not only leads to security issues, but is also a massive
+Authentication directly affects the UX, dev experience, and security of any app. We believe that
+ current solutions cannot optimize for all three "pillars", leading to many
+  applications hand-rolling their own auth. This not only leads to security issues but is also a massive
    time drain.
 
 We want to change that - we believe the only way is to provide a solution that has the right level of
- abstraction, gives you maximum control, is secure, and is simple to use - just like if you build it yourself,
-  from scratch (minus the time to learn, build and maintain).
+ abstraction gives you maximum control, is secure, and is simple to use - just like if you build it yourself,
+  from scratch (minus the time to learn, build, and maintain).
 
-We also believe in the principle of least vendor lockin. Your having full control of your user's data means that you can switch away from SuperTokens without forcing your existing users to logout, reset their passwords or in the worst case, sign up again. 
+We also believe in the principle of least vendor lock-in. Your having full control of your user's data means that you can switch away from SuperTokens without forcing your existing users to logout, reset their passwords, or in the worst case, sign up again. 
 
 ### Features - [Click here](https://thirdpartyemailpassword.demo.supertokens.io/) to see the demo app.
 - Please visit [our website](https://supertokens.io/pricing) to see the list of features.
-- We want to make features as decoupled as possible. This means, you can use SuperTokens for just login, or just session management, or both. In fact, we also offer session management integrations with other login providers like Auth0.
+- We want to make features as decoupled as possible. This means you can use SuperTokens for just login, or just session management, or both. In fact, we also offer session management integrations with other login providers like Auth0.
 
 
 ### Documentation
@@ -85,15 +85,15 @@ Please find an [architecture diagram here](https://supertokens.io/docs/community
 **For more information, please visit our [GitHub wiki section](https://github.com/supertokens/supertokens-core/wiki/SuperTokens-Architecture).**
 
 ## ☕ Why Java?
-- ✅ Whilst running Java can seem difficult, we provide the JDK along with the binary / docker image when distributing it. This makes running SuperTokens just like running any other http microservice.
-- ✅ Java has a very mature ecosystem. This implies that third party libraries have been battle tested.
+- ✅ Whilst running Java can seem difficult, we provide the JDK along with the binary/docker image when distributing it. This makes running SuperTokens just like running any other HTTP microservice.
+- ✅ Java has a very mature ecosystem. This implies that third-party libraries have been battle-tested.
 - ✅ Java's strong type system ensures fewer bugs and easier maintainability. This is especially important when many people are expected to work on the same project.
-- ✅ Our team is most comfortable with Java and hiring for great Java developers is relatively easy as well.
+- ✅ Our team is most comfortable with Java and hiring great Java developers is relatively easy as well.
 - ✅ One of the biggest criticisms of Java is memory usage. We have three solutions to this: 
-   - The most frequent auth related operation is session verification - this happens within the backend SDK (node, python, Go) without contacting the Java core. Therefore, a single instance of the core can handle several 10s of thousands of users fairly easily.
-   - We have carefully chosen our dependencies. For eg: we use an embedded tomcat server instead of a higher level web framework.
-   - We also plan on using [GraalVM](https://www.graalvm.org/) in the future and this can reduce memory usage down by 95%! 
-- ✅ If you require any modifications to the auth APIs, those would need to be done on the backend SDK level (for example Node, Golang, Python..). So you’d rarely need to directly modify / work  with the Java code in this repo.
+   - The most frequent auth-related operation is session verification - this happens within the backend SDK (node, python, Go) without contacting the Java core. Therefore, a single instance of the core can handle several 10s of thousands of users fairly easily.
+   - We have carefully chosen our dependencies. For eg: we use an embedded tomcat server instead of a higher-level web framework.
+   - We also plan on using [GraalVM](https://www.graalvm.org/) in the future and this can reduce memory usage by 95%! 
+- ✅ If you require any modifications to the auth APIs, those would need to be done on the backend SDK level (for example Node, Golang, Python..). So you’d rarely need to directly modify/work  with the Java code in this repo.
 
 ## 🔥 SuperTokens vs others
 Please find a detailed comparison chart [on our website](https://supertokens.io/pricing#comparison-chart)
@@ -218,7 +218,7 @@ Portions of this software are licensed as follows:
 
 * All content that resides under the "ee/" directory of this repository, if that directory exists, is licensed under the
   license defined in "ee/LICENSE.md".
-* All third party components incorporated into the SuperTokens Software are licensed under the original license provided
+* All third-party components incorporated into the SuperTokens Software are licensed under the original license provided
   by the owner of the applicable component.
-* Content outside of the above mentioned directories or restrictions above is available under the "Apache 2.0"
+* Content outside of the above-mentioned directories or restrictions above is available under the "Apache 2.0"
   license as defined in the level "LICENSE.md" file

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "6.0.11"
+version = "6.0.12"
 
 
 repositories {

ee/src/test/java/io/supertokens/ee/test/CronjobTest.java

@@ -29,6 +29,7 @@ public static void afterTesting() {
     @Before
     public void beforeEach() {
         Utils.reset();
+        FeatureFlag.clearURLClassLoader();
     }
 
 

ee/src/test/java/io/supertokens/ee/test/EETest.java

@@ -81,6 +81,7 @@ public static void afterTesting() {
     @Before
     public void beforeEach() {
         Utils.reset();
+        FeatureFlag.clearURLClassLoader();
     }
 
     @Rule

ee/src/test/java/io/supertokens/ee/test/api/DeleteLicenseKeyAPITest.java

@@ -33,6 +33,7 @@ public static void afterTesting() {
     @Before
     public void beforeEach() {
         Utils.reset();
+        FeatureFlag.clearURLClassLoader();
     }
 
     @Test

ee/src/test/java/io/supertokens/ee/test/api/GetFeatureFlagAPITest.java

@@ -28,6 +28,7 @@ public static void afterTesting() {
     @Before
     public void beforeEach() {
         Utils.reset();
+        FeatureFlag.clearURLClassLoader();
     }
 
     @Test

ee/src/test/java/io/supertokens/ee/test/api/GetLicenseKeyAPITest.java

@@ -28,6 +28,7 @@ public static void afterTesting() {
     @Before
     public void beforeEach() {
         Utils.reset();
+        FeatureFlag.clearURLClassLoader();
     }
 
     @Test

ee/src/test/java/io/supertokens/ee/test/api/SetLicenseKeyAPITest.java

@@ -31,6 +31,7 @@ public static void afterTesting() {
     @Before
     public void beforeEach() {
         Utils.reset();
+        FeatureFlag.clearURLClassLoader();
     }
 
     @Test

src/main/java/io/supertokens/multitenancy/Multitenancy.java

@@ -212,17 +212,20 @@ public static boolean addNewOrUpdateAppOrTenant(Main main, TenantIdentifier sour
         return addNewOrUpdateAppOrTenant(main, newTenant, false);
     }
 
+    @TestOnly
     public static boolean addNewOrUpdateAppOrTenant(Main main, TenantConfig newTenant,
                                                     boolean shouldPreventDbConfigUpdate)
-            throws CannotModifyBaseConfigException, BadPermissionException,
-            StorageQueryException, FeatureNotEnabledException, IOException, InvalidConfigException,
-            InvalidProviderConfigException, TenantOrAppNotFoundException {
-        return addNewOrUpdateAppOrTenant(main, newTenant, shouldPreventDbConfigUpdate, false);
+            throws InvalidProviderConfigException, StorageQueryException, FeatureNotEnabledException,
+            TenantOrAppNotFoundException, IOException, InvalidConfigException, CannotModifyBaseConfigException,
+            BadPermissionException {
+        return addNewOrUpdateAppOrTenant(main, newTenant, shouldPreventDbConfigUpdate, false, true);
     }
 
+
     public static boolean addNewOrUpdateAppOrTenant(Main main, TenantConfig newTenant,
                                                     boolean shouldPreventProtectedConfigUpdate,
-                                                    boolean skipThirdPartyConfigValidation)
+                                                    boolean skipThirdPartyConfigValidation,
+                                                    boolean forceReloadResources)
             throws CannotModifyBaseConfigException, BadPermissionException,
             StorageQueryException, FeatureNotEnabledException, IOException, InvalidConfigException,
             InvalidProviderConfigException, TenantOrAppNotFoundException {
@@ -259,7 +262,8 @@ public static boolean addNewOrUpdateAppOrTenant(Main main, TenantConfig newTenan
                         .addTenantIdInTargetStorage(newTenant.tenantIdentifier);
             } catch (TenantOrAppNotFoundException e) {
                 // it should never come here, since we just added the tenant above.. but just in case.
-                return addNewOrUpdateAppOrTenant(main, newTenant, shouldPreventProtectedConfigUpdate);
+                return addNewOrUpdateAppOrTenant(main, newTenant, shouldPreventProtectedConfigUpdate,
+                        skipThirdPartyConfigValidation, forceReloadResources);
             }
             return true;
         } catch (DuplicateTenantException e) {
@@ -279,7 +283,8 @@ public static boolean addNewOrUpdateAppOrTenant(Main main, TenantConfig newTenan
                 } catch (TenantOrAppNotFoundException ex) {
                     // this can happen cause of a race condition if the tenant was deleted in the middle
                     // of it being recreated.
-                    return addNewOrUpdateAppOrTenant(main, newTenant, shouldPreventProtectedConfigUpdate);
+                    return addNewOrUpdateAppOrTenant(main, newTenant, shouldPreventProtectedConfigUpdate,
+                            skipThirdPartyConfigValidation, forceReloadResources);
                 } catch (DuplicateTenantException ex) {
                     // we treat this as a success
                     return false;
@@ -300,7 +305,9 @@ public static boolean addNewOrUpdateAppOrTenant(Main main, TenantConfig newTenan
         } catch (DuplicateClientTypeException e) {
             throw new InvalidProviderConfigException("Duplicate clientType was specified in the clients list.");
         } finally {
-            MultitenancyHelper.getInstance(main).forceReloadAllResources(tenantsThatChanged);
+            if (forceReloadResources) {
+                MultitenancyHelper.getInstance(main).forceReloadAllResources(tenantsThatChanged);
+            }
         }
     }
 

src/main/java/io/supertokens/multitenancy/MultitenancyHelper.java

@@ -29,7 +29,6 @@
 import io.supertokens.multitenancy.exception.CannotModifyBaseConfigException;
 import io.supertokens.output.Logging;
 import io.supertokens.pluginInterface.STORAGE_TYPE;
-import io.supertokens.pluginInterface.Storage;
 import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
 import io.supertokens.pluginInterface.multitenancy.*;
@@ -76,8 +75,13 @@ public static void init(Main main) throws StorageQueryException, IOException {
                         new TenantConfig(
                                 new TenantIdentifier(null, null, null),
                                 new EmailPasswordConfig(true), new ThirdPartyConfig(true, null),
-                                new PasswordlessConfig(true), new JsonObject()), false);
-            } catch (CannotModifyBaseConfigException | BadPermissionException | FeatureNotEnabledException | InvalidConfigException | InvalidProviderConfigException | TenantOrAppNotFoundException e) {
+                                new PasswordlessConfig(true), new JsonObject()), false, false, false);
+                // Not force reloading all resources here (the last boolean in the function above)
+                // because the ucl for the FeatureFlag is not yet loaded and results in an empty
+                // instance of eeFeatureFlag. This is applicable only when the core is starting on
+                // an empty database as no tenants are loaded from the db yet.
+            } catch (CannotModifyBaseConfigException | BadPermissionException | FeatureNotEnabledException |
+                     InvalidConfigException | InvalidProviderConfigException | TenantOrAppNotFoundException e) {
                 throw new IllegalStateException(e);
             }
         }
@@ -98,21 +102,25 @@ private TenantConfig[] getAllTenantsFromDb() throws StorageQueryException {
         return StorageLayer.getMultitenancyStorage(main).getAllTenants();
     }
 
-    public List<TenantIdentifier> refreshTenantsInCoreBasedOnChangesInCoreConfigOrIfTenantListChanged(boolean reloadAllResources) {
+    public List<TenantIdentifier> refreshTenantsInCoreBasedOnChangesInCoreConfigOrIfTenantListChanged(
+            boolean reloadAllResources) {
         try {
             return main.getResourceDistributor().withResourceDistributorLock(() -> {
                 try {
                     TenantConfig[] tenantsFromDb = getAllTenantsFromDb();
 
-                    Map<ResourceDistributor.KeyClass, JsonObject> normalizedTenantsFromDb = Config.getNormalisedConfigsForAllTenants(
+                    Map<ResourceDistributor.KeyClass, JsonObject> normalizedTenantsFromDb =
+                            Config.getNormalisedConfigsForAllTenants(
                             tenantsFromDb, Config.getBaseConfigAsJsonObject(main));
 
-                    Map<ResourceDistributor.KeyClass, JsonObject> normalizedTenantsFromMemory = Config.getNormalisedConfigsForAllTenants(
+                    Map<ResourceDistributor.KeyClass, JsonObject> normalizedTenantsFromMemory =
+                            Config.getNormalisedConfigsForAllTenants(
                             this.tenantConfigs, Config.getBaseConfigAsJsonObject(main));
 
                     List<TenantIdentifier> tenantsThatChanged = new ArrayList<>();
 
-                    for (Map.Entry<ResourceDistributor.KeyClass, JsonObject> entry : normalizedTenantsFromMemory.entrySet()) {
+                    for (Map.Entry<ResourceDistributor.KeyClass, JsonObject> entry :
+                            normalizedTenantsFromMemory.entrySet()) {
                         JsonObject tenantConfigFromMemory = entry.getValue();
                         JsonObject tenantConfigFromDb = normalizedTenantsFromDb.get(entry.getKey());
 
@@ -128,7 +136,8 @@ public List<TenantIdentifier> refreshTenantsInCoreBasedOnChangesInCoreConfigOrIf
                         return tenantsThatChanged;
                     }
 
-                    ProcessState.getInstance(main).addState(ProcessState.PROCESS_STATE.TENANTS_CHANGED_DURING_REFRESH_FROM_DB, null);
+                    ProcessState.getInstance(main)
+                            .addState(ProcessState.PROCESS_STATE.TENANTS_CHANGED_DURING_REFRESH_FROM_DB, null);
 
                     // this order is important. For example, storageLayer depends on config, and cronjobs depends on
                     // storageLayer
@@ -191,7 +200,8 @@ public void loadFeatureFlag(List<TenantIdentifier> tenantsThatChanged) {
         FeatureFlag.loadForAllTenants(main, apps, tenantsThatChanged);
     }
 
-    public void loadSigningKeys(List<TenantIdentifier> tenantsThatChanged) throws UnsupportedJWTSigningAlgorithmException {
+    public void loadSigningKeys(List<TenantIdentifier> tenantsThatChanged)
+            throws UnsupportedJWTSigningAlgorithmException {
         List<AppIdentifier> apps = new ArrayList<>();
         Set<AppIdentifier> appsSet = new HashSet<>();
         for (TenantConfig t : tenantConfigs) {

src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java

@@ -43,11 +43,15 @@ public BaseCreateOrUpdate(Main main) {
         super(main, RECIPE_ID.MULTITENANCY.toString());
     }
 
-    protected void handle(HttpServletRequest req, TenantIdentifier sourceTenantIdentifier, TenantIdentifier targetTenantIdentifier, Boolean emailPasswordEnabled, Boolean thirdPartyEnabled, Boolean passwordlessEnabled, JsonObject coreConfig, HttpServletResponse resp)
+    protected void handle(HttpServletRequest req, TenantIdentifier sourceTenantIdentifier,
+                          TenantIdentifier targetTenantIdentifier, Boolean emailPasswordEnabled,
+                          Boolean thirdPartyEnabled, Boolean passwordlessEnabled, JsonObject coreConfig,
+                          HttpServletResponse resp)
             throws ServletException, IOException {
 
         TenantConfig tenantConfig = Multitenancy.getTenantInfo(main,
-                new TenantIdentifier(targetTenantIdentifier.getConnectionUriDomain(), targetTenantIdentifier.getAppId(), targetTenantIdentifier.getTenantId()));
+                new TenantIdentifier(targetTenantIdentifier.getConnectionUriDomain(), targetTenantIdentifier.getAppId(),
+                        targetTenantIdentifier.getTenantId()));
 
         boolean createdNew = false;
 
@@ -119,7 +123,7 @@ protected void handle(HttpServletRequest req, TenantIdentifier sourceTenantIdent
             Multitenancy.checkPermissionsForCreateOrUpdate(
                     main, sourceTenantIdentifier, tenantConfig.tenantIdentifier);
 
-            Multitenancy.addNewOrUpdateAppOrTenant(main, tenantConfig, shouldProtectProtectedConfig(req));
+            Multitenancy.addNewOrUpdateAppOrTenant(main, tenantConfig, shouldProtectProtectedConfig(req), false, true);
             JsonObject result = new JsonObject();
             result.addProperty("status", "OK");
             result.addProperty("createdNew", createdNew);