feat: account linking

.github/PULL_REQUEST_TEMPLATE.md

@@ -34,7 +34,7 @@ highlighting the necessary changes)
     - To know which one it is, run find the latest released tag (`git tag`) in the format `vX.Y.Z`, and then find the
       latest branch (`git branch --all`) whose `X.Y` is greater than the latest released tag.
     - If no such branch exists, then create one from the latest released branch.
-
+- [ ] If added a foreign key constraint on `app_id_to_user_id` table, make sure to delete from this table when deleting the user as well if `deleteUserIdMappingToo` is false.
 ## Remaining TODOs for this PR
 
 - [ ] Item1

CHANGELOG.md

@@ -7,6 +7,187 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [unreleased]
 
+## [7.0.0] - 2023-09-19
+
+- Support for CDI version 4.0
+- Adds Account Linking feature
+
+### Session recipe changes
+
+- New access token version: v5, which contains a required prop: `rsub`. This contains the recipe user ID that belongs to the login method that the user used to login. The `sub` claim in the access token payload is now the primary user ID.
+- APIs that return `SessionInformation` (like GET `/recipe/session`) contains userId, recipeUserId in the response.
+- Apis that create / modify / refresh a session return the `recipeUserId` in the `session` object in the response.
+- Token theft detected response returns userId and recipeUserId
+
+### Db Schema changes
+
+- Adds columns `primary_or_recipe_user_id`, `is_linked_or_is_a_primary_user` and `primary_or_recipe_user_time_joined` to `all_auth_recipe_users` table
+- Adds columns `primary_or_recipe_user_id` and `is_linked_or_is_a_primary_user` to `app_id_to_user_id` table
+- Removes index `all_auth_recipe_users_pagination_index` and addes `all_auth_recipe_users_pagination_index1`, 
+  `all_auth_recipe_users_pagination_index2`, `all_auth_recipe_users_pagination_index3` and 
+  `all_auth_recipe_users_pagination_index4` indexes instead on `all_auth_recipe_users` table
+- Adds `all_auth_recipe_users_recipe_id_index` on `all_auth_recipe_users` table
+- Adds `all_auth_recipe_users_primary_user_id_index` on `all_auth_recipe_users` table
+- Adds `email` column to `emailpassword_pswd_reset_tokens` table
+- Changes `user_id` foreign key constraint on `emailpassword_pswd_reset_tokens` to `app_id_to_user_id` table
+
+### Migration steps for SQL
+
+1. Ensure that the core is already upgraded to version 6.0.13 (CDI version 3.0)
+2. Stop the core instance(s)
+3. Run the migration script
+
+    <details>
+
+    <summary>If using PostgreSQL</summary>
+
+    ```sql
+    ALTER TABLE all_auth_recipe_users
+      ADD COLUMN primary_or_recipe_user_id CHAR(36) NOT NULL DEFAULT ('0');
+
+    ALTER TABLE all_auth_recipe_users
+      ADD COLUMN is_linked_or_is_a_primary_user BOOLEAN NOT NULL DEFAULT FALSE;
+
+    ALTER TABLE all_auth_recipe_users
+      ADD COLUMN primary_or_recipe_user_time_joined BIGINT NOT NULL DEFAULT 0;
+
+    UPDATE all_auth_recipe_users
+      SET primary_or_recipe_user_id = user_id
+      WHERE primary_or_recipe_user_id = '0';
+
+    UPDATE all_auth_recipe_users
+      SET primary_or_recipe_user_time_joined = time_joined
+      WHERE primary_or_recipe_user_time_joined = 0;
+
+    ALTER TABLE all_auth_recipe_users
+      ADD CONSTRAINT all_auth_recipe_users_primary_or_recipe_user_id_fkey
+        FOREIGN KEY (app_id, primary_or_recipe_user_id)
+        REFERENCES app_id_to_user_id (app_id, user_id) ON DELETE CASCADE;
+
+    ALTER TABLE all_auth_recipe_users
+      ALTER primary_or_recipe_user_id DROP DEFAULT;
+
+    ALTER TABLE app_id_to_user_id
+      ADD COLUMN primary_or_recipe_user_id CHAR(36) NOT NULL DEFAULT ('0');
+
+    ALTER TABLE app_id_to_user_id
+      ADD COLUMN is_linked_or_is_a_primary_user BOOLEAN NOT NULL DEFAULT FALSE;
+
+    UPDATE app_id_to_user_id
+      SET primary_or_recipe_user_id = user_id
+      WHERE primary_or_recipe_user_id = '0';
+
+    ALTER TABLE app_id_to_user_id
+      ADD CONSTRAINT app_id_to_user_id_primary_or_recipe_user_id_fkey
+        FOREIGN KEY (app_id, primary_or_recipe_user_id)
+        REFERENCES app_id_to_user_id (app_id, user_id) ON DELETE CASCADE;
+
+    ALTER TABLE app_id_to_user_id
+        ALTER primary_or_recipe_user_id DROP DEFAULT;
+
+    DROP INDEX all_auth_recipe_users_pagination_index;
+
+    CREATE INDEX all_auth_recipe_users_pagination_index1 ON all_auth_recipe_users (
+      app_id, tenant_id, primary_or_recipe_user_time_joined DESC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_pagination_index2 ON all_auth_recipe_users (
+      app_id, tenant_id, primary_or_recipe_user_time_joined ASC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_pagination_index3 ON all_auth_recipe_users (
+      recipe_id, app_id, tenant_id, primary_or_recipe_user_time_joined DESC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_pagination_index4 ON all_auth_recipe_users (
+      recipe_id, app_id, tenant_id, primary_or_recipe_user_time_joined ASC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_primary_user_id_index ON all_auth_recipe_users (primary_or_recipe_user_id, app_id);
+
+    CREATE INDEX all_auth_recipe_users_recipe_id_index ON all_auth_recipe_users (app_id, recipe_id, tenant_id);
+
+    ALTER TABLE emailpassword_pswd_reset_tokens DROP CONSTRAINT IF EXISTS emailpassword_pswd_reset_tokens_user_id_fkey;
+
+    ALTER TABLE emailpassword_pswd_reset_tokens ADD CONSTRAINT emailpassword_pswd_reset_tokens_user_id_fkey FOREIGN KEY (app_id, user_id) REFERENCES app_id_to_user_id (app_id, user_id) ON DELETE CASCADE;
+
+    ALTER TABLE emailpassword_pswd_reset_tokens ADD COLUMN email VARCHAR(256);
+    ```
+    </details>
+
+    <details>
+
+    <summary>If using MySQL</summary>
+
+    ```sql
+    ALTER TABLE all_auth_recipe_users
+      ADD primary_or_recipe_user_id CHAR(36) NOT NULL DEFAULT ('0');
+
+    ALTER TABLE all_auth_recipe_users
+      ADD is_linked_or_is_a_primary_user BOOLEAN NOT NULL DEFAULT FALSE;
+
+    ALTER TABLE all_auth_recipe_users
+      ADD primary_or_recipe_user_time_joined BIGINT UNSIGNED NOT NULL DEFAULT 0;
+
+    UPDATE all_auth_recipe_users
+      SET primary_or_recipe_user_id = user_id
+      WHERE primary_or_recipe_user_id = '0';
+
+    UPDATE all_auth_recipe_users
+      SET primary_or_recipe_user_time_joined = time_joined
+      WHERE primary_or_recipe_user_time_joined = 0;
+
+    ALTER TABLE all_auth_recipe_users
+      ADD FOREIGN KEY (app_id, primary_or_recipe_user_id)
+      REFERENCES app_id_to_user_id (app_id, user_id) ON DELETE CASCADE;
+
+    ALTER TABLE all_auth_recipe_users
+      ALTER primary_or_recipe_user_id DROP DEFAULT;
+
+    ALTER TABLE app_id_to_user_id
+      ADD primary_or_recipe_user_id CHAR(36) NOT NULL DEFAULT ('0');
+
+    ALTER TABLE app_id_to_user_id
+      ADD is_linked_or_is_a_primary_user BOOLEAN NOT NULL DEFAULT FALSE;
+
+    UPDATE app_id_to_user_id
+      SET primary_or_recipe_user_id = user_id
+      WHERE primary_or_recipe_user_id = '0';
+
+    ALTER TABLE app_id_to_user_id
+      ADD FOREIGN KEY (app_id, primary_or_recipe_user_id)
+      REFERENCES app_id_to_user_id (app_id, user_id) ON DELETE CASCADE;
+
+    ALTER TABLE app_id_to_user_id
+      ALTER primary_or_recipe_user_id DROP DEFAULT;
+
+    DROP INDEX all_auth_recipe_users_pagination_index ON all_auth_recipe_users;
+
+    CREATE INDEX all_auth_recipe_users_pagination_index1 ON all_auth_recipe_users (
+      app_id, tenant_id, primary_or_recipe_user_time_joined DESC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_pagination_index2 ON all_auth_recipe_users (
+      app_id, tenant_id, primary_or_recipe_user_time_joined ASC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_pagination_index3 ON all_auth_recipe_users (
+      recipe_id, app_id, tenant_id, primary_or_recipe_user_time_joined DESC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_pagination_index4 ON all_auth_recipe_users (
+      recipe_id, app_id, tenant_id, primary_or_recipe_user_time_joined ASC, primary_or_recipe_user_id DESC);
+
+    CREATE INDEX all_auth_recipe_users_primary_user_id_index ON all_auth_recipe_users (primary_or_recipe_user_id, app_id);
+
+    CREATE INDEX all_auth_recipe_users_recipe_id_index ON all_auth_recipe_users (app_id, recipe_id, tenant_id);
+
+    ALTER TABLE emailpassword_pswd_reset_tokens 
+      DROP FOREIGN KEY emailpassword_pswd_reset_tokens_ibfk_1;
+
+    ALTER TABLE emailpassword_pswd_reset_tokens
+      ADD FOREIGN KEY (app_id, user_id) REFERENCES app_id_to_user_id (app_id, user_id) ON DELETE CASCADE;
+
+    ALTER TABLE emailpassword_pswd_reset_tokens ADD email VARCHAR(256);
+    ```
+
+    </details>
+
+4. Start the new instance(s) of the core (version 7.0.0)
+
 ## [6.0.13] - 2023-09-15
 
 - Fixes paid stats reporting for multitenancy
@@ -86,8 +267,8 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 - Support for multitenancy.
 - New config `supertokens_saas_secret` added to support multitenancy in SaaS mode.
-- New config `supertokens_default_cdi_version` is added to specify the version of CDI core must assume when the
-  version is not specified in the request. If this config is not specified, the core will assume the latest version.
+- New config `supertokens_default_cdi_version` is added to specify the version of CDI core must assume when the version
+  is not specified in the request. If this config is not specified, the core will assume the latest version.
 
 ### Fixes
 
@@ -1811,7 +1992,6 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
           "key_string": "$keys.value",
           "algorithm": "RS256",
           "created_at": "$keys.created_at_time",
-
         }
       },
       {
@@ -1826,7 +2006,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
         }
       }
-    ]);
+  ]);
     ```
 
 - If using `access_token_signing_key_dynamic` true or not set:

build.gradle

@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "6.0.13"
+version = "7.0.0"
 
 
 repositories {

coreDriverInterfaceSupported.json

@@ -16,6 +16,7 @@
     "2.19",
     "2.20",
     "2.21",
-    "3.0"
+    "3.0",
+    "4.0"
   ]
 }

ee/src/main/java/io/supertokens/ee/EEFeatureFlag.java

@@ -272,6 +272,49 @@ private JsonObject getMultiTenancyStats()
         return stats;
     }
 
+    private JsonObject getAccountLinkingStats() throws StorageQueryException {
+        JsonObject result = new JsonObject();
+        Storage[] storages = StorageLayer.getStoragesForApp(main, this.appIdentifier);
+        boolean usesAccountLinking = false;
+
+        for (Storage storage : storages) {
+            if (((AuthRecipeStorage)storage).checkIfUsesAccountLinking(this.appIdentifier)) {
+                usesAccountLinking = true;
+                break;
+            }
+        }
+
+        result.addProperty("usesAccountLinking", usesAccountLinking);
+        if (!usesAccountLinking) {
+            result.addProperty("totalUserCountWithMoreThanOneLoginMethod", 0);
+            JsonArray mauArray = new JsonArray();
+            for (int i = 0; i < 30; i++) {
+                mauArray.add(new JsonPrimitive(0));
+            }
+            result.add("mauWithMoreThanOneLoginMethod", mauArray);
+            return result;
+        }
+
+        int totalUserCountWithMoreThanOneLoginMethod = 0;
+        int[] maus = new int[30];
+
+        long now = System.currentTimeMillis();
+        long today = now - (now % (24 * 60 * 60 * 1000L));
+
+        for (Storage storage : storages) {
+            totalUserCountWithMoreThanOneLoginMethod += ((AuthRecipeStorage)storage).getUsersCountWithMoreThanOneLoginMethod(this.appIdentifier);
+
+            for (int i = 0; i < 30; i++) {
+                long timestamp = today - (i * 24 * 60 * 60 * 1000L);
+                maus[i] += ((ActiveUsersStorage)storage).countUsersThatHaveMoreThanOneLoginMethodAndActiveSince(appIdentifier, timestamp);
+            }
+        }
+
+        result.addProperty("totalUserCountWithMoreThanOneLoginMethod", totalUserCountWithMoreThanOneLoginMethod);
+        result.add("mauWithMoreThanOneLoginMethod", new Gson().toJsonTree(maus));
+        return result;
+    }
+
     private JsonArray getMAUs() throws StorageQueryException, TenantOrAppNotFoundException {
         JsonArray mauArr = new JsonArray();
         for (int i = 0; i < 30; i++) {
@@ -319,6 +362,10 @@ public JsonObject getPaidFeatureStats() throws StorageQueryException, TenantOrAp
             if (feature == EE_FEATURES.MULTI_TENANCY) {
                 usageStats.add(EE_FEATURES.MULTI_TENANCY.toString(), getMultiTenancyStats());
             }
+
+            if (feature == EE_FEATURES.ACCOUNT_LINKING) {
+                usageStats.add(EE_FEATURES.ACCOUNT_LINKING.toString(), getAccountLinkingStats());
+            }
         }
 
         usageStats.add("maus", getMAUs());

pluginInterfaceSupported.json

@@ -1,6 +1,6 @@
 {
   "_comment": "contains a list of plugin interfaces branch names that this core supports",
   "versions": [
-    "3.0"
+    "4.0"
   ]
 }

src/main/java/io/supertokens/ActiveUsers.java

@@ -1,6 +1,8 @@
 package io.supertokens;
 
+import io.supertokens.pluginInterface.authRecipe.sqlStorage.AuthRecipeSQLStorage;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
 import io.supertokens.pluginInterface.multitenancy.AppIdentifierWithStorage;
 import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.storageLayer.StorageLayer;
@@ -37,4 +39,18 @@ public static int countUsersActiveSince(Main main, long time)
         return countUsersActiveSince(new AppIdentifierWithStorage(null, null, StorageLayer.getStorage(main)), main,
                 time);
     }
+
+    public static void removeActiveUser(AppIdentifierWithStorage appIdentifierWithStorage, String userId)
+            throws StorageQueryException {
+        try {
+            ((AuthRecipeSQLStorage) appIdentifierWithStorage.getActiveUsersStorage()).startTransaction(con -> {
+                appIdentifierWithStorage.getActiveUsersStorage().deleteUserActive_Transaction(con, appIdentifierWithStorage, userId);
+                ((AuthRecipeSQLStorage) appIdentifierWithStorage.getActiveUsersStorage()).commitTransaction(con);
+                return null;
+            });
+
+        } catch (StorageTransactionLogicException e) {
+            throw new StorageQueryException(e.actualException);
+        }
+    }
 }