-
Notifications
You must be signed in to change notification settings - Fork 11
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge branch 'master' of github.com:supertokens/blog into blog/all-yo…
…u-need-to-know
- Loading branch information
Showing
17 changed files
with
486 additions
and
8 deletions.
There are no files selected for viewing
223 changes: 223 additions & 0 deletions
223
content/how-to-create-an-invite-only-auth-flow/index.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,223 @@ | ||
--- | ||
title: How to create an invite-only auth flow in 2023 | ||
date: "2023-09-28" | ||
description: "Invite only flows can drive exclusivity and enhance user engagement. In this blog we will go over how you can customize SuperTokens authentication to create an invite only flow" | ||
cover: "how-to-create-an-invite-only-auth-flow.png" | ||
category: "programming" | ||
author: "Joel Coutinho" | ||
--- | ||
|
||
|
||
## Introduction | ||
Whether aiming to boost referrals, drive exclusivity, or simply enhance user engagement, a well-crafted invite flow can make all the difference. In this blog post, we will delve into the steps of how you can secure your React app with Email-password authentication with SuperTokens, customized to have an invite-only flow. | ||
|
||
|
||
## Setup | ||
Our demo app will use a React frontend with a NodeJS backend, but the instructions should translate to other frameworks and languages. You can find the list of [SuperTokens-supported frameworks and languages here](https://supertokens.com/docs/community/sdks). | ||
|
||
We can start a new project configured with SuperTokens using their CLI with the following command: | ||
|
||
`npx create-supertokens-app@latest` | ||
|
||
You should see the following output: | ||
|
||
![SuperTokens CLI](./supertokens-cli.png) | ||
|
||
|
||
Follow the prompts on-screen and set up an app with a React frontend, and NodeJs backend configured with email-password based authentication. | ||
|
||
We can now start customizing the authentication flows to enable invite-only authentication | ||
|
||
## Step 1: Disable Sign Ups | ||
If you were to run the example application now, you will be greeted with the authentication page. This page allows you to sign users up. We will need to disable the sign-up UI on the frontend and disable the sign up API on the backend. | ||
|
||
![SuperTokens Sign Up screen](./sign-in-screen.png) | ||
|
||
### Disable the sign up UI in SuperTokens Frontend config | ||
|
||
We can customize the frontend UI and use CSS to to hide the sign up button. | ||
|
||
```tsx | ||
import SuperTokens from "supertokens-auth-react"; | ||
import EmailPassword from "supertokens-auth-react/recipe/emailpassword"; | ||
|
||
SuperTokens.init({ | ||
appInfo: { | ||
apiDomain: "...", | ||
appName: "...", | ||
websiteDomain: "..." | ||
}, | ||
recipeList: [ | ||
EmailPassword.init({ | ||
signInAndUpFeature: { | ||
signInForm: { | ||
style: ` | ||
[data-supertokens~=headerSubtitle] { | ||
display: none; | ||
} | ||
`, | ||
} | ||
}, | ||
}), | ||
] | ||
}); | ||
``` | ||
|
||
This should hide the button which allows you to switch to the sign up screen. | ||
|
||
![SuperTokens Sign Up screen with sign up disabled](./sign-in-screen-sign-up-disabled.png) | ||
|
||
### Disable the sign up API in SuperTokens Backend config | ||
|
||
We override the SuperTokens backend config to disable the public facing sign up API: | ||
|
||
```ts | ||
import SuperTokens from "supertokens-node"; | ||
import EmailPassword from "supertokens-node/recipe/emailpassword"; | ||
|
||
SuperTokens.init({ | ||
appInfo: { | ||
apiDomain: "...", | ||
appName: "...", | ||
websiteDomain: "..." | ||
}, | ||
supertokens: { | ||
connectionURI: "...", | ||
}, | ||
recipeList: [ | ||
EmailPassword.init({ | ||
override: { | ||
apis: (originalImplementation) => { | ||
return { | ||
...originalImplementation, | ||
signUpPOST: undefined, | ||
} | ||
} | ||
} | ||
}) | ||
] | ||
}); | ||
``` | ||
|
||
## Step 2: Creating the invite-only flow | ||
|
||
### Create a protected API that will create users and send invite links | ||
To create users and send them an invite links we will need to create an API on the backend which will: | ||
|
||
- Call the `signUp` function from the SuperTokens backend SDK using the user's email and a fake password. This fake password should be unguessable and should be shared across all invited users. | ||
- Generate a password reset link and send that as an invite link to the user's email. | ||
- Once the user clicks the link, they will be shown a page asking them to input their password after which, they can login. | ||
- Finally we add an access control check to make sure that only users with the `admin` role can add additional users. | ||
|
||
```ts | ||
|
||
import express from "express"; | ||
import { verifySession } from "supertokens-node/recipe/session/framework/express"; | ||
import { SessionRequest } from "supertokens-node/framework/express"; | ||
import UserRoles from "supertokens-node/recipe/userroles"; | ||
import EmailPassword from "supertokens-node/recipe/emailpassword"; | ||
|
||
const FAKE_PASSWORD = "asokdA87fnf30efjoiOI**cwjkn"; | ||
|
||
let app = express(); | ||
|
||
app.post("/create-user", verifySession({ | ||
overrideGlobalClaimValidators: async function (globalClaimValidators) { | ||
return [...globalClaimValidators, | ||
UserRoles.UserRoleClaim.validators.includes("admin")] | ||
} | ||
}), async (req: SessionRequest, res) => { | ||
let email = req.body.email; | ||
|
||
let signUpResult = await EmailPassword.signUp("public", email, FAKE_PASSWORD); | ||
if (signUpResult.status === "EMAIL_ALREADY_EXISTS_ERROR") { | ||
res.status(400).send("User already exists"); | ||
return; | ||
} | ||
|
||
// we successfully created the user. Now we should send them their invite link | ||
await EmailPassword.sendResetPasswordEmail("public", signUpResult.user.id); | ||
|
||
res.send("Success"); | ||
}); | ||
``` | ||
|
||
>Note: | ||
> - The code above uses the default password reset path for the invite link (`/auth/reset-password`). You can create custom UI hosted on another path and use the password reset functions provided by the SuperTOkens frontend SDK to call the password reset token consumption API from the frontend. | ||
> - Additionally the `sendResetPasswordEmail` function uses the default password reset email(or the one customized using the emailDelivery config). If you would like to create the reset password link and send it yourself, you can use the `createResetPasswordLink` function to generate the password reset string. | ||
### Ensure that invited users have reset their passwords | ||
|
||
To ensure that users who have reset their passwords, we need to make the following changes: | ||
|
||
- Prevent users from signing in with the `FAKE_PASSWORD`. | ||
- Prevent users from resetting their password by setting their new password as the `FAKE_PASSWORD`. | ||
- Prevent users from updating their password and setting it to the `FAKE_PASSWORD`. | ||
|
||
|
||
|
||
```ts | ||
import SuperTokens from "supertokens-node"; | ||
import EmailPassword from "supertokens-node/recipe/emailpassword"; | ||
|
||
const FAKE_PASSWORD = "asokdA87fnf30efjoiOI**cwjkn" | ||
|
||
SuperTokens.init({ | ||
appInfo: { | ||
apiDomain: "...", | ||
appName: "...", | ||
websiteDomain: "..." | ||
}, | ||
supertokens: { | ||
connectionURI: "...", | ||
}, | ||
recipeList: [ | ||
EmailPassword.init({ | ||
override: { | ||
apis: (originalImplementation) => { | ||
// ... override from previous code snippets... | ||
return originalImplementation | ||
}, | ||
functions: (originalImplementation) => { | ||
return { | ||
...originalImplementation, | ||
updateEmailOrPassword: async function (input) { | ||
// This can be called on the backend | ||
// in your own APIs | ||
if (input.password === FAKE_PASSWORD) { | ||
throw new Error("Use a different password") | ||
} | ||
|
||
return originalImplementation.updateEmailOrPassword(input); | ||
}, | ||
resetPasswordUsingToken: async function (input) { | ||
// This is called during the password reset flow | ||
// when the user enters their new password | ||
if (input.newPassword === FAKE_PASSWORD) { | ||
return { | ||
status: "RESET_PASSWORD_INVALID_TOKEN_ERROR" | ||
} | ||
} | ||
return originalImplementation.resetPasswordUsingToken(input); | ||
}, | ||
signIn: async function (input) { | ||
// This is called in the email password sign in API | ||
if (input.password === FAKE_PASSWORD) { | ||
return { | ||
status: "WRONG_CREDENTIALS_ERROR" | ||
} | ||
} | ||
return originalImplementation.signIn(input); | ||
}, | ||
} | ||
} | ||
} | ||
}) | ||
] | ||
}); | ||
``` | ||
|
||
And that's it! Your app now only allows invited users to log in. Once a user is invited they will be sent an email asking to reset their password post which they are able to sign in. | ||
|
||
## Conclusion | ||
Although there a few customizations that needed to be made, setting up an invite only flow with SuperTokens is pretty straight forward. You can find the related [documentation for the invite flow here](https://supertokens.com/docs/emailpassword/common-customizations/disable-sign-up/emailpassword-changes) if you need the code for other languages/frameworks. |
Binary file added
BIN
+14.1 KB
content/how-to-create-an-invite-only-auth-flow/sign-in-screen-sign-up-disabled.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,52 @@ | ||
--- | ||
title: How we cut our AWS costs by more than 50% | ||
date: "2023-09-19" | ||
description: "Part 1 in a series of how we were able to cut down our AWS infrastructure costs by more than 50%" | ||
cover: "how-we-cut-our-aws-costs.png" | ||
category: "programming" | ||
author: "Joel Coutinho" | ||
--- | ||
|
||
In this two part series we will go over SuperTokens manged service infrastructure and the changes we made to cut our AWS billing by more than 50%. | ||
|
||
**Part 1: How does the SuperTokens managed service work and why does it need to change.** | ||
|
||
## Introduction | ||
|
||
The SuperTokens managed service powers numerous web products, mobile applications, and services and is primarily hosted on AWS. Our infrastructure leverages a suite of AWS tools, including AWS RDS for our database, EC2 instances for SuperToken deployments, and System Manager for instance management and automation. Over time, we've refined our deployment cycle to enhance stability, fault tolerance, and cost efficiency but our most recent update has yielded our biggest savings yet, slashing costs by over 50% while achieving [record scalability](https://twitter.com/supertokensio/status/1701600309397852270). | ||
|
||
|
||
## What was the SuperTokens infrastructure like? | ||
|
||
To gain a better understanding of the SuperTokens infrastructure, it's crucial to grasp the deployment cycle. | ||
|
||
![SuperTokens Deployment process](./supertokens-deployment-process.png) | ||
|
||
SuperTokens allow users to use the SuperTokens SAAS service in two modes: development and production. Here’s the breakdown of each: | ||
|
||
**Development Mode:** | ||
The Development mode runs on an *EC2 T3.small* instance. To maximize resource utilization, we deploy up to seven development core instances on the same *T3.small* instance. This configuration results in a remarkably swift setup for new development cores, typically taking a mere 15-20 seconds and is suitable for testing purposes. | ||
|
||
**Production mode:** | ||
In contrast, production mode follows a different deployment strategy. Each production mode deployment is hosted on a dedicated *EC2 T2.micro* instance. This means that when a new production SuperTokens core instance needs to be created, a fresh *T2.micro* instance is spun up, and docker is installed on it using System Manager. Consequently, this process requires additional time compared to the development mode, with an average deployment time of around 4-5 minutes. | ||
|
||
|
||
For example, if 7 users were to sign up for SuperTokens, it would look like the following: | ||
|
||
![SuperTokens example Infrastructure](./supertokens-example-infrastructure.png) | ||
|
||
### Initial Improvements to the deployment cycle | ||
|
||
One of our initial optimizations focused on reducing the startup time for generating production instances. We recognized that creating a custom [AMI](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIs.html)(Amazon Machine Image) pre-installed with Docker alongside the operating system that would cut down on start-up time. This change trimmed approximately 45 seconds from the production deployment procedure, reducing the setup time to approximately 3-4 minutes. | ||
|
||
In retrospect, another avenue for improvement that we identified was the usage of [AWS Reserved Instances](https://aws.amazon.com/ec2/pricing/reserved-instances/). While this approach would have entailed an upfront cost, it would have resulted in substantial long-term savings. | ||
|
||
So what prompted us to change our deployment process? | ||
|
||
## Why we had to change our deployment process | ||
The past year has been quite a ride for SuperTokens. We released a host of new features and saw a big uptick in users. But, as our user numbers climbed, so did our infrastructure costs. With our AWS credits running out soon, we knew we had to do something to cut our expenses. | ||
|
||
With the release of our new multi-tenancy feature we saw the opportunity to consolidate core instances to optimize the utilization of our EC2 instances to cut down our costs while also providing the expected performance. | ||
|
||
In part 2 we will go over the changes we made to achieve this. | ||
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added
BIN
+50.8 KB
content/how-we-cut-our-aws-costs/supertokens-example-infrastructure.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.