supertokens · rishabhpoddar · Apr 5, 2023 · Jan 30, 2023 · Jan 30, 2023 · Feb 13, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,127 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [unreleased]
 
+## [5.0.0] - 2023-04-05
+
+### Fixes
+
+- Fixed creating JWTs using MongoDB if a key already exists
+
+### Breaking changes
+
+- Using an internal `SemVer` class to handle version numbers. This will make handling CDI version ranges easier.
+- Support for CDI version `2.21`
+  - Removed POST `/recipe/handshake`
+  - Added `useDynamicSigningKey` into `createNewSession` (POST `/recipe/session`), replacing 
+    `access_token_signing_key_dynamic` used in CDI<=2.18
+  - Added `useStaticSigningKey` into `createSignedJWT` (POST `/recipe/jwt`)
+  - Added `checkDatabase` into `verifySession` (POST `/recipe/session/verify`), replacing 
+    `access_token_blacklisting` used in CDI<=2.18
+  - Removed `idRefreshToken`, `jwtSigningPublicKey`, `jwtSigningPublicKeyExpiryTime` and `jwtSigningPublicKeyList` 
+    from responses
+  - Deprecated GET `/recipe/jwt/jwks`
+  - Added GET `/.well-known/jwks.json`: a standard jwks
+- Added new access token version
+  - Uses standard prop names (i.e.: `sub` instead of `userId`)
+  - Contains the id of the signing key in the header (as `kid`)
+  - Stores the user payload merged into the root level, instead of the `userData` prop
+- Session handling function now throw if the user payload contains protected props (`sub`, `iat`, `exp`, 
+  `sessionHandle`, `refreshTokenHash1`, `parentRefreshTokenHash1`, `antiCsrfToken`)
+  - A related exception type was added as `AccessTokenPayloadError`
+- Refactored the handling of signing keys
+- `createNewSession` now takes a `useStaticKey` parameter instead of depending on the 
+  `access_token_signing_key_dynamic` config value
+- `createJWTToken` now supports signing by a dynamic key
+- `getSession` now takes a `checkDatabase` parameter instead of using the `access_token_blacklisting` config value 
+- Updated plugin interface version to 2.21
+
+### Configuration Changes
+
+- `access_token_signing_key_dynamic` is now deprecated, only used for requests with CDI<=2.18
+- `access_token_blacklisting` is now deprecated, only used for requests with CDI<=2.18
+- Renamed `access_token_signing_key_update_interval` to `access_token_dynamic_signing_key_update_interval`
+
+### Database Changes
+
+- Added new `useStaticKey` field into session info
+- Manual migration is also required if `access_token_signing_key_dynamic` was set to true
+
+#### Migration steps for SQL
+- If using `access_token_signing_key_dynamic` false:
+  - `ALTER TABLE session_info ADD COLUMN use_static_key BOOLEAN NOT NULL DEFAULT(true);`
+  - ```sql
+    INSERT INTO jwt_signing_keys(key_id, key_string, algorithm, created_at)
+      select CONCAT('s-', created_at_time) as key_id, value as key_string, 'RS256' as algorithm, created_at_time as created_at
+      from session_access_token_signing_keys;
+    ```
+- If using `access_token_signing_key_dynamic` true:
+  - `ALTER TABLE session_info ADD COLUMN use_static_key BOOLEAN NOT NULL DEFAULT(false);` 
+
+#### Migration steps for MongoDB
+
+- If using `access_token_signing_key_dynamic` false:
+  - ```
+    db.session_info.update({},
+      {
+        "$set": {
+          "use_static_key": true
+        }
+      });
+    ```
+  - ```
+    db.key_value.aggregate([
+      {
+        "$match": {
+          _id: "access_token_signing_key_list"
+        }
+      },
+      {
+        $unwind: "$keys"
+      },
+      {
+        $addFields: {
+          _id: {
+            "$concat": [
+              "s-",
+              {
+                $convert: {
+                  input: "$keys.created_at_time",
+                  to: "string"
+                }
+              }
+            ]
+          },
+          "key_string": "$keys.value",
+          "algorithm": "RS256",
+          "created_at": "$keys.created_at_time",
+
+        }
+      },
+      {
+        "$project": {
+          "keys": 0,
+
+        }
+      },
+      {
+        "$merge": {
+          "into": "jwt_signing_keys",
+
+        }
+      }
+    ]);
+    ```
+
+- If using `access_token_signing_key_dynamic` true:
+  - ```
+    db.session_info.update({},
+      {
+        "$set": {
+          "use_static_key": false
+        }
+      });
+    ```
+
 ## [4.6.0] - 2023-03-30
 
 - Add Optional Search Tags to Pagination API to enable dashboard search

diff --git a/build.gradle b/build.gradle
@@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "4.6.0"
+version = "5.0.0"
 
 
 repositories {

diff --git a/config.yaml b/config.yaml
@@ -20,20 +20,19 @@ core_config_version: 0
 # access_token_validity:
 
 
-# (OPTIONAL | Default: false) boolean value. If true, allows for immediate revocation of any access token.
-# Keep in mind that setting this to true will result in a db query for each API call that
-# requires authentication.
+# (OPTIONAL | Default: false) boolean value. Deprecated, please see changelog. Only used in CDI<=2.18
+# If true, allows for immediate revocation of any access token. Keep in mind that setting this to true will result
+# in a db query for each API call that requires authentication.
 # access_token_blacklisting:
 
 
-# (OPTIONAL | Default: true) boolean value. If this is set to true, the JWT (access token)
-# signing key will change every fixed intervale of time.
+# (OPTIONAL | Default: true) boolean value. Deprecated, please see changelog.
+# If this is set to true, the access tokens created using CDI<=2.18 will be signed using a static signing key.
 # access_token_signing_key_dynamic:
 
 
-# (OPTIONAL | Default:168) integer value. Time in hours for how frequently the JWT (access token) signing key
-# will change. This value only makes sense if "access_token_signing_key_dynamic" is true.
-# access_token_signing_key_update_interval:
+# (OPTIONAL | Default:168) integer value. Time in hours for how frequently the dynamic signing key will change.
+# access_token_dynamic_signing_key_update_interval:
 
 
 # (OPTIONAL | Default: 144000) double value. Time in mins for how long a refresh token is valid for.

diff --git a/coreDriverInterfaceSupported.json b/coreDriverInterfaceSupported.json
@@ -14,6 +14,7 @@
     "2.17",
     "2.18",
     "2.19",
-    "2.20"
+    "2.20",
+    "2.21"
   ]
 }
diff --git a/devConfig.yaml b/devConfig.yaml
@@ -20,21 +20,22 @@ core_config_version: 0
 # access_token_validity:
 
 
-# (OPTIONAL | Default: false) boolean value. If true, allows for immediate revocation of any access token.
-# Keep in mind that setting this to true will result in a db query for each API call that
-# requires authentication.
+# (OPTIONAL | Default: false) boolean value. Deprecated, please see changelog. Only used in CDI<=2.18
+# If true, allows for immediate revocation of any access token. Keep in mind that setting this to true will result
+# in a db query for each API call that requires authentication.
 # access_token_blacklisting:
 
 
-# (OPTIONAL | Default: true) boolean value. If this is set to true, the JWT (access token)
-# signing key will change every fixed intervale of time.
+# (OPTIONAL | Default: true) boolean value. Deprecated, please see changelog.
+# If this is set to true, the access tokens created using CDI<=2.18 will be signed using a static signing key.
 # access_token_signing_key_dynamic:
 
 
-# (OPTIONAL | Default:168) integer value. Time in hours for how frequently the JWT (access token) signing key
-# will change. This value only makes sense if "access_token_signing_key_dynamic" is true.
-# access_token_signing_key_update_interval:
+# (OPTIONAL | Default:168) integer value. Time in hours for how frequently the dynamic signing key will change.
+# access_token_dynamic_signing_key_update_interval:
 
+# This is now deprecated, we only add this to the dev config to test if the fallback in the config parser works right
+# access_token_signing_key_update_interval:
 
 # (OPTIONAL | Default: 144000) double value. Time in mins for how long a refresh token is valid for.
 # refresh_token_validity:

diff --git a/ee/src/test/java/io/supertokens/ee/test/api/DeleteLicenseKeyAPITest.java b/ee/src/test/java/io/supertokens/ee/test/api/DeleteLicenseKeyAPITest.java
@@ -51,7 +51,7 @@ public void testDeletingLicenseKeyWhenItIsNotSet() throws Exception {
 
         JsonObject response = HttpRequestForTesting.sendJsonDELETERequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         assertEquals(1, response.entrySet().size());
         assertEquals("OK", response.get("status").getAsString());
 
@@ -83,7 +83,7 @@ public void testDeletingLicenseKey() throws Exception {
 
         JsonObject response = HttpRequestForTesting.sendJsonDELETERequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         assertEquals(1, response.entrySet().size());
         assertEquals("OK", response.get("status").getAsString());
 

diff --git a/ee/src/test/java/io/supertokens/ee/test/api/GetFeatureFlagAPITest.java b/ee/src/test/java/io/supertokens/ee/test/api/GetFeatureFlagAPITest.java
@@ -45,7 +45,7 @@ public void testRetrievingFeatureFlagInfoWhenNoLicenseKeyIsSet() throws Exceptio
 
         JsonObject response = HttpRequestForTesting.sendGETRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/featureflag",
-                null, 1000, 1000, null, WebserverAPI.getLatestCDIVersion(), "");
+                null, 1000, 1000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         assertEquals(3, response.entrySet().size());
         assertEquals("OK", response.get("status").getAsString());
         assertEquals(0, response.get("features").getAsJsonArray().size());
@@ -77,7 +77,7 @@ public void testRetrievingFeatureFlagInfoWhenLicenseKeyIsSet() throws Exception
 
         JsonObject response = HttpRequestForTesting.sendGETRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/featureflag",
-                null, 1000, 1000, null, WebserverAPI.getLatestCDIVersion(), "");
+                null, 1000, 1000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         assertEquals(3, response.entrySet().size());
         assertEquals("OK", response.get("status").getAsString());
         assertEquals(1, response.get("features").getAsJsonArray().size());

diff --git a/ee/src/test/java/io/supertokens/ee/test/api/GetLicenseKeyAPITest.java b/ee/src/test/java/io/supertokens/ee/test/api/GetLicenseKeyAPITest.java
@@ -42,7 +42,7 @@ public void testRetrievingLicenseKeyWhenItIsNotSet() throws Exception {
 
         JsonObject response = HttpRequestForTesting.sendGETRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         Assert.assertEquals(1, response.entrySet().size());
         Assert.assertEquals("NO_LICENSE_KEY_FOUND_ERROR", response.get("status").getAsString());
 
@@ -64,7 +64,7 @@ public void testRetrievingLicenseKeyWhenItIsSet() throws Exception {
         // retrieve license key
         JsonObject response = HttpRequestForTesting.sendGETRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
 
         assertEquals(2, response.entrySet().size());
         assertEquals("OK", response.get("status").getAsString());
@@ -93,7 +93,7 @@ public void testRetrievingLicenseKeyWhenEEFolderDoesNotExist() throws Exception
         // retrieve license key
         JsonObject response = HttpRequestForTesting.sendGETRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                null, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
 
         Assert.assertEquals(1, response.entrySet().size());
         Assert.assertEquals("NO_LICENSE_KEY_FOUND_ERROR", response.get("status").getAsString());

diff --git a/ee/src/test/java/io/supertokens/ee/test/api/SetLicenseKeyAPITest.java b/ee/src/test/java/io/supertokens/ee/test/api/SetLicenseKeyAPITest.java
@@ -58,7 +58,7 @@ public void testSettingBadInput() throws Exception {
         try {
             HttpRequestForTesting.sendJsonPUTRequest(process.getProcess(), "",
                     "http://localhost:3567/ee/license",
-                    requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                    requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
             throw new Exception("should never come here");
         } catch (HttpResponseException e) {
             assertTrue(e.statusCode == 400 && e.getMessage().equals(
@@ -91,7 +91,7 @@ public void testSettingLicenseKeyWhenEEFolderDoesNotExist() throws Exception {
 
         JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         assertEquals(1, response.entrySet().size());
         assertEquals("MISSING_EE_FOLDER_ERROR", response.get("status").getAsString());
 
@@ -110,7 +110,7 @@ public void testSettingLicenseKeySuccessfully() throws Exception {
 
         JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         assertEquals(1, response.entrySet().size());
         assertEquals("OK", response.get("status").getAsString());
 
@@ -138,7 +138,7 @@ public void testCallingAPIToSyncLicenseKey() throws Exception {
 
         JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                new JsonObject(), 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                new JsonObject(), 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
         assertEquals(1, response.entrySet().size());
         assertEquals("OK", response.get("status").getAsString());
 
@@ -163,7 +163,7 @@ public void testSettingInvalidLicenseKey() throws Exception {
 
         JsonObject response = HttpRequestForTesting.sendJsonPUTRequest(process.getProcess(), "",
                 "http://localhost:3567/ee/license",
-                requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion(), "");
+                requestBody, 10000, 10000, null, WebserverAPI.getLatestCDIVersion().get(), "");
 
         assertEquals(1, response.entrySet().size());
         assertEquals("INVALID_LICENSE_KEY_ERROR", response.get("status").getAsString());

diff --git a/pluginInterfaceSupported.json b/pluginInterfaceSupported.json
@@ -1,6 +1,6 @@
 {
   "_comment": "contains a list of plugin interfaces branch names that this core supports",
   "versions": [
-    "2.22"
+    "2.23"
   ]
 }
diff --git a/src/main/java/io/supertokens/Main.java b/src/main/java/io/supertokens/Main.java
@@ -32,12 +32,13 @@
 import io.supertokens.exceptions.QuitProgramException;
 import io.supertokens.featureflag.FeatureFlag;
 import io.supertokens.inmemorydb.Start;
-import io.supertokens.jwt.JWTSigningKey;
+import io.supertokens.signingkeys.JWTSigningKey;
 import io.supertokens.output.Logging;
 import io.supertokens.pluginInterface.STORAGE_TYPE;
 import io.supertokens.pluginInterface.exceptions.StorageQueryException;
-import io.supertokens.session.accessToken.AccessTokenSigningKey;
+import io.supertokens.signingkeys.AccessTokenSigningKey;
 import io.supertokens.session.refreshToken.RefreshTokenKey;
+import io.supertokens.signingkeys.SigningKeys;
 import io.supertokens.storageLayer.StorageLayer;
 import io.supertokens.version.Version;
 import io.supertokens.webserver.Webserver;
@@ -193,6 +194,7 @@ private void init() throws IOException {
         AccessTokenSigningKey.init(this);
         RefreshTokenKey.init(this);
         JWTSigningKey.init(this);
+        SigningKeys.init(this);
 
         // starts removing old session cronjob
         Cronjobs.addCronjob(this, DeleteExpiredSessions.getInstance(this));
@@ -218,9 +220,7 @@ private void init() throws IOException {
         }
 
         // starts DeleteExpiredAccessTokenSigningKeys cronjob if the access token signing keys can change
-        if (Config.getConfig(this).getAccessTokenSigningKeyDynamic()) {
-            Cronjobs.addCronjob(this, DeleteExpiredAccessTokenSigningKeys.getInstance(this));
-        }
+        Cronjobs.addCronjob(this, DeleteExpiredAccessTokenSigningKeys.getInstance(this));
 
         // creates password hashing pool
         PasswordHashing.init(this);

diff --git a/src/main/java/io/supertokens/ProcessState.java b/src/main/java/io/supertokens/ProcessState.java
@@ -60,8 +60,7 @@ public synchronized void clear() {
     /**
      * INIT: Initialization started INIT_FAILURE: Initialization failed
      * STARTED: Initialized successfully SHUTTING_DOWN: Shut down signal received STOPPED
-     * RETRYING_ACCESS_TOKEN_JWT_VERIFICATION: When access
-     * token verification fails due to change in signing key, so we retry it
+     * RETRYING_ACCESS_TOKEN_JWT_VERIFICATION: When access token verification fails due to change in signing key, so we retry it
      * CRON_TASK_ERROR_LOGGING: When an exception is thrown from a Cronjob
      * DEVICE_DRIVER_INFO_LOGGED:When program is saving deviceDriverInfo into ping
      * SERVER_PING: When program is pinging the server with information
@@ -81,7 +80,7 @@ public synchronized void clear() {
     public enum PROCESS_STATE {
         INIT, INIT_FAILURE, STARTED, SHUTTING_DOWN, STOPPED, RETRYING_ACCESS_TOKEN_JWT_VERIFICATION,
         CRON_TASK_ERROR_LOGGING, WAITING_TO_INIT_STORAGE_MODULE, GET_SESSION_NEW_TOKENS, DEADLOCK_FOUND,
-        CREATING_NEW_TABLE, SENDING_TELEMETRY, SENT_TELEMETRY, SETTING_ACCESS_TOKEN_SIGNING_KEY_TO_NULL,
+        CREATING_NEW_TABLE, SENDING_TELEMETRY, SENT_TELEMETRY, UPDATING_ACCESS_TOKEN_SIGNING_KEYS,
         PASSWORD_HASH_BCRYPT, PASSWORD_HASH_ARGON, PASSWORD_VERIFY_BCRYPT, PASSWORD_VERIFY_ARGON,
         PASSWORD_VERIFY_FIREBASE_SCRYPT, ADDING_REMOTE_ADDRESS_FILTER, LICENSE_KEY_CHECK_NETWORK_CALL,
         INVALID_LICENSE_KEY, SERVER_ERROR_DURING_LICENSE_KEY_CHECK_FAIL
-Original file line number
+Diff line change
@@ Expand Up / @@ -19,7 +19,7 @@ compileTestJava { options.encoding = "UTF-8" } @@
     //    }
     //}
-    version = "4.6.0"
+    version = "5.0.0"
     repositories {
@@ Expand Down @@