fix: getUserByAccountInfo fix to consider tenantId instead of appId (#1153)

Author: tamassoltesz

CHANGELOG.md

@@ -7,6 +7,10 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [11.0.2]
+
+- Fixes `AuthRecipe#getUserByAccountInfo` to consider the tenantId instead of the appId when fetching the webauthn user
+
 ## [11.0.1]
 
 - Upgrades the embedded tomcat 11.0.6 and logback classic to 1.5.13 because of security vulnerabilities

build.gradle

@@ -8,6 +8,7 @@
 
 plugins {
     id 'application'
+    id 'java-library'
 }
 compileJava { options.encoding = "UTF-8" }
 compileTestJava { options.encoding = "UTF-8" }
@@ -19,7 +20,7 @@ compileTestJava { options.encoding = "UTF-8" }
 //    }
 //}
 
-version = "11.0.1"
+version = "11.0.2"
 
 repositories {
     mavenCentral()
@@ -45,7 +46,7 @@ dependencies {
     implementation group: 'ch.qos.logback', name: 'logback-classic', version: '1.5.13'
 
     // https://mvnrepository.com/artifact/org.apache.tomcat.embed/tomcat-embed-core
-    implementation group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '11.0.6'
+    api group: 'org.apache.tomcat.embed', name: 'tomcat-embed-core', version: '11.0.6'
 
     // https://mvnrepository.com/artifact/com.google.code.findbugs/jsr305
     implementation group: 'com.google.code.findbugs', name: 'jsr305', version: '3.0.2'

src/main/java/io/supertokens/inmemorydb/queries/GeneralQueries.java

@@ -1275,7 +1275,8 @@ public static AuthRecipeUserInfo[] listPrimaryUsersByEmail_Transaction(Start sta
 
         userIds.addAll(ThirdPartyQueries.getPrimaryUserIdUsingEmail_Transaction(start, sqlCon, appIdentifier, email));
 
-        String webauthnUserId = WebAuthNQueries.getPrimaryUserIdUsingEmail_Transaction(start, sqlCon, appIdentifier, email);
+        String webauthnUserId = WebAuthNQueries.getPrimaryUserIdForAppUsingEmail_Transaction(start, sqlCon,
+                appIdentifier, email);
         if(webauthnUserId != null) {
             userIds.add(webauthnUserId);
         }
@@ -1312,7 +1313,7 @@ public static AuthRecipeUserInfo[] listPrimaryUsersByEmail(Start start, TenantId
 
         userIds.addAll(ThirdPartyQueries.getPrimaryUserIdUsingEmail(start, tenantIdentifier, email));
 
-        String webauthnUserId = WebAuthNQueries.getPrimaryUserIdUsingEmail(start, tenantIdentifier.toAppIdentifier(), email);
+        String webauthnUserId = WebAuthNQueries.getPrimaryUserIdForTenantUsingEmail(start, tenantIdentifier, email);
         if(webauthnUserId != null) {
             userIds.add(webauthnUserId);
         }

src/main/java/io/supertokens/inmemorydb/queries/WebAuthNQueries.java

@@ -376,13 +376,15 @@ private static AuthRecipeUserInfo getAuthRecipeUserInfo(Start start, Connection
         return userInfo;
     }
 
-    public static String getPrimaryUserIdUsingEmail(Start start, AppIdentifier appIdentifier, String email)
+    public static String getPrimaryUserIdForTenantUsingEmail(Start start, TenantIdentifier tenantIdentifier,
+                                                             String email)
             throws StorageQueryException {
         try {
             return start.startTransaction(con -> {
                 try {
                     Connection sqlConnection = (Connection) con.getConnection();
-                    return getPrimaryUserIdUsingEmail_Transaction(start, sqlConnection, appIdentifier, email);
+                    return getPrimaryUserIdForTenantUsingEmail_Transaction(start, sqlConnection, tenantIdentifier,
+                            email);
                 } catch (SQLException e) {
                     throw new StorageQueryException(e);
                 }
@@ -392,7 +394,30 @@ public static String getPrimaryUserIdUsingEmail(Start start, AppIdentifier appId
         }
     }
 
-    public static String getPrimaryUserIdUsingEmail_Transaction(Start start, Connection sqlConnection, AppIdentifier appIdentifier, String email)
+    public static String getPrimaryUserIdForTenantUsingEmail_Transaction(Start start, Connection sqlConnection,
+                                                                         TenantIdentifier tenantIdentifier,
+                                                                         String email)
+            throws SQLException, StorageQueryException {
+        String QUERY = "SELECT DISTINCT all_users.primary_or_recipe_user_id AS user_id "
+                + "FROM " + getConfig(start).getWebAuthNUserToTenantTable() + " AS ep" +
+                " JOIN " + getConfig(start).getUsersTable() + " AS all_users" +
+                " ON ep.app_id = all_users.app_id AND ep.user_id = all_users.user_id" +
+                " WHERE ep.app_id = ? AND ep.email = ? AND ep.tenant_id = ?";
+
+        return execute(sqlConnection, QUERY, pst -> {
+            pst.setString(1, tenantIdentifier.getAppId());
+            pst.setString(2, email);
+            pst.setString(3, tenantIdentifier.getTenantId());
+        }, result -> {
+            if (result.next()) {
+                 return result.getString("user_id");
+            }
+            return null;
+        });
+    }
+
+    public static String getPrimaryUserIdForAppUsingEmail_Transaction(Start start, Connection sqlConnection,
+                                                                      AppIdentifier appIdentifier, String email)
             throws SQLException, StorageQueryException {
         String QUERY = "SELECT DISTINCT all_users.primary_or_recipe_user_id AS user_id "
                 + "FROM " + getConfig(start).getWebAuthNUserToTenantTable() + " AS ep" +
@@ -405,7 +430,7 @@ public static String getPrimaryUserIdUsingEmail_Transaction(Start start, Connect
             pst.setString(2, email);
         }, result -> {
             if (result.next()) {
-                 return result.getString("user_id");
+                return result.getString("user_id");
             }
             return null;
         });

src/test/java/io/supertokens/test/AuthRecipeTest.java

@@ -17,19 +17,41 @@
 package io.supertokens.test;
 
 import com.google.gson.JsonObject;
+import io.supertokens.Main;
 import io.supertokens.ProcessState;
+import io.supertokens.ResourceDistributor;
 import io.supertokens.authRecipe.AuthRecipe;
 import io.supertokens.authRecipe.UserPaginationContainer;
+import io.supertokens.authRecipe.exception.AccountInfoAlreadyAssociatedWithAnotherPrimaryUserIdException;
+import io.supertokens.authRecipe.exception.InputUserIdIsNotAPrimaryUserException;
+import io.supertokens.authRecipe.exception.RecipeUserIdAlreadyLinkedWithAnotherPrimaryUserIdException;
+import io.supertokens.authRecipe.exception.RecipeUserIdAlreadyLinkedWithPrimaryUserIdException;
 import io.supertokens.emailpassword.EmailPassword;
 import io.supertokens.emailverification.EmailVerification;
+import io.supertokens.emailverification.exception.EmailAlreadyVerifiedException;
 import io.supertokens.emailverification.exception.EmailVerificationInvalidTokenException;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.multitenancy.Multitenancy;
+import io.supertokens.multitenancy.exception.BadPermissionException;
+import io.supertokens.multitenancy.exception.CannotModifyBaseConfigException;
 import io.supertokens.passwordless.Passwordless;
 import io.supertokens.passwordless.Passwordless.CreateCodeResponse;
 import io.supertokens.pluginInterface.RECIPE_ID;
 import io.supertokens.pluginInterface.STORAGE_TYPE;
 import io.supertokens.pluginInterface.authRecipe.AuthRecipeUserInfo;
+import io.supertokens.pluginInterface.emailpassword.exceptions.DuplicateEmailException;
+import io.supertokens.pluginInterface.emailpassword.exceptions.UnknownUserIdException;
+import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
+import io.supertokens.pluginInterface.exceptions.StorageQueryException;
+import io.supertokens.pluginInterface.exceptions.StorageTransactionLogicException;
+import io.supertokens.pluginInterface.multitenancy.*;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
 import io.supertokens.session.Session;
 import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.httpRequest.HttpResponseException;
+import io.supertokens.thirdparty.InvalidProviderConfigException;
 import io.supertokens.thirdparty.ThirdParty;
 import io.supertokens.usermetadata.UserMetadata;
 import io.supertokens.version.Version;
@@ -38,15 +60,16 @@
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.TestRule;
-import org.reflections.Reflections;
 
+import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
+import java.security.spec.InvalidKeySpecException;
 import java.util.*;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.function.Function;
-import java.util.stream.Collectors;
 
 import static org.junit.Assert.*;
 
@@ -660,6 +683,95 @@ public void deleteUserTest() throws Exception {
         assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
     }
 
+    @Test
+    public void loadUsersByAccountInfoReturnsUsersForTenantOnly()
+            throws InterruptedException, TenantOrAppNotFoundException, InvalidProviderConfigException,
+            StorageQueryException, FeatureNotEnabledException, IOException, InvalidConfigException,
+            CannotModifyBaseConfigException, BadPermissionException, DuplicateEmailException, HttpResponseException,
+            AccountInfoAlreadyAssociatedWithAnotherPrimaryUserIdException, InputUserIdIsNotAPrimaryUserException,
+            RecipeUserIdAlreadyLinkedWithAnotherPrimaryUserIdException, UnknownUserIdException,
+            RecipeUserIdAlreadyLinkedWithPrimaryUserIdException, EmailVerificationInvalidTokenException,
+            StorageTransactionLogicException, NoSuchAlgorithmException, EmailAlreadyVerifiedException,
+            InvalidKeySpecException {
+        String[] args = {"../"};
+
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        Main main = process.getProcess();
+
+        FeatureFlagTestContent.getInstance(process.getProcess())
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{
+                        EE_FEATURES.MULTI_TENANCY, EE_FEATURES.ACCOUNT_LINKING});
+
+        // tenant 1
+        TenantIdentifier tenantIdentifier = ResourceDistributor.getAppForTesting();
+
+        // tenant 2
+        JsonObject config2 = new JsonObject();
+        TenantIdentifier tenantIdentifier2 = new TenantIdentifier(tenantIdentifier.getConnectionUriDomain(),
+                tenantIdentifier.getAppId(), "t1");
+
+        Multitenancy.addNewOrUpdateAppOrTenant(
+                main,
+                tenantIdentifier,
+                new TenantConfig(
+                        tenantIdentifier2,
+                        new EmailPasswordConfig(true),
+                        new ThirdPartyConfig(true, null),
+                        new PasswordlessConfig(true),
+                        null, null, config2
+                )
+        );
+
+        AuthRecipeUserInfo publicTenantUser = EmailPassword.signUp(tenantIdentifier,
+                StorageLayer.getStorage(main), main,
+                "[email protected]", "password");
+
+        EmailPassword.signUp(tenantIdentifier2, StorageLayer.getStorage(main), main,
+                "[email protected]", "password");
+
+        List<JsonObject> webauthnUsers = io.supertokens.test.webauthn.Utils.registerUsers(main, 1);
+
+        String token = EmailVerification.generateEmailVerificationToken(main,
+                publicTenantUser.getSupertokensUserId(), "[email protected]");
+        EmailVerification.verifyEmail(main, token);
+
+        AuthRecipe.CreatePrimaryUserResult result = AuthRecipe.createPrimaryUser(main,
+                tenantIdentifier.toAppIdentifier(), StorageLayer.getStorage(main),
+                publicTenantUser.getSupertokensUserId());
+
+        publicTenantUser = AuthRecipe.getUserById(tenantIdentifier.toAppIdentifier(), StorageLayer.getStorage(main),
+                result.user.getSupertokensUserId());
+
+        AuthRecipe.linkAccounts(main,
+                webauthnUsers.getFirst().getAsJsonObject("user").get("id").getAsString(),
+                publicTenantUser.getSupertokensUserId());
+
+        AuthRecipeUserInfo[] usersByEmail = AuthRecipe.getUsersByAccountInfo(tenantIdentifier2,
+                StorageLayer.getStorage(tenantIdentifier2, main), false,
+                "[email protected]", null, null, null, null);
+
+        assertEquals(1, usersByEmail.length);
+        assertEquals(1, usersByEmail[0].loginMethods.length);
+        assertEquals(1, usersByEmail[0].tenantIds.size());
+        assertEquals("t1", usersByEmail[0].tenantIds.toArray()[0]);
+
+
+        usersByEmail = AuthRecipe.getUsersByAccountInfo(tenantIdentifier,
+                StorageLayer.getStorage(tenantIdentifier, main), false,
+                "[email protected]", null, null, null, null);
+
+        assertEquals(1, usersByEmail.length);
+        assertEquals(2, usersByEmail[0].loginMethods.length);
+        assertEquals(1, usersByEmail[0].tenantIds.size());
+        assertEquals("public", usersByEmail[0].tenantIds.toArray()[0]);
+    }
+
     private static List<String> getAuthRecipes() {
         return Arrays.asList("emailpassword", "thirdparty", "passwordless");
     }

src/test/java/io/supertokens/test/TestServiceUtils.java

@@ -34,8 +34,6 @@ public static void startServices() {
         try {
             OAuthProviderService.startService();
             PostgresqlService.startService();
-            MysqlService.startService();
-            MongodbService.startService();
         } catch (Exception e) {
             throw new RuntimeException(e);
         }
@@ -44,8 +42,6 @@ public static void startServices() {
     public static void killServices() throws InterruptedException, IOException {
         OAuthProviderService.killService();
         PostgresqlService.killService();
-        MysqlService.killService();
-        MongodbService.killService();
     }
 
     private static class CmdHelper {