supertokens
diff --git a/‎html/supertokens_python/constants.html‎
Lines changed: 1 addition & 1 deletion b/‎html/supertokens_python/constants.html‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎html/supertokens_python/recipe/emailpassword/emaildelivery/services/smtp/password_reset_email.html‎
Lines changed: 4 additions & 0 deletions b/‎html/supertokens_python/recipe/emailpassword/emaildelivery/services/smtp/password_reset_email.html‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎html/supertokens_python/recipe/jwt/recipe_implementation.html‎
Lines changed: 3 additions & 3 deletions b/‎html/supertokens_python/recipe/jwt/recipe_implementation.html‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎html/supertokens_python/recipe/session/access_token.html‎
Lines changed: 60 additions & 70 deletions b/‎html/supertokens_python/recipe/session/access_token.html‎
Lines changed: 60 additions & 70 deletions
diff --git a/‎html/supertokens_python/recipe/session/api/implementation.html‎
Lines changed: 6 additions & 0 deletions b/‎html/supertokens_python/recipe/session/api/implementation.html‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎html/supertokens_python/recipe/session/constants.html‎
Lines changed: 1 addition & 2 deletions b/‎html/supertokens_python/recipe/session/constants.html‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎html/supertokens_python/recipe/session/framework/flask/index.html‎
Lines changed: 6 additions & 4 deletions b/‎html/supertokens_python/recipe/session/framework/flask/index.html‎
Lines changed: 6 additions & 4 deletions
diff --git a/‎html/supertokens_python/recipe/session/interfaces.html‎
Lines changed: 0 additions & 13 deletions b/‎html/supertokens_python/recipe/session/interfaces.html‎
Lines changed: 0 additions & 13 deletions
@@ -42,7 +42,7 @@ <h1 class="title">Module <code>supertokens_python.constants</code></h1>
 from __future__ import annotations
 
 SUPPORTED_CDI_VERSIONS = [&#34;2.21&#34;]
-VERSION = &#34;0.14.3&#34;
+VERSION = &#34;0.14.4&#34;
 TELEMETRY = &#34;/telemetry&#34;
 USER_COUNT = &#34;/users/count&#34;
 USER_DELETE = &#34;/user/remove&#34;
 
@@ -38,6 +38,10 @@ <h1 class="title">Module <code>supertokens_python.recipe.emailpassword.emaildeli
         &lt;title&gt;*|MC:SUBJECT|*&lt;/title&gt;
 
         &lt;style type=&#34;text/css&#34;&gt;
+            body {
+                        max-width: 100vw;
+                        overflow: hidden;
+                }
                 p {
                         margin: 10px 0;
                         padding: 0;
 
@@ -80,7 +80,7 @@ <h1 class="title">Module <code>supertokens_python.recipe.jwt.recipe_implementati
         data = {
             &#34;payload&#34;: payload,
             &#34;validity&#34;: validity_seconds,
-            &#34;use_static_signing_key&#34;: use_static_signing_key is not False,
+            &#34;useStaticSigningKey&#34;: use_static_signing_key is not False,
             &#34;algorithm&#34;: &#34;RS256&#34;,
             &#34;jwksDomain&#34;: self.app_info.api_domain.get_as_string_dangerous(),
         }
@@ -147,7 +147,7 @@ <h2 class="section-title" id="header-classes">Classes</h2>
         data = {
             &#34;payload&#34;: payload,
             &#34;validity&#34;: validity_seconds,
-            &#34;use_static_signing_key&#34;: use_static_signing_key is not False,
+            &#34;useStaticSigningKey&#34;: use_static_signing_key is not False,
             &#34;algorithm&#34;: &#34;RS256&#34;,
             &#34;jwksDomain&#34;: self.app_info.api_domain.get_as_string_dangerous(),
         }
@@ -202,7 +202,7 @@ <h3>Methods</h3>
     data = {
         &#34;payload&#34;: payload,
         &#34;validity&#34;: validity_seconds,
-        &#34;use_static_signing_key&#34;: use_static_signing_key is not False,
+        &#34;useStaticSigningKey&#34;: use_static_signing_key is not False,
         &#34;algorithm&#34;: &#34;RS256&#34;,
         &#34;jwksDomain&#34;: self.app_info.api_domain.get_as_string_dangerous(),
     }
 
@@ -41,16 +41,15 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.access_token</c
 # under the License.
 from __future__ import annotations
 
-from typing import Any, Dict, List, Optional, Union
+from typing import Any, Dict, Optional, Union
 
 import jwt
-from jwt.exceptions import DecodeError, PyJWKClientError
+from jwt.exceptions import DecodeError
 
 from supertokens_python.logger import log_debug_message
 from supertokens_python.utils import get_timestamp_ms
 
 from .exceptions import raise_try_refresh_token_exception
-from .jwks import JWKClient, JWKSRequestError, PyJWK
 from .jwt import ParsedJWTInfo
 
 
@@ -71,47 +70,44 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.access_token</c
     return None
 
 
+from supertokens_python.recipe.session.jwks import get_latest_keys
+
+
 def get_info_from_access_token(
     jwt_info: ParsedJWTInfo,
-    jwk_clients: List[JWKClient],
     do_anti_csrf_check: bool,
 ):
     try:
         payload: Optional[Dict[str, Any]] = None
-        client: Optional[JWKClient] = None
-        keys: Optional[List[PyJWK]] = None
-
-        # Get the keys from the first available client
-        for c in jwk_clients:
-            try:
-                client = c
-                keys = c.get_latest_keys()
-                break
-            except JWKSRequestError:
-                continue
-
-        if keys is None or client is None:
-            raise PyJWKClientError(&#34;No key found&#34;)
-
-        if jwt_info.version &lt; 3:
+        decode_algo = (
+            jwt_info.parsed_header[&#34;alg&#34;]
+            if jwt_info.parsed_header is not None
+            else &#34;RS256&#34;
+        )
+
+        if jwt_info.version &gt;= 3:
+            matching_keys = get_latest_keys(jwt_info.kid)
+            payload = jwt.decode(  # type: ignore
+                jwt_info.raw_token_string,
+                matching_keys[0].key,  # type: ignore
+                algorithms=[decode_algo],
+                options={&#34;verify_signature&#34;: True, &#34;verify_exp&#34;: True},
+            )
+        else:
             # It won&#39;t have kid. So we&#39;ll have to try the token against all the keys from all the jwk_clients
             # If any of them work, we&#39;ll use that payload
-            for k in keys:
+            for k in get_latest_keys():
                 try:
-                    payload = jwt.decode(jwt_info.raw_token_string, k.key, algorithms=[&#34;RS256&#34;])  # type: ignore
+                    payload = jwt.decode(  # type: ignore
+                        jwt_info.raw_token_string,
+                        k.key,  # type: ignore
+                        algorithms=[decode_algo],
+                        options={&#34;verify_signature&#34;: True, &#34;verify_exp&#34;: True},
+                    )
                     break
                 except DecodeError:
                     pass
 
-        elif jwt_info.version &gt;= 3:
-            matching_key = client.get_matching_key_from_jwt(jwt_info.raw_token_string)
-            payload = jwt.decode(  # type: ignore
-                jwt_info.raw_token_string,
-                matching_key.key,  # type: ignore
-                algorithms=[&#34;RS256&#34;],
-                options={&#34;verify_signature&#34;: True, &#34;verify_exp&#34;: True},
-            )
-
         if payload is None:
             raise DecodeError(&#34;Could not decode the token&#34;)
 
@@ -138,7 +134,7 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.access_token</c
         if anti_csrf_token is None and do_anti_csrf_check:
             raise Exception(&#34;Access token does not contain the anti-csrf token&#34;)
 
-        assert isinstance(expiry_time, int)
+        assert isinstance(expiry_time, (float, int))
 
         if expiry_time &lt; get_timestamp_ms():
             raise Exception(&#34;Access token expired&#34;)
@@ -165,8 +161,8 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.access_token</c
     if version &gt;= 3:
         if (
             not isinstance(payload.get(&#34;sub&#34;), str)
-            or not isinstance(payload.get(&#34;exp&#34;), int)
-            or not isinstance(payload.get(&#34;iat&#34;), int)
+            or not isinstance(payload.get(&#34;exp&#34;), (int, float))
+            or not isinstance(payload.get(&#34;iat&#34;), (int, float))
             or not isinstance(payload.get(&#34;sessionHandle&#34;), str)
             or not isinstance(payload.get(&#34;refreshTokenHash1&#34;), str)
         ):
@@ -181,8 +177,8 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.access_token</c
         not isinstance(payload.get(&#34;sessionHandle&#34;), str)
         or payload.get(&#34;userData&#34;) is None
         or not isinstance(payload.get(&#34;refreshTokenHash1&#34;), str)
-        or not isinstance(payload.get(&#34;expiryTime&#34;), int)
-        or not isinstance(payload.get(&#34;timeCreated&#34;), int)
+        or not isinstance(payload.get(&#34;expiryTime&#34;), (float, int))
+        or not isinstance(payload.get(&#34;timeCreated&#34;), (float, int))
     ):
         log_debug_message(
             &#34;validateAccessTokenStructure: Access token is using version &lt; 3&#34;
@@ -201,7 +197,7 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.access_token</c
 <h2 class="section-title" id="header-functions">Functions</h2>
 <dl>
 <dt id="supertokens_python.recipe.session.access_token.get_info_from_access_token"><code class="name flex">
-<span>def <span class="ident">get_info_from_access_token</span></span>(<span>jwt_info: ParsedJWTInfo, jwk_clients: List[JWKClient], do_anti_csrf_check: bool)</span>
+<span>def <span class="ident">get_info_from_access_token</span></span>(<span>jwt_info: ParsedJWTInfo, do_anti_csrf_check: bool)</span>
 </code></dt>
 <dd>
 <div class="desc"></div>
@@ -211,45 +207,39 @@ <h2 class="section-title" id="header-functions">Functions</h2>
 </summary>
 <pre><code class="python">def get_info_from_access_token(
     jwt_info: ParsedJWTInfo,
-    jwk_clients: List[JWKClient],
     do_anti_csrf_check: bool,
 ):
     try:
         payload: Optional[Dict[str, Any]] = None
-        client: Optional[JWKClient] = None
-        keys: Optional[List[PyJWK]] = None
-
-        # Get the keys from the first available client
-        for c in jwk_clients:
-            try:
-                client = c
-                keys = c.get_latest_keys()
-                break
-            except JWKSRequestError:
-                continue
-
-        if keys is None or client is None:
-            raise PyJWKClientError(&#34;No key found&#34;)
-
-        if jwt_info.version &lt; 3:
+        decode_algo = (
+            jwt_info.parsed_header[&#34;alg&#34;]
+            if jwt_info.parsed_header is not None
+            else &#34;RS256&#34;
+        )
+
+        if jwt_info.version &gt;= 3:
+            matching_keys = get_latest_keys(jwt_info.kid)
+            payload = jwt.decode(  # type: ignore
+                jwt_info.raw_token_string,
+                matching_keys[0].key,  # type: ignore
+                algorithms=[decode_algo],
+                options={&#34;verify_signature&#34;: True, &#34;verify_exp&#34;: True},
+            )
+        else:
             # It won&#39;t have kid. So we&#39;ll have to try the token against all the keys from all the jwk_clients
             # If any of them work, we&#39;ll use that payload
-            for k in keys:
+            for k in get_latest_keys():
                 try:
-                    payload = jwt.decode(jwt_info.raw_token_string, k.key, algorithms=[&#34;RS256&#34;])  # type: ignore
+                    payload = jwt.decode(  # type: ignore
+                        jwt_info.raw_token_string,
+                        k.key,  # type: ignore
+                        algorithms=[decode_algo],
+                        options={&#34;verify_signature&#34;: True, &#34;verify_exp&#34;: True},
+                    )
                     break
                 except DecodeError:
                     pass
 
-        elif jwt_info.version &gt;= 3:
-            matching_key = client.get_matching_key_from_jwt(jwt_info.raw_token_string)
-            payload = jwt.decode(  # type: ignore
-                jwt_info.raw_token_string,
-                matching_key.key,  # type: ignore
-                algorithms=[&#34;RS256&#34;],
-                options={&#34;verify_signature&#34;: True, &#34;verify_exp&#34;: True},
-            )
-
         if payload is None:
             raise DecodeError(&#34;Could not decode the token&#34;)
 
@@ -276,7 +266,7 @@ <h2 class="section-title" id="header-functions">Functions</h2>
         if anti_csrf_token is None and do_anti_csrf_check:
             raise Exception(&#34;Access token does not contain the anti-csrf token&#34;)
 
-        assert isinstance(expiry_time, int)
+        assert isinstance(expiry_time, (float, int))
 
         if expiry_time &lt; get_timestamp_ms():
             raise Exception(&#34;Access token expired&#34;)
@@ -347,8 +337,8 @@ <h2 class="section-title" id="header-functions">Functions</h2>
     if version &gt;= 3:
         if (
             not isinstance(payload.get(&#34;sub&#34;), str)
-            or not isinstance(payload.get(&#34;exp&#34;), int)
-            or not isinstance(payload.get(&#34;iat&#34;), int)
+            or not isinstance(payload.get(&#34;exp&#34;), (int, float))
+            or not isinstance(payload.get(&#34;iat&#34;), (int, float))
             or not isinstance(payload.get(&#34;sessionHandle&#34;), str)
             or not isinstance(payload.get(&#34;refreshTokenHash1&#34;), str)
         ):
@@ -363,8 +353,8 @@ <h2 class="section-title" id="header-functions">Functions</h2>
         not isinstance(payload.get(&#34;sessionHandle&#34;), str)
         or payload.get(&#34;userData&#34;) is None
         or not isinstance(payload.get(&#34;refreshTokenHash1&#34;), str)
-        or not isinstance(payload.get(&#34;expiryTime&#34;), int)
-        or not isinstance(payload.get(&#34;timeCreated&#34;), int)
+        or not isinstance(payload.get(&#34;expiryTime&#34;), (float, int))
+        or not isinstance(payload.get(&#34;timeCreated&#34;), (float, int))
     ):
         log_debug_message(
             &#34;validateAccessTokenStructure: Access token is using version &lt; 3&#34;
 
@@ -101,6 +101,8 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.api.implementat
     ) -&gt; Union[SessionContainer, None]:
         method = normalise_http_method(api_options.request.method())
         if method in (&#34;options&#34;, &#34;trace&#34;):
+            if session_required:
+                raise Exception(f&#34;verify_session cannot be used with {method} method&#34;)
             return None
         incoming_path = NormalisedURLPath(api_options.request.get_path())
         refresh_token_path = api_options.config.refresh_token_path
@@ -181,6 +183,8 @@ <h2 class="section-title" id="header-classes">Classes</h2>
     ) -&gt; Union[SessionContainer, None]:
         method = normalise_http_method(api_options.request.method())
         if method in (&#34;options&#34;, &#34;trace&#34;):
+            if session_required:
+                raise Exception(f&#34;verify_session cannot be used with {method} method&#34;)
             return None
         incoming_path = NormalisedURLPath(api_options.request.get_path())
         refresh_token_path = api_options.config.refresh_token_path
@@ -276,6 +280,8 @@ <h3>Methods</h3>
 ) -&gt; Union[SessionContainer, None]:
     method = normalise_http_method(api_options.request.method())
     if method in (&#34;options&#34;, &#34;trace&#34;):
+        if session_required:
+            raise Exception(f&#34;verify_session cannot be used with {method} method&#34;)
         return None
     incoming_path = NormalisedURLPath(api_options.request.get_path())
     refresh_token_path = api_options.config.refresh_token_path
 
@@ -61,8 +61,7 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.constants</code
 
 available_token_transfer_methods: List[TokenTransferMethod] = [&#34;cookie&#34;, &#34;header&#34;]
 
-JWKCacheMaxAgeInMs = 60 * 1000  # 1min
-JWKRequestCooldownInMs = 500  # 0.5s
+JWKCacheMaxAgeInMs = 60 * 1000  # 60s
 protected_props = [
     &#34;sub&#34;,
     &#34;iat&#34;,
 
@@ -89,8 +89,9 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.framework.flask
                 baseRequest.set_session_as_none()
             else:
                 baseRequest.set_session(session)
-            response = make_response(f(*args, **kwargs))
-            return response
+
+            response = f(*args, **kwargs)
+            return make_response(response) if response is not None else None
 
         return cast(_T, wrapped_function)
 
@@ -151,8 +152,9 @@ <h2 class="section-title" id="header-functions">Functions</h2>
                 baseRequest.set_session_as_none()
             else:
                 baseRequest.set_session(session)
-            response = make_response(f(*args, **kwargs))
-            return response
+
+            response = f(*args, **kwargs)
+            return make_response(response) if response is not None else None
 
         return cast(_T, wrapped_function)
 
 
@@ -64,7 +64,6 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.interfaces</cod
 
 if TYPE_CHECKING:
     from supertokens_python.framework import BaseRequest
-    from .jwks import JWKClient
 
 from supertokens_python.framework import BaseResponse
 
@@ -156,8 +155,6 @@ <h1 class="title">Module <code>supertokens_python.recipe.session.interfaces</cod
 
 
 class RecipeInterface(ABC):  # pylint: disable=too-many-public-methods
-    JWK_clients: List[JWKClient] = []
-
     def __init__(self):
         pass
 
@@ -1008,8 +1005,6 @@ <h3>Class variables</h3>
 <span>Expand source code</span>
 </summary>
 <pre><code class="python">class RecipeInterface(ABC):  # pylint: disable=too-many-public-methods
-    JWK_clients: List[JWKClient] = []
-
     def __init__(self):
         pass
 
@@ -1183,13 +1178,6 @@ <h3>Subclasses</h3>
 <ul class="hlist">
 <li><a title="supertokens_python.recipe.session.recipe_implementation.RecipeImplementation" href="recipe_implementation.html#supertokens_python.recipe.session.recipe_implementation.RecipeImplementation">RecipeImplementation</a></li>
 </ul>
-<h3>Class variables</h3>
-<dl>
-<dt id="supertokens_python.recipe.session.interfaces.RecipeInterface.JWK_clients"><code class="name">var <span class="ident">JWK_clients</span> : List[JWKClient]</code></dt>
-<dd>
-<div class="desc"></div>
-</dd>
-</dl>
 <h3>Methods</h3>
 <dl>
 <dt id="supertokens_python.recipe.session.interfaces.RecipeInterface.create_new_session"><code class="name flex">
@@ -2697,7 +2685,6 @@ <h4><code><a title="supertokens_python.recipe.session.interfaces.GetSessionToken
 <li>
 <h4><code><a title="supertokens_python.recipe.session.interfaces.RecipeInterface" href="#supertokens_python.recipe.session.interfaces.RecipeInterface">RecipeInterface</a></code></h4>
 <ul class="">
-<li><code><a title="supertokens_python.recipe.session.interfaces.RecipeInterface.JWK_clients" href="#supertokens_python.recipe.session.interfaces.RecipeInterface.JWK_clients">JWK_clients</a></code></li>
 <li><code><a title="supertokens_python.recipe.session.interfaces.RecipeInterface.create_new_session" href="#supertokens_python.recipe.session.interfaces.RecipeInterface.create_new_session">create_new_session</a></code></li>
 <li><code><a title="supertokens_python.recipe.session.interfaces.RecipeInterface.fetch_and_set_claim" href="#supertokens_python.recipe.session.interfaces.RecipeInterface.fetch_and_set_claim">fetch_and_set_claim</a></code></li>
 <li><code><a title="supertokens_python.recipe.session.interfaces.RecipeInterface.get_all_session_handles_for_user" href="#supertokens_python.recipe.session.interfaces.RecipeInterface.get_all_session_handles_for_user">get_all_session_handles_for_user</a></code></li>