[RELEASE]: Multi tenancy #731

Open
rishabhpoddar opened this issue Jun 30, 2023 · 3 comments

@rishabhpoddar
Member

rishabhpoddar commented Jun 30, 2023

📅 Checklist

🔶 Staging

Dev Tag

  • supertokens-core:X.Y
    • core
      • check CDI, plugin interface list
    • plugin-interface
      • check plugin interface list
    • mysql-plugin
      • check plugin interface list
    • postgresql-plugin
      • check plugin interface list
    • mongodb-plugin
      • check plugin interface list
  • supertokens-node:X.Y
    • check CDI, FDI list
    • dashboard version updating.
    • Why do we override the getPayload and getLastFetch function in allowedDomainClaims?
    • In the changelog, mention the compatible frontend SDKs and core as well.
    • userinfo map bug fix: fix: user info map supertokens-node#651
    • if we do thirdpartyemailpassword init without a provider, it will disable all third party routes. This means that even though a tenant has third party provider, it won’t work - cause all third party routes will have been disabled.
    • mention in the Changelog the changes in FDI spec. Specifically for third party sign in up. Since mobile apps make the call manually. Also, that it doesn’t support older CDIs and older FDIs.
    • Make sure that this is resolved: https://supertokens.slack.com/archives/D03CNFWTP99/p1689342076274879
    • add test to make sure that appId can be used in connectionuri and things work with that.
  • supertokens-golang:X.Y
    • check CDI, FDI list
  • supertokens-python:X.Y
    • check CDI, FDI list
    • test all the providers manually.
  • supertokens-website:X.Y
    • check FDI list
  • supertokens-web-js:X.Y
    • check FDI list
    • check web-js interface version
    • Update dependency version of supertokens-website in package.json from npm registry
    • API calls that require a session (like refresh, email verification token generation, isEmailVerified), should not call the global getTenantId function and just query the path without a tenantId.
    • Add a migration guide to https://github.com/supertokens/supertokens-web-js/blob/master/CHANGELOG.md
  • supertokens-auth-react:X.Y
    • check FDI list
    • check web-js interface version
    • Updated dependencies to use supertokens-web-js in package.json from npm registry
    • Various browsers - Safari, Firefox, Chrome, Edge
    • Mobile responsiveness
    • Make sure using with-typescript example that types are correct for every new configs exposed to users
    • Make sure frontend login UI shows even if backend is not working.
    • ID for allowed domains claims needs to be the same as what's on the backend.
  • supertokens-dashboard
    • Need to make request queue system for all older minor versions of the dashboard as well.
    • Need to add ability to remove and add users to tenants in the dashboard.
    • User permissions
  • Check that all items in this list (feat: thirdparty re-work supertokens-node#471) are done for:
    • nodejs
    • golang
    • python
  • Change CLI to show a temp unavailable message for golang and python
  • Test that the dev credentials work as expected post pushing website to prod.
  • License key should not be required for in memory
  • In backend SDK, we need to verify that the access token is valid for that client ID in the case of client ID + secret flow (we already check the aud for id token)

Others

  • Example apps in create-supertokens-app CLI
  • Examples apps in supertokens-auth-react
  • Examples apps in supertokens-web-js
  • Examples apps in supertokens-react-native
  • Examples apps in supertokens-golang
  • Examples apps in supertokens-python
  • Examples apps in supertokens-node
  • Examples apps in android
  • Example apps in ios
  • Example apps in flutter
  • next.js:canary
  • RedwoodJS and playground-auth
  • Run on netlify (and hence AWS lambda) to check if it works fine there
  • Test on vercel (with-emailpassword-vercel app)
  • SuperTokens Jackson SAML example update
  • Supabase docs
  • Capacitor template app: https://github.com/RobSchilderr/capacitor-supertokens-nextjs-turborepo

📚 Documentation (test site)

  • All recipe main documentation update
  • Code type checking versions are pointing to X.Y
    • jsEnv
    • goEnv
    • pythonEnv
  • Update table schema in mysql / postgresql section for self hosted
  • community documentation update
  • website changes (test.supertokens.io)
    • homepage - remove multi tenancy waitlist section
    • product roadmap page
    • Update API key code snippet in SaaS dashboard
    • Update recipe list and links to the docs for supertokens.com dashboard
  • Check coreinjector putting in right uri with older and newer APIs in prod
  • in the saas dashboard, for the option of Please select your desired Recipe (auth method), you need to also add “Multi login, multi tenant” option, and that should link to the multi tenancy docs.
  • There is a glitch in billing section where the SMS cost section shows for a few seconds, and then disappears.
  • Need to confirm that the react code for submitting the tenantId in “common-domain-login” is correct.
  • Check that cURL commands for creating a saas app are correct (for example, they should use PUT and not POST).
  • For python and golang, in post login email change docs, in method 2, we need to check if the email exists for any tenant that the user is a part of.
  • Check coreinjector putting in right uri with older and newer APIs in prod.
  • In websocket session management, we need to mention that the claims should be checked properly.
  • use the released versions of the sdks in code type checking for all SDKs
  • Fix all golang and python snippets - from branch tp-rework-partial-snippets
  • Verify that the dev credentials for oauth still work - for older and newer versions of the backend sdk. especially for apple login
  • Solve [RELEASE]: Multi tenancy #731 (comment)
  • Make sure that there is no delete button on the saas dashboard in prod.
  • Fix nextjs CLI app
  • In multi tenancy docs, the link to thirdpartyemailpassword points to thirdpartypasswordless in the last doc
  • In post sign up docs, add code snippet for python (api way): https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/handling-signinup-success
  • Write about spinner behaviour in multi tenancy and why it's needed and how to override and style it.
  • In intro of multi tenancy, write about different login methods being supported
  • In common UX flow, where we mention about building the form to ask tenant ID, in vue and angular, actually use vue and angular code instead of react.
  • Add demo app link in docs to live demo for multi tenancy + mention the use of CLI to generate multi tenancy docs.
  • In multi tenancy features, write about flexible tenant discovery
  • sign in up code snippets for python need to be functions and not apis
  • there are also issues where you have syncio and asyncio in python, but both those code tabs are asyncio (for example, in email verification > generate link manually)
  • there are cases in python where the claim.build function is being called without a tenant id - check in all places where build( is there and make sure it passes in tenant id
  • Issues with comments in golang in third party > handling sign in up success where the comment says overriding api, but we are overriding functions
  • GetUsersByEmail in golang has certain places where tenant id and email are flipped. Same thing goes for python
  • Check that getting user info from provider is correctly done, and it shows how to get the first name, last name, access token from the third party provider.
  • Docs for how to change tenants whilst being logged in - checks for if the user belongs to the tenant and calling the createNewSession without the protected props.
  • Docs on common UX flow 3 where user logs in first and then is asked to choose a tenant, or is assigned the non public tenant automatically if there exists just one such tenant.
  • Docs for how to create a new app on our managed service vs in self hosted.

🔥 Production

💻 NPM and core release

  • core
    • supertokens-core:X.Y
    • plugin-interface
    • mysql-plugin
    • postgresql-plugin
    • mongodb-plugin
    • Docker update
      • MySQL
        • check if new env configs need to be added
      • Postgres
        • check if new env configs need to be added
      • MongoDB
        • check if new env configs need to be added
    • try.supertokens.io
      ```bash
      docker rm try-supertokens -f
      docker rmi supertokens/supertokens-postgresql:<VERSION>
      nano ~/try-supertokens/start_container.sh  # update version tag
      ~/try-supertokens/start_container.sh
      ```
    • Update SaaS config
    • Change lambda function to use new slack bot
    • Fix healthcheck to not update instatus if a core can't be found and it was just released.
    • Discuss how we can move a user's prod shared instance to their own dedicated instance for core 6.0
    • Need to limit prod instances to only work with prod SSH keys
    • Update to tables checked for user count / or to know if a deployment is being used or not
    • Update logic for deleting all data in dev env if a new table was added and if the data should be removed from it too
    • Update logic for exporting csv file for registered users
    • Update SaaS instances to use the latest docker images.
    • Change checklist in contributing guide for which tables to pick when migrating data from dev to prod instance.
    • Update license key used for cores to include new feature.
    • Update table schema in mysql / postgresql section for self hosted in docs
    • Update SaaS to monitor for 429s
    • uncomment dangling instance and core instance removal part once we are confident that the cronjobs are identifying the instances correctly
    • Update rate limit for new infra:
      • for shared instance (t3.large):
        • dev 10 rps, 20 burst; nodelay
        • prod: 10 rps, 20 burst; nodelay
      • for dedicated instance (t3.small)
        • dev: 100 rps, 150 burst; nodelay
        • prod: 100 rps, 150 burst; nodelay
    • Confirm the rate limit setting is fine based on demo apps and their RPS.
    • Defragment dev instances of older supertokens core apps - for example, in us-east-1, we still have 56 instances. Why?
  • supertokens-node:X.Y
  • supertokens-golang:X.Y
    • Change CLI to use latest of auth react here too
    • Add support for multi tenancy example
    • Update frontend SDK changelog to mention the right version for this SDK
  • supertokens-website:X.Y
  • supertokens-web-js:X.Y
  • supertokens-auth-react:X.Y
  • supertokens-python:X.Y
    • Change CLI to use latest of auth react here too
    • Add support for multi tenancy example
    • Update frontend SDK changelog to mention the right version for this SDK
  • supertokens-dashboard
  • Clear data button on saas dashboard should only delete for the app and nothing more - not other app, no CUD etc etc.
  • Add in docs for frontend SDK that if using python or golang, use the older versions.
  • change multi tenancy title in guides to have organizations in the name

📚 Documentation

  • Pushed to production
  • Post message on discord about new update
  • Post release of golang and python sdk on discord
  • Updated swaggerhub FDI spec
  • Update frontend-driver-interface repo
  • Updated swaggerhub CDI spec
  • Update core-driver-interface-repo
  • Updated dashboard spec on swaggerhub
  • Update dashboard spec
  • Update internal contributing guide to move from previous core version to the latest one
  • Algolia search update for docs
  • robots.txt, sitemap.xml, noindex page update
  • Auto generate release note on github:
    • supertokens-core
    • supertokens-plugin-interface
    • supertokens-mysql-plugin
    • supertokens-postgresql-plugin
    • supertokens-mongodb-plugin
    • supertokens-node
    • supertokens-golang
    • supertokens-python
    • supertokens-website
    • supertokens-web-js
    • supertokens-auth-react
    • supertokens-dashboard
  • Add CLI example app for multi tenancy - we need to complete vue and angular frontends, and those will implement the tenantId form in vue and angular respectively.
  • Remove the page reload stuff in the CLI example apps after releasing the auth-react update
  • Finish all saas changes: https://github.com/supertokens/backend/issues/275
  • All changes mentioned here: [RELEASE]: Multi tenancy #731 (comment)

@rishabhpoddar
Member Author

rishabhpoddar commented Jul 19, 2023

changes to docs / auth react flows

docs: https://test.supertokens.com/docs/thirdpartyemailpassword/common-customizations/multi-tenancy/common-domain-login (pre built ui)

  • We need to refresh the page once the tenantID has been submitted
  • We need to not clear the tenant ID in useEffect and read from that when initialising TenantLoginPage
  • getRedirectionURL can directly redirect to a different sub domain.
  • Instead of rendering the <SignInAndUp /> component in TenantLoginPage, we should use the getRoutingComponent - to confirm that, it still uses react router dom in case getSuperTokensRoutesForReactRouterDom is called in the main router of the app.
  • Need to also say to clear tenantId in onHandleEvent for SIGN_OUT or UNAUTHORISED.
  • If react router dom is being used, we should tell users to remove that from the app.js.
  • Remove the step for disabling the default UI in step 2

https://test.supertokens.com/docs/thirdpartyemailpassword/common-customizations/multi-tenancy/sub-domain-login (pre built ui):

  • Indentation of getTenantId is not proper.

In both the UX flows:

  • Instead of adding hasAccessToCurrentDomain to each session auth (pre built UI), we should add it to the global session.init override.
  • Instead of adding hasAccessToCurrentDomain in shouldLoadRoute (custom UI), we should add it to the global session.init override.

auth-react SDK:

  • if reset password (or any other) route is loaded even though the current tenant doesn't have the associated recipe enabled, it should not throw an error. Instead, it should redirect to the auth screen.
  • canHandleRoute should only depend on the static list of recipes that are initialised and nothing else. In case, this returns true, but the tenant has not enabled that recipe, then it will just cause a redirection to the auth page (see point above)
  • add a new optional param getSuperTokensRoutesForReactRouterDom like getSuperTokensRoutesForReactRouterDom(reactRouterDom, [...], "/auth")

TODO later

docs: https://test.supertokens.com/docs/thirdpartyemailpassword/common-customizations/multi-tenancy/common-domain-login (pre built ui)

  • Add a part about clearing the current tenant ID in TenantLoginPage (giving the user a button to change tenant id)
  • Update with-one-login-many-subdomains to not reload the page

auth-react SDK:

  • We don't want to call getLoginMethods when the sdk is initialised and want to delay that to when pre built UI is rendered. We will show a spinner while that's being called (if more than 200 ms has lapsed, or just show a white screen). This should eliminate the need for manual page refresh in TenantLoginPage component.
  • Revisit the disableDefaultUI config and how it works when useDynamicLoading is set to true.
    • As a side task, check how example apps like splitting sign up / in UI will work in the case of multi tenancy
  • Improve the example of examples/with-one-login-many-subdomains to have some UI which allows users to change the current tenant ID during login.
  • When calling the generateEmailVerifyTokenPOST we do not need to pass a tenantId in the path
  • When calling the isEmailVerifiedGET we do not need to pass a tenantId in the path.
  • We should consider adding a function like supertokens.hasTenantBeenSpecifiedByUser() in the auth-react SDK which would return true if the getTenantId function returns a string value, or a session exists, or the current path has a tenantId query param - this would make it easier for users to build the AuthPage UI in the common UX 1 flow.
  • Google workspaces button in pre built UI doesn't look fine since the width is too small
  • We cache the loginMethods per tenant, and we always call getTenantId function (wherever applicable) instead of reading the tenant ID from some cache. So this means, that if the tenantID is changed (from the return of getTenantId), the next time any feature component is rendered, we will show the login methods based on the new tenantId (either from the cache, or by fetching over the network).

@rishabhpoddar
Member Author

rishabhpoddar commented Jul 21, 2023

Things to do after pushing to prod:

  • Check that links on docs cross recipe work (multi tenancy recipe points to right docs, user roles post sign up point to right docs)
  • Replace backend secrets properly
  • Replace slack bot (posts correctly to server error)
  • Check CLI example work
  • Check dev credentials flow work for google and apple
  • new app creation work
  • supertokens.com dashboard works fine

@nkshah2
Contributor

nkshah2 commented Aug 8, 2023

Golang SDK feedback:

  • multitenancy.CreateOrUpdateThirdPartyConfig should have skipVerification as optional - DONE
  • CHANGELOG should mention changes in APIInterface that are breaking for users who are overriding APIs - WAS ALREADY DONE
  • CHANGELOG mentions Adds optional param tenantId to GetUserCount which returns total count across all tenants if not passed. but tenant id is not optional - CHANGELOG is correct as we use pointers for optional params.
  • getUsersThatHaveRole Does not seem to be using tenantId in any way - DONE
  • FromUserInfoAPI in tpmodels.TypeUserInfoMap has an inline type declaration - DONE

```go
type TypeUserInfoMap struct {
	FromIdTokenPayload struct {
		UserId        string `json:"userId,omitempty"`
		Email         string `json:"email,omitempty"`
		EmailVerified string `json:"emailVerified,omitempty"`
	} `json:"fromIdTokenPayload,omitempty"`
	FromUserInfoAPI struct {
		UserId        string `json:"userId,omitempty"`
		Email         string `json:"email,omitempty"`
		EmailVerified string `json:"emailVerified,omitempty"`
	} `json:"fromUserInfoAPI,omitempty"`
}
```

From a user's point of view this typing is very ugly

```go
UserInfoMap: tpmodels.TypeUserInfoMap{
	FromUserInfoAPI: struct{UserId string "json:\"userId,omitempty\""; Email string "json:\"email,omitempty\""; EmailVerified string "json:\"emailVerified,omitempty\""}{
		UserId:        "id",
		Email:         "email",
		EmailVerified: "email_verified",
	},
},
```

We should declare another type which is then used for both FromUserInfoAPI and FromIdTokenPayload

  • CHANGELOG should mention a breaking change for UnknownUserIDError being renamed to UnknownUserIdError - DONE
Updated return type of GetEmailForUserId in the EmailVerification recipe config. It should now return OK, EmailDoesNotExistError or UnknownUserIDError as response.

Should be updated to rename UnknownUserIDError to UnknownUserIdError
