Supertokens - get userid by user email - authorization

Using supertokens (hosted), is there a direct way to query the userId of another user by email? The only solution I found was to fetch all users and search for it, which is obviously not efficient.

Depending on the recipe and the SDK you use, there are functions available for that. For example, with the NodeJS SDK, you have:
EmailPassword recipe
getUserByEmail
ThirdParty recipe
getUsersByEmail (notice that this will return an array of users since you can have multiple users sign up with the same email, but different OAuth providers)
Passwordless recipe
getUserByEmail (This function will return Promise<undefined> if the user doesn't exist, if if they had used phone number to sign up)
ThirdPartyEmailPassword
getUsersByEmail
ThirdPartyPasswordless
getUsersByEmail
Other SDKs
For other backend SDKs, you can check out their docs:
Python SDK -> choose your recipe -> choose either asyncio or syncio module (depending on your web framework execution env) and then you will see a list of functions exposed by that recipe. One of them will allow you to get the user from their email.
Golang SDK -> click on the "recipe" item, choose your recipe, and you will see a list of functions exposed by that recipe. One of them will allow you to get the user from their email.
Using the SuperTokens Core APIs directly
In the API Spec, you can see sections for each recipe. Depending on how the user signed up, you can query that /recipe/user GET API with their email as a query param. Be sure to pass in the correct rid header in the GET request.

Related

How should I implement user authentication/roles for an Electron desktop app?

I'm designing the architecture for a college project and I don't know how to deal with the user authentication and authorization part of it. The project is a desktop Electron app which would need two types (hence the roles) of users. They both need to be authenticated in order to use the app, and depending on their identity, they will have different authorizations. Since the project is meant to be used by teachers and students as part of a laboratory class after it is done, I don't think more than 30 people will be using it at the same time.
My first thought was using a PostrgeSQL database in AWS for this and implementing the authentication myself, but this means that users will have to sign up and create a new profile, which means remembering yet another <username/email, password>. Trying to avoid this, I read a bit about OAuth 2.0 and OIDC, and how it can be used to authenticate and authorize users without implementing either of those tasks oneself, but rather delegating the task to OIDC. I created a free account with Auth0 and thought about using it for the OIDC integration but after reading about 40 pages of an "OIDC integration handbook" they offer for free, I could not know if I would be able to distinguish my user base through these roles or tags as I mentioned. I just followed the steps in the tutorial handbook and tried to understand how the auth flow worked, but that didn't give me any information on my question.
So all in all what I want to know is: is it possible to implement this with Auth0 (free account) without having to use a third-party database solution (such as PostgreSQL with AWS)? If not, what would you recommend me to look into? Preferrably a solution that will let me discriminate between the two types of users BUT at the same time taking advantage of the OIDC implementation of Google for example.
There are 2 separate solutions here:
DESKTOP AUTHENTICATION
The 2 standard requirements are:
Use Authorization Code Flow (PKCE)
Login via System Browser
You listen for a login response via one of these mechanisms (I prefer the latter):
Loopback web server
Private URI scheme OS notification
My blog has some tutorials + code samples that use Electron. You can run both of the above listening options and see what you prefer.
API AUTHORIZATION WITH ROLES
You need to make roles available to the API via claims. This can be done by either of these mechanisms (I prefer the latter):
Including roles in access tokens via Auth0
Get the API to read user roles from its own database
My Authorization blog post discusses building up a claims object in an easy to extend way. The main objective is usually for API OAuth processing to result in an object something like this:
class UserPrincipal {
// The technical user id from the access token
string sub;
// The user id from your own database
string userId;
// The user's roles
string[] roles;
}
Given that object you can do things like this:
Use role based authorization when needed
Serve up user resources after login from your application data
TO SUMMARISE
Auth0 will meet some of your requirements and may be all you need in the early days. You will probably need to manage non OAuth user data in your API at some point though.
Happy to answer any follow up questions ..

how to retrieve templates for different user accounts

I have one account in docusign which has 3 users for it. We have a requirement of retrieving templates of users for that account. The Template:List API is retrieving all the templates of the account. There is also one path parameter named user_id but it is not retrieving the templates of particular user account instead it is retrieving all templates.
Is there any way through Rest API we will retrieve list of templates of user account?
If there Please provide the Rest API details or link.
From my own testing, it appears you're right. This could be a bug, I'm not sure and I'll follow up but this may take time.
Two possible workaround.
Make the API call in the context of the user that you wish you get templates. Basically, you'll need to obtain an accessToken for the API for that user. With JWT that is very simple, just use the userID when you ask for the token (but you do have to get consent).
Filter the list of templates you get. The list does include information about the owner of the template (again, userID) but you'll get all of them and have to do the work to find the ones you want.
(Update 5/26/2020: confirmed with engineering this is a bug. It is tracked under TT-3290).
(Update 6/23/2020: bug was resolved, will be deployed shortly)

Slack Enterprise list all files/conversations

is it possible to list all of the conversations in my slack organization using the API?
Or for the very least, within a workspace.
When I tried calling the "conversations.list" endpoint using a token with an enterprise token, I got an "enterprise_is_restricted" error.
When I invoked the same endpoint with a workspace token, I got a list of all of the public channels, and IM's that I'm a member of, but private conversations that my user (the primary owner) is not a member of were not retreived. Now it makes sense that I wouldn't be able to read them, but I'm looking for a way to list them, to get their name and members basically.
And than with files. I got the same "enterprise_is_restricted" error when I used my enterprise app token, and when I used a specific workspace token, I only got files that were shared with me. I want to be able to keep track of what files are being shared and with whom (for information security reasons), so this is very problemetic for me.
Yes it is possible. The following should give you at least permissions to all conversations within the workspace.
Generate an OAuth Access Token for your Slack app
Go to api.slack.com to set permissions for it. This particular method needs the following scopes: "channels:read,groups:read,mpim:read,im:read"
Install/reinstall the app and use that OAuth token to access your list of conversations

Adding arbitrary objects in the OpenFire Session

We have an existing OAuth2 based website. Our plan is to use a web based (XMPP over websockets) chat system.
now this chat system will be available once the user logs in. What we actually do not want is to login twice, once for the web site and once for the chat system.
So I figured how to trick it with my own auth provider and a custom username/password.
So basically the question is how do I have an object that I want to travel along with the user chat session so that I can provide out of band processing.
Does the session management allow this?
In a similar use-case, there I need to persist and store various pieces of information about a user, in Openfire, so that external calls and look-ups are not necessary during later, custom logic in an Openfire plugin. It is possible to add any number of custom properties to an openfire user, via REST, or other APIs.
Then, those custom properties can be retrieved as needed, without external calls.
create user api
Then, if using Internal APIs, you get
Get the session's username or address (JID)
call UserManager's getUser on the username or JID to get the User object
call User's getPropertyValue to get a specific property or getProperties to retrieve all custom user properties

When connecting to an API do I need an access token per each user using my application?

I'm connected to an API that provides information about cars based on their registration. According to the docs the api can provide both user specific data and general data about the registration supplied.
I am using the connection method which does require specific users data, and therefore does not require me to gain access to any specific users account.
On my end users will visit my application and enter a registration number which I will use to call the API and return all of the information about the car.
Am I right in my thinking that my application is essentially the 'user' as far as the api is concerned, and I will only need to use one access token. I can then use this access token to make multiple API calls (one for each user that searches on my application)?
Or will i need to set up an access token for each user that visits my application and treat them separately.
Only your application making the API requests requires a token, unless the licence agreement/documentation of this car API says otherwise.
As far as your users are concerned, your application is just magically sourcing the registration info from its database.