Improvements list

[rishabhpoddar]

• [ ] fix aws lambda docs:
  • [ ] using with .mjs
  • [ ] the docs say to create a POST request handler, but thats not true, we need to create an ANY request handler
• [x] in nextjs, getServerSideProps, if a user wants to forward the request to their other API, how can we do that.
• [ ] When using multiple tabs or going back and forth its not very obvious what recipe you are currently viewing, its not intuitive to look at the nav bar for this - One way to help with this is to associate colors with recipes and then instead of the entire page being black some parts of the page can use the recipe colors
• [x] Do no keep showing the appInfo forms everywhere in the quick setup -it can be intimidating for users. Instead, just show it once and then show all the code snippets. We still want to keep showing the code snippets with placeholders.
• [x] Python docs section, it is not pointing to the python repo.
• [x] The grouping of blog page is not that good.
• [x] Session blog post images can be made of higher quality.
• [ ] Add integration guides with casbin, permit.io, oso (for authorisation)
• [x] Extract demo apps into separate folder and show how to clone them, or get started with them easily.
• [x] Improve example apps to add more basic functionality and boilerplate code
• [ ] When hovering on answer for prebuilt UI and custom UI, we should have a small tooltip explaining what those mean.
• [ ] Add obut remix run support: https://github.com/ITenthusiasm/remix-supertokens
• [ ] Add a page like https://www.ory.sh/docs/hydra/concepts/before-oauth2
• [ ] Need to say that no customisations need to made to the core to fit your business use case
• [x] Add docs for how to use getSession in server side rendering situations
• [x] How to auth with websockets
• [ ] Change https://supertokens.com/docs/emailpassword/common-customizations/signup-form/adding-fields#handle-form-fields-on-successful-sign-up to also add the signUpFeature part from the previous code snippet. And also include how to add those to the user metadata object
• [x] Update / delete user info in passwordless + thirdpartypasswordless recipe
• [ ] Add about how to update user's phone in passwordless
• [ ] example of how to deploy on heroku
• [x] Add example for CORS and issues related to it
• [ ] make it clear that we can use multiple recipes at once , that was a bit confusing joining the bits and pieces
• [ ] Add demo app section in left nav bar instead of in the about page. Also link to the auth-react examples directory.
• [ ] In the self hosted docker setup page, add about all the env vars and what they mean.
• [ ] In protecting website route, add about NextJS specifically.
• [ ] In adding axios interceptors, add a disclaimer that if you are using nuxt, not to use nuxt/axios, but use normal axios
• [ ] In SDK reference docs, check if this is the first time that the user is visiting a docs page, and if it is, show a top banner guiding them to the right place.
• [ ] Link hasura video in the hasura tutorial (https://www.youtube.com/watch?v=sgicweOyDyk&ab_channel=Hasura) until (33:36)
• [ ] Add helm chart to docs: https://github.com/voidstack-io/charts/tree/main/charts/supertokens
• [x] In axios / fetch code snippet tab, add httpclient tab too, and say that it's not supported and to use fetch / axios instead.
• [ ] In section for getSession, show how to catch try refresh token exception and send a 401
• [x] Add page for how to change password for a user
• [ ] (Kubernetes docs) https://github.com/supertokens/supertokens-core/issues/358
• [x] In custom OAuth provider, add about buttonComponent to render custom button style
• [ ] In connecting to mysql, say that you need to create a new user that listens on all interfaces (since root user doesn't and then you get https://stackoverflow.com/questions/1559955/host-xxx-xx-xxx-xxx-is-not-allowed-to-connect-to-this-mysql-server)
• [ ] How to enable material design (by disabling shadow dom)
• [x] Passwordless auth0 migration guide
• [ ] Add why we chose this type of architecture as opposed to another type.
• [ ] Add about healthcheck API (/hello) in the self hosted section of the core.
• [ ] create a page for webhook
  • make algolia point to override if someone searches for webhook
  • change blog for API customisation to have webhook in it
• [ ] https://github.com/supertokens/docs/issues/187 (deploying supertokens docker image on heroku)
• [x] Adding support for mobile apps with reset password and email verification links
• [ ] nuxtjs guide (for sessions only)
• [ ] querying the core and backend APIs with postman
• [ ] In testing, have a separate page for "Testing the core", "Testing the backend SDK"
• [ ] In testing with postman section, write in big important tooltip that these are APIs exposed by our backed SDK and not by our core.
• [x] NestJS guide, link to setting up core as well.
• [ ] Add how to disable UI that we provide
• [x] Move getting social provider's access token into its own page
• [x] Handling general errors in all frameworks
• [x] Move some of the sign up form section for tpep and tp into its own section (those that are related to providers)
• [ ] Show breaking version code snippets for languages in their tabs
• [ ] Python overrides, say how to get the param types of the function.
• [x] Explain concepts like CDI, FDI, Recipe interfaces, API interfaces earlier in the docs (outside of advanced customisations)
• [ ] The need for reverse proxy if api domain and website domain have totally different TLDs (and how to easily setup such a proxy - just add a DNS entry that points to the API server, per frontend domain)
• [ ] In the /community/introduction page we explain how we have partial support for some stacks. In the implementation calls people assume that means for stacks other than ReactJS it will be too much work to integrate. We should change the wording to say "We support both UI and Logical for ReactJS" and "Only logical support for other stacks" (Not exactly but something along those lines).
• [ ] How to: Third party flow with react native
• [ ] Add production checklist
• [x] Add typing for request object post session verification for express and others.
• [ ] Fix showing redundant text in website and react native tabs in pages like https://supertokens.io/docs/thirdpartyemailpassword/advanced-customizations/frontend-functions-override/usage
• [ ] In frontend and backend tabs, also add a cURL section
• [ ] Change testing of backend quick setup to a curl command instead of go to /auth on website... (create a new API for status in FDI)
• [ ] Using without ReactJS UI docs are not good.
• [x] Simpler architecture diagram
• [ ] Mentoin the word "auth0 action" in override
• [ ] We do not know the website domain and api domain for netlify. So what value would users provide in there?
• [ ] [Possible approach] Move getting started to introduction (Firebase model) [Recipes become landing page and then everything else is under recipes]
• [ ] [Possible approach] Single recipe approach (Problem will be how to document configuring that one recipe and enable/disable features)
• [ ] [Possible approach] supertokens.io will have two options in the navbar "Guide" and "API Reference". Guide will take you to implementation docs, API reference will take you to SDK and API reference docs
• [ ] Add about how to disable sign up
• [ ] State on website / docs that we support cockroachDB as well.
• [ ] In backend quick setup step 2 (recipes with third party login), people either miss the section about getting client id + secret for third party providers or get confused on what part is focussed (Highlighted text vs orange link). Configuring the third party clients can becomes its own step after initialisation to solve the first part. For the second part we should make it more clear that each client has 2 steps involved (Following the docs and configuring the callback url)
• [ ] Frontend quick setup step 3, example code for usage without router-dom should include sample for functional components as well
• [ ] A lot of people read "Free forever" and click download without realising Saas is free as well.
• [ ] Make all code in quick setup minimal
• [ ] In "Self-hosted without Docker" page, mention to run supertokens --help to see if it is installed correctly. Also mention the location of the config.yaml file, and that the zipped and unzipped folder can be deleted.
• [ ] Consider renaming backend middleware to something more appropriate.
• [ ] Make it clear somehow that if using nextjs only for frontend (and not the API), you can follow the quick setup guide.
• [ ] Add docker-compose file for docker images
• [ ] IMPORTANT: Add NextJS docs for session?
• [ ] Add about using react component override to add custom sign up fields which we don't support (for example a drop down selector)
• [ ] https://workos.com/blog/great-documentation-examples
• [ ] Session docs improvements: https://docs.google.com/document/d/1IrI7cQqza-n5-0yx2T-2iZ2YhbgRi3lBYCHxile4cfY/edit#
• [ ] Document all the functions exposed by the recipes
• [ ] Write about vertical and horizontal scaling: https://discord.com/channels/@me/831194730171859004/831402863388917761
• [ ] NextJS docs -> use redirect links (like supertokens.io/nextjs) instead of directly linking to github
• [ ] Separate API reference docs and main docs
• [ ] Have a section about recipe vs guide like this: https://v3.vuejs.org/cookbook/#the-cookbook-vs-the-guide
• [ ] Add more comments in nextJS docs regarding configuration part
• [x] https://github.com/supertokens/main-website/issues/375
• [ ] Make getting started left pane and common customisation left pane very very visible and obvious that users need to click on it:
  • Maybe expand it 1/4th way or something by default and with a ... indicating there is more
• [ ] Session docs improvements: https://docs.google.com/document/d/1IrI7cQqza-n5-0yx2T-2iZ2YhbgRi3lBYCHxile4cfY/edit#
• [ ] Write about serverless execution
  • [ ] vercel: https://github.com/supertokens/supertokens-node/issues/118
  • [ ] firebase functions
• [ ] Add about if you want to wrap your whole app in an auth wrapper, how to do it.
• [ ] Add about using react component override to add custom sign up fields which we don't support (for example a drop down selector)
• [ ] In NextJS configuration docs, importing google, facebook on frontend and backend in the file causes an issue when copy / pasting. Need to fix that
• [ ] Write about vertical and horizontal scaling: https://discord.com/channels/@me/831194730171859004/831402863388917761
• [ ] https://github.com/supertokens/supertokens-core/issues/386#issuecomment-1653926580
• [ ] Multi tenancy related
  • [ ] Common UX flow 3 where users sign in via public tenant and then org is created where they are moved to
  • [ ] Switching tenants whilst being logged in
  • [ ] Associating and disassociating user with multiple tenants.
• [x] User impersonation docs.
• [ ] Another piece of feedback is that I did run into some hiccups for setting up auth for nextjs. Main reason is the docs have nextjs as an integration in a later subsection as opposed to the getting started iirc
• [ ] In email password migration docs, mention that a domain change will mean existing password managers will stop working.
• [ ] Add docs for emailpassword, thirdparty and passwordless login.
• [ ] For mobile docs, have a section on how to do it via web browser based login.
• [ ] Add for changing of phone number in passwordless recipe (similar to how we have changing of email)
• [ ] Add docs for overriding shouldDoInterception in sharing across multiple api domains (https://discord.com/channels/603466164219281420/1174223672257564763/1174238268167032853)
• [ ] Email password + passwordless docs
• [ ] Implement migrateto.supertokens.com which asks a bunch of questions and gives step by step process in simple terms.
• [ ] Add about RPS limit in the migration section.
• [ ] Add in consume code, custom UI docs that if using in react strict dev mode, it can be called twice, causing the second time to fail.
• [ ] Move Multi tenancy to somewhere closer to the top in the docs
• [ ] Add SCIM docs
• [ ] Change multi tenancy to Enterprise SSO
• [ ] Add about unit testing and mocking: https://github.com/supertokens/docs/issues/5#issuecomment-1854648050
• [ ] Add docs for jwt verification with proper caching in golang and python as well (like how we do in our sdk - accounting for key change and all).
• [ ] docs for adding custom framework support for node sdk
• [ ] In password migration docs, mention how to tackle SHA + salt password hashes
• [ ] Add about custom window and cookie handler on the frontend.
• [ ] What to do if the userContext doesn't have the request object? When can that happen and how to solve for that?
• [ ] Writing testing docs fro mocking the core and session
• [ ] In nextjs integration guide, for frontend page route protection, also mention that you can add this to the layout file too.
• [ ] https://discord.com/channels/603466164219281420/1189837683736985650/1189906690804559913
• [ ] I noticed some documentation that could be improved. Postgres 15+ differentiates privileges from schema access for users and now requires the extra sql statement GRANT ALL ON SCHEMA public TO supertokens_user; Also, the docker commands to run super token core define a port which is discarded when in host network mode. I instead wrote this command, which works for a local windows setup docker run -p 3567:3567 -e POSTGRESQL_CONNECTION_URI="postgresql://supertokens_user:somePassword@host.docker.internal:5432/supertokens" -d registry.supertokens.io/supertokens/supertokens-postgresql. Hope this helps and super tokens is an awesome tool!
• [ ] The multiple client types can be confusion for third party config.,
• [ ] Add manually creating a new session docs to other recipe docs too + in that doc, mention how the frontend manages those tokens automatically via our interceptors.
• [ ] for mobile snippets, add an fdi-version header in the curl command pointing to the latest version.
• [ ] In session verification with JWT, we should say that the signing keys can change and so you should invalidate the cache when you see an access token thats not signed by the current set of keys
• [ ] In migration, we need to also say what steps customers of customers need to take in terms of enterprise SSO
• [ ] Add about JWT verification in python using a lib: https://gist.github.com/rishabhpoddar/ea31502923ec9a53136371f2b6317ffa (similar to how we have a guide for node backend)
• [ ] Migrating out of supertokens - we give db copy on request. Migrating from self hosted to managed and vice versa

[rishabhpoddar]

About unit testing docs

The most common way to do this is to spin up a supertokens core in a docker image using the in memory db. During each test, you would create a new app in the core (https://supertokens.com/docs/multitenancy/new-app) which would essentially create a fresh db for you for that test, and then at the end of the test, you would delete this app. The app ID to use during each test would be the same. This feature is free to use with the in memory db.

If you do not want to spin up a core, then the other way is to override all the recipe functions for the recipes use. For example, below is a snippet for how to mock the updateEmailOrPassword function in the thirdpartyemailpassword recipe:

let userIdInfo: {
    [key: string]: {
        email: string,
        password: string
    }
} = {};

ThirdPartyEmailPassword.init({
    override: {
        // notice that we do not override the apis prop, and just the functions prop. 
        // this is done cause only the functions in the functions prop call the core.
        functions: (oI) => {
            return {
                ...oI,
                updateEmailOrPassword: async (input) => {
                    if (process.env.TEST) {
                        let existingUser = userIdInfo[input.userId];
                        if (existingUser === undefined) {
                            return {
                                status: "UNKNOWN_USER_ID_ERROR"
                            };
                        }
                        userIdInfo[input.userId] = {
                            password: input.password ?? existingUser.password,
                            email: input.email ?? existingUser.email
                        }
                        return {
                            status: "OK"
                        }
                    } else {
                        return oI.updateEmailOrPassword(input);
                    }
                }
            }
        }
    }
})

And then your API calls can just call the SDK functions as usual and it would work without querying the core. A few functions cannot be overriden, and those are present here: https://github.com/supertokens/supertokens-node/blob/13.4/lib/ts/index.ts.

As per the mocking the session object, you can override the session recipe as follows:

Session.init({
    override: {
        functions: (oI) => {
            return {
                ...oI,
                getSession: async (input) => {
                    if (process.env.TEST) {
                        const userId = input.req.getHeaderValue("access_token");
                        if (userId === undefined) {
                            return undefined;
                        }
                        return {
                            getAccessToken: () => "",
                            getAccessTokenPayload: () => null,
                            getExpiry: async () => -1,
                            getHandle: () => "",
                            getSessionData: async () => null,
                            getTimeCreated: async () => -1,
                            getUserId: () => userId,
                            revokeSession: async () => { },
                            updateSessionData: async () => { },
                            mergeIntoAccessTokenPayload: async () => { },
                            updateAccessTokenPayload: async () => { },
                            assertClaims: async () => { },
                            fetchAndSetClaim: async () => { },
                            getClaimValue: async () => undefined,
                            setClaimValue: async () => { },
                            removeClaim: async () => { },
                        }
                    } else {
                        return oI.getSession(input)
                    }
                },
                createNewSession: async (input) => {
                    if (process.env.TEST) {
                        // we set a mock access_token in the header which is the userId
                        input.res.setHeader("access_token", input.userId, false)
                        return {
                            getAccessToken: () => "",
                            getAccessTokenPayload: () => null,
                            getExpiry: async () => -1,
                            getHandle: () => "",
                            getSessionData: async () => null,
                            getTimeCreated: async () => -1,
                            getUserId: () => input.userId,
                            revokeSession: async () => { },
                            updateSessionData: async () => { },
                            mergeIntoAccessTokenPayload: async () => { },
                            updateAccessTokenPayload: async () => { },
                            assertClaims: async () => { },
                            fetchAndSetClaim: async () => { },
                            getClaimValue: async () => undefined,
                            setClaimValue: async () => { },
                            removeClaim: async () => { },
                        }
                    } else {
                        return oI.createNewSession(input)
                    }
                }
            }
        }
    }
})

Here we set the response object to have a header called access_token which is the userId when a new session is created. And then we override the getSession function to read this header and return the session object based on the userId. This is just an example, you can do whatever you want here. We do not override the refreshSession function cause I assume that during unit testing, you won't really run into that scenario.