Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Should recipe check for enabled recipes in the core

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, sattvikc
Proposed by:
sattvikc
Created:
2022-12-08

Context and Problem Statement#

Multitenancy recipe now supports enabling and disabling of recipes per tenant. But the recipes are also initialized statically in the Supertokens init.

Should each of the recipe check if the recipe is enabled in the core?

Considered Options#

  • Recipe should not check
    • API Should not check
    • Functions should not check
  • Recipes should check
    • API should check
    • Functions should not check

Reason why we don't check in the functions is because it allows the user to use the functions even if that recipe is not enabled for that tenant. This makes the dev experience is better. Furthermore, it does not pose any security risk since these recipe functions are not exposed publicly. However in the case of APIs, we need to check if the recipe is enabled for the tenant because they are publicly exposed and want to avoid a situation in which a tenant can sign up, for example, with emailpassword even though that recipe is not enabled for them in the core.

Decision Outcome#

Chosen option: Recipes should check, because

  • This will ensure consistency in behaviour as per user configuration and SDK behaviour

Pros and Cons of the Options#

Recipes should not check#

Recipes APIs don't check for this flag, and, all the statically configured recipes will function as defined, even if the user has disabled them in the core.

  • Inconsistent SDK behaviour with the user configuration. For example, a user might be able to create an emailpassword account and use the application, which a particular tenant intends to disable, just because it was statically declared for use with a different tenant.

    • Recipes should check#

    The recipe APIs check if the recipe is enabled in the core and then continue it's execution

    • Checks are performed in the recipe APIs as it is public facing and pose security risk
    • Checks are not performed in the recipe functions as they are not public facing and are only used internally
  • Consistent SDK behaviour with the user configuration
    • Which frontend SDK do you use?
    supertokens-web-js / mobile
    supertokens-auth-react