feat: add Before & After user created hooks

Add Before & After user created to pkg internal/hooks/v0hooks.

Author: Chris Stockton

internal/hooks/v0hooks/manager.go

@@ -58,11 +58,33 @@ func configByName(
 		return &cfg.MFAVerificationAttempt, true
 	case PasswordVerification:
 		return &cfg.PasswordVerificationAttempt, true
+	case BeforeUserCreated:
+		return &cfg.BeforeUserCreated, true
+	case AfterUserCreated:
+		return &cfg.AfterUserCreated, true
 	default:
 		return nil, false
 	}
 }
 
+func (o *Manager) BeforeUserCreated(
+	ctx context.Context,
+	tx *storage.Connection,
+	req *BeforeUserCreatedInput,
+	res *BeforeUserCreatedOutput,
+) error {
+	return o.dispatch(ctx, &o.config.Hook.BeforeUserCreated, tx, req, res)
+}
+
+func (o *Manager) AfterUserCreated(
+	ctx context.Context,
+	tx *storage.Connection,
+	req *AfterUserCreatedInput,
+	res *AfterUserCreatedOutput,
+) error {
+	return o.dispatch(ctx, &o.config.Hook.AfterUserCreated, tx, req, res)
+}
+
 func (o *Manager) InvokeHook(
 	conn *storage.Connection,
 	r *http.Request,

internal/hooks/v0hooks/manager_test.go

@@ -13,6 +13,7 @@ import (
 	"github.com/supabase/auth/internal/e2e"
 	"github.com/supabase/auth/internal/hooks/hookshttp"
 	"github.com/supabase/auth/internal/hooks/hookspgfunc"
+	"github.com/supabase/auth/internal/models"
 )
 
 type M = map[string]any
@@ -31,9 +32,13 @@ func TestHooks(t *testing.T) {
 	mr := NewManager(globalCfg, httpDr, pgfuncDr)
 	now := time.Date(2024, time.January, 1, 0, 0, 0, 0, time.UTC)
 
+	httpReq := httptest.NewRequestWithContext(
+		ctx, "GET", "http://localhost/test", nil)
+
 	type testCase struct {
 		desc   string
 		setup  func()
+		run    func(*testCase, *Manager) error
 		sql    string
 		req    any
 		res    any
@@ -218,6 +223,122 @@ func TestHooks(t *testing.T) {
 				$$ language plpgsql;`,
 		},
 
+		{
+			desc: "pass - before_user_created",
+			setup: func() {
+				globalCfg.Hook.BeforeUserCreated =
+					conf.ExtensibilityPointConfiguration{
+						URI: `pg-functions://postgres/auth/` +
+							`v0hooks_test_before_user_created`,
+						HookName: `"auth"."v0hooks_test_before_user_created"`,
+					}
+			},
+			run: func(tc *testCase, mr *Manager) error {
+				return mr.BeforeUserCreated(
+					ctx, db,
+					tc.req.(*BeforeUserCreatedInput),
+					tc.res.(*BeforeUserCreatedOutput),
+				)
+			},
+			req: NewBeforeUserCreatedInput(httpReq, &models.User{}),
+			res: &BeforeUserCreatedOutput{},
+			exp: &BeforeUserCreatedOutput{},
+			sql: `
+				create or replace function
+					v0hooks_test_before_user_created(input jsonb)
+				returns json as $$
+				begin
+					return '{}'::jsonb;
+				end; $$ language plpgsql;`,
+		},
+
+		{
+			desc: "pass - before_user_created reject",
+			setup: func() {
+				globalCfg.Hook.BeforeUserCreated =
+					conf.ExtensibilityPointConfiguration{
+						URI: `pg-functions://postgres/auth/` +
+							`v0hooks_test_before_user_created_reject`,
+						HookName: `"auth"."v0hooks_test_before_user_created_reject"`,
+					}
+			},
+			run: func(tc *testCase, mr *Manager) error {
+				return mr.BeforeUserCreated(
+					ctx, db,
+					tc.req.(*BeforeUserCreatedInput),
+					tc.res.(*BeforeUserCreatedOutput),
+				)
+			},
+			req: NewBeforeUserCreatedInput(httpReq, &models.User{}),
+			res: &BeforeUserCreatedOutput{},
+			exp: &BeforeUserCreatedOutput{Decision: "reject"},
+			sql: `
+				create or replace function
+					v0hooks_test_before_user_created_reject(input jsonb)
+				returns json as $$
+				begin
+					return '{"decision": "reject"}'::jsonb;
+				end; $$ language plpgsql;`,
+		},
+
+		{
+			desc: "pass - before_user_created reject with message",
+			setup: func() {
+				globalCfg.Hook.BeforeUserCreated =
+					conf.ExtensibilityPointConfiguration{
+						URI: `pg-functions://postgres/auth/` +
+							`v0hooks_test_before_user_created_reject_msg`,
+						HookName: `"auth"."v0hooks_test_before_user_created_reject_msg"`,
+					}
+			},
+			run: func(tc *testCase, mr *Manager) error {
+				return mr.BeforeUserCreated(
+					ctx, db,
+					tc.req.(*BeforeUserCreatedInput),
+					tc.res.(*BeforeUserCreatedOutput),
+				)
+			},
+			req: NewBeforeUserCreatedInput(httpReq, &models.User{}),
+			res: &BeforeUserCreatedOutput{},
+			exp: &BeforeUserCreatedOutput{Decision: "reject", Message: "test case"},
+			sql: `
+				create or replace function
+					v0hooks_test_before_user_created_reject_msg(input jsonb)
+				returns json as $$
+				begin
+					return '{"decision": "reject", "message": "test case"}'::jsonb;
+				end; $$ language plpgsql;`,
+		},
+
+		{
+			desc: "pass - after_user_created",
+			setup: func() {
+				globalCfg.Hook.AfterUserCreated =
+					conf.ExtensibilityPointConfiguration{
+						URI: `pg-functions://postgres/auth/` +
+							`v0hooks_test_after_user_created`,
+						HookName: `"auth"."v0hooks_test_after_user_created"`,
+					}
+			},
+			run: func(tc *testCase, mr *Manager) error {
+				return mr.AfterUserCreated(
+					ctx, db,
+					tc.req.(*AfterUserCreatedInput),
+					tc.res.(*AfterUserCreatedOutput),
+				)
+			},
+			req: NewAfterUserCreatedInput(httpReq, &models.User{}),
+			res: &AfterUserCreatedOutput{},
+			exp: &AfterUserCreatedOutput{},
+			sql: `
+				create or replace function
+					v0hooks_test_after_user_created(input jsonb)
+				returns json as $$
+				begin
+					return '{}'::jsonb;
+				end; $$ language plpgsql;`,
+		},
+
 		// fail
 		{
 			desc: "fail - customize_access_token - error propagation",
@@ -404,7 +525,12 @@ func TestHooks(t *testing.T) {
 		}
 
 		htr := httptest.NewRequestWithContext(ctx, "POST", "/api", nil)
-		err := mr.InvokeHook(db, htr, tc.req, tc.res)
+		var err error
+		if tc.run == nil {
+			err = mr.InvokeHook(db, htr, tc.req, tc.res)
+		} else {
+			err = tc.run(&tc, mr)
+		}
 		if tc.errStr != "" {
 			require.Error(t, err)
 			require.Contains(t, err.Error(), tc.errStr)
@@ -433,6 +559,12 @@ func TestConfig(t *testing.T) {
 			PasswordVerificationAttempt: conf.ExtensibilityPointConfiguration{
 				URI: "http:localhost/" + string(PasswordVerification),
 			},
+			BeforeUserCreated: conf.ExtensibilityPointConfiguration{
+				URI: "http:localhost/" + string(BeforeUserCreated),
+			},
+			AfterUserCreated: conf.ExtensibilityPointConfiguration{
+				URI: "http:localhost/" + string(AfterUserCreated),
+			},
 		},
 	}
 	cfg := &globalCfg.Hook
@@ -457,6 +589,10 @@ func TestConfig(t *testing.T) {
 			name: MFAVerification, exp: &cfg.MFAVerificationAttempt},
 		{cfg: cfg, ok: true,
 			name: PasswordVerification, exp: &cfg.PasswordVerificationAttempt},
+		{cfg: cfg, ok: true,
+			name: BeforeUserCreated, exp: &cfg.BeforeUserCreated},
+		{cfg: cfg, ok: true,
+			name: AfterUserCreated, exp: &cfg.AfterUserCreated},
 	}
 	for idx, test := range tests {
 		t.Logf("test #%v - exp ok %v with cfg %v from name %v",

internal/hooks/v0hooks/v0hooks.go

@@ -1,10 +1,14 @@
 package v0hooks
 
 import (
+	"net/http"
+	"time"
+
 	"github.com/gofrs/uuid"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/supabase/auth/internal/mailer"
 	"github.com/supabase/auth/internal/models"
+	"github.com/supabase/auth/internal/utilities"
 )
 
 type Name string
@@ -15,13 +19,76 @@ const (
 	CustomizeAccessToken Name = "customize-access-token"
 	MFAVerification      Name = "mfa-verification"
 	PasswordVerification Name = "password-verification"
+	BeforeUserCreated    Name = "before-user-created"
+	AfterUserCreated     Name = "after-user-created"
 )
 
-// Hook Names
 const (
 	HookRejection = "reject"
 )
 
+const (
+	DefaultMFAHookRejectionMessage      = "Further MFA verification attempts will be rejected."
+	DefaultPasswordHookRejectionMessage = "Further password verification attempts will be rejected."
+)
+
+type Metadata struct {
+	UUID uuid.UUID `json:"uuid"`
+	Time time.Time `json:"time"`
+
+	// Hook name
+	Name Name `json:"name,omitempty"`
+
+	// IP Address of the request, if present
+	IPAddress string `json:"ip_address,omitempty"`
+}
+
+func NewMetadata(r *http.Request, name Name) *Metadata {
+	return &Metadata{
+		UUID:      uuid.Must(uuid.NewV4()),
+		Time:      time.Now(),
+		IPAddress: utilities.GetIPAddress(r),
+		Name:      name,
+	}
+}
+
+type BeforeUserCreatedInput struct {
+	Header *Metadata    `json:"header"`
+	User   *models.User `json:"user"`
+}
+
+func NewBeforeUserCreatedInput(
+	r *http.Request,
+	user *models.User,
+) *BeforeUserCreatedInput {
+	return &BeforeUserCreatedInput{
+		Header: NewMetadata(r, BeforeUserCreated),
+		User:   user,
+	}
+}
+
+type BeforeUserCreatedOutput struct {
+	Decision string `json:"decision"`
+	Message  string `json:"message"`
+}
+
+type AfterUserCreatedInput struct {
+	Header *Metadata    `json:"header"`
+	User   *models.User `json:"user"`
+}
+
+func NewAfterUserCreatedInput(
+	r *http.Request,
+	user *models.User,
+) *AfterUserCreatedInput {
+	return &AfterUserCreatedInput{
+		Header: NewMetadata(r, AfterUserCreated),
+		User:   user,
+	}
+}
+
+type AfterUserCreatedOutput struct{}
+
 // TODO(joel): Move this to phone package
 type SMS struct {
 	OTP     string `json:"otp,omitempty"`
@@ -90,8 +157,3 @@ type SendEmailInput struct {
 
 type SendEmailOutput struct {
 }
-
-const (
-	DefaultMFAHookRejectionMessage      = "Further MFA verification attempts will be rejected."
-	DefaultPasswordHookRejectionMessage = "Further password verification attempts will be rejected."
-)