From a7ccacbdb717a03716e49682b331bcc75142a40c Mon Sep 17 00:00:00 2001
From: Sattvik Chakravarthy <sattvik@supertokens.com>
Date: Tue, 6 Feb 2024 12:03:48 +0530
Subject: [PATCH] fix: Load only cud (#917)

* fix: update config and validateAndNormalize

* fix: impl

* fix: PR comments

* fix: cleanup

* fix: cleanup

* fix: pr comments

* fix: pr comments

* fix: tests

* fix: changelog

* fix: 400 error

* fix: cuds from db
---
 CHANGELOG.md                                  |   1 +
 config.yaml                                   |   5 +
 devConfig.yaml                                |   4 +
 .../io/supertokens/config/CoreConfig.java     |  19 ++
 .../multitenancy/MultitenancyHelper.java      |  46 +++-
 .../supertokens/webserver/WebserverAPI.java   |  29 +-
 .../api/multitenancy/BaseCreateOrUpdate.java  |  10 +
 .../test/multitenant/ConfigTest.java          |   4 +-
 .../test/multitenant/LoadOnlyCUDTest.java     | 253 ++++++++++++++++++
 9 files changed, 353 insertions(+), 18 deletions(-)
 create mode 100644 src/test/java/io/supertokens/test/multitenant/LoadOnlyCUDTest.java

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4365d6623..21e63f238 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,7 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [7.0.17] - 2024-02-06
 
 - Fixes issue where error logs were printed to StdOut instead of StdErr.
+- Adds new config `supertokens_saas_load_only_cud` that makes the core instance load a particular CUD only, irrespective of the CUDs present in the db.
 
 ## [7.0.16] - 2023-12-04
 
diff --git a/config.yaml b/config.yaml
index bc6e7cbce..fdb96d4ba 100644
--- a/config.yaml
+++ b/config.yaml
@@ -146,3 +146,8 @@ core_config_version: 0
 # when CDI version is not specified in the request. When set to null, the core will assume the latest version of the
 # CDI.
 # supertokens_max_cdi_version:
+
+
+# (OPTIONAL | Default: null) string value. If specified, the supertokens service will only load the specified CUD even
+# if there are more CUDs in the database and block all other CUDs from being used from this instance.
+# supertokens_saas_load_only_cud:
diff --git a/devConfig.yaml b/devConfig.yaml
index 73ccf220d..276b35d42 100644
--- a/devConfig.yaml
+++ b/devConfig.yaml
@@ -147,3 +147,7 @@ disable_telemetry: true
 # when CDI version is not specified in the request. When set to null, the core will assume the latest version of the
 # CDI.
 # supertokens_max_cdi_version:
+
+# (OPTIONAL | Default: null) string value. If specified, the supertokens service will only load the specified CUD even
+# if there are more CUDs in the database and block all other CUDs from being used from this instance.
+# supertokens_saas_load_only_cud:
diff --git a/src/main/java/io/supertokens/config/CoreConfig.java b/src/main/java/io/supertokens/config/CoreConfig.java
index ba291a4b2..3de06caa7 100644
--- a/src/main/java/io/supertokens/config/CoreConfig.java
+++ b/src/main/java/io/supertokens/config/CoreConfig.java
@@ -30,7 +30,9 @@
 import io.supertokens.pluginInterface.LOG_LEVEL;
 import io.supertokens.pluginInterface.exceptions.InvalidConfigException;
 import io.supertokens.utils.SemVer;
+import io.supertokens.webserver.Utils;
 import io.supertokens.webserver.WebserverAPI;
+import jakarta.servlet.ServletException;
 import org.apache.catalina.filters.RemoteAddrFilter;
 import org.jetbrains.annotations.TestOnly;
 
@@ -197,6 +199,10 @@ public class CoreConfig {
     @JsonProperty
     private String supertokens_max_cdi_version = null;
 
+    @ConfigYamlOnly
+    @JsonProperty
+    private String supertokens_saas_load_only_cud = null;
+
     @IgnoreForAnnotationCheck
     private Set<LOG_LEVEL> allowedLogLevels = null;
 
@@ -254,6 +260,10 @@ public String getBasePath() {
         return base_path;
     }
 
+    public String getSuperTokensLoadOnlyCUD() {
+        return supertokens_saas_load_only_cud;
+    }
+
     public enum PASSWORD_HASHING_ALG {
         ARGON2, BCRYPT, FIREBASE_SCRYPT
     }
@@ -667,6 +677,15 @@ void normalizeAndValidate(Main main, boolean includeConfigFilePath) throws Inval
             host = cliHost;
         }
 
+        if (supertokens_saas_load_only_cud != null) {
+            try {
+                supertokens_saas_load_only_cud =
+                        Utils.normalizeAndValidateConnectionUriDomain(supertokens_saas_load_only_cud, true);
+            } catch (ServletException e) {
+                throw new InvalidConfigException("supertokens_saas_load_only_cud is invalid");
+            }
+        }
+
         access_token_validity = access_token_validity * 1000;
         access_token_dynamic_signing_key_update_interval = access_token_dynamic_signing_key_update_interval * 3600 * 1000;
         refresh_token_validity = refresh_token_validity * 60 * 1000;
diff --git a/src/main/java/io/supertokens/multitenancy/MultitenancyHelper.java b/src/main/java/io/supertokens/multitenancy/MultitenancyHelper.java
index fe9397622..ad0433238 100644
--- a/src/main/java/io/supertokens/multitenancy/MultitenancyHelper.java
+++ b/src/main/java/io/supertokens/multitenancy/MultitenancyHelper.java
@@ -51,9 +51,20 @@ public class MultitenancyHelper extends ResourceDistributor.SingletonResource {
     private Main main;
     private TenantConfig[] tenantConfigs;
 
+    // when the core has `supertokens_saas_load_only_cud` set, the tenantConfigs array will be filtered
+    // based on the config value. However, we need to keep all the list of CUDs from the db to be able
+    // to check if the CUD is present in the DB or not, while processing the requests.
+    private final Set<String> dangerous_allCUDsFromDb = new HashSet<>();
+
     private MultitenancyHelper(Main main) throws StorageQueryException {
         this.main = main;
-        this.tenantConfigs = getAllTenantsFromDb();
+        TenantConfig[] allTenantsFromDb = getAllTenantsFromDb();
+        this.tenantConfigs = this.getFilteredTenantConfigs(allTenantsFromDb);
+        this.dangerous_allCUDsFromDb.clear();
+
+        for (TenantConfig config : allTenantsFromDb) {
+            this.dangerous_allCUDsFromDb.add(config.tenantIdentifier.getConnectionUriDomain());
+        }
     }
 
     public static MultitenancyHelper getInstance(Main main) {
@@ -108,10 +119,11 @@ public List<TenantIdentifier> refreshTenantsInCoreBasedOnChangesInCoreConfigOrIf
             return main.getResourceDistributor().withResourceDistributorLock(() -> {
                 try {
                     TenantConfig[] tenantsFromDb = getAllTenantsFromDb();
+                    TenantConfig[] filteredTenantsFromDb = this.getFilteredTenantConfigs(tenantsFromDb);
 
                     Map<ResourceDistributor.KeyClass, JsonObject> normalizedTenantsFromDb =
                             Config.getNormalisedConfigsForAllTenants(
-                            tenantsFromDb, Config.getBaseConfigAsJsonObject(main));
+                            filteredTenantsFromDb, Config.getBaseConfigAsJsonObject(main));
 
                     Map<ResourceDistributor.KeyClass, JsonObject> normalizedTenantsFromMemory =
                             Config.getNormalisedConfigsForAllTenants(
@@ -129,9 +141,14 @@ public List<TenantIdentifier> refreshTenantsInCoreBasedOnChangesInCoreConfigOrIf
                         }
                     }
 
-                    boolean sameNumberOfTenants = tenantsFromDb.length == this.tenantConfigs.length;
+                    boolean sameNumberOfTenants =
+                            filteredTenantsFromDb.length == this.tenantConfigs.length;
 
-                    this.tenantConfigs = tenantsFromDb;
+                    this.dangerous_allCUDsFromDb.clear();
+                    for (TenantConfig tenant : tenantsFromDb) {
+                        this.dangerous_allCUDsFromDb.add(tenant.tenantIdentifier.getConnectionUriDomain());
+                    }
+                    this.tenantConfigs = filteredTenantsFromDb;
                     if (tenantsThatChanged.size() == 0 && sameNumberOfTenants) {
                         return tenantsThatChanged;
                     }
@@ -190,7 +207,7 @@ public void loadStorageLayer() throws IOException, InvalidConfigException {
     public void loadFeatureFlag(List<TenantIdentifier> tenantsThatChanged) {
         List<AppIdentifier> apps = new ArrayList<>();
         Set<AppIdentifier> appsSet = new HashSet<>();
-        for (TenantConfig t : tenantConfigs) {
+        for (TenantConfig t : this.tenantConfigs) {
             if (appsSet.contains(t.tenantIdentifier.toAppIdentifier())) {
                 continue;
             }
@@ -204,7 +221,7 @@ public void loadSigningKeys(List<TenantIdentifier> tenantsThatChanged)
             throws UnsupportedJWTSigningAlgorithmException {
         List<AppIdentifier> apps = new ArrayList<>();
         Set<AppIdentifier> appsSet = new HashSet<>();
-        for (TenantConfig t : tenantConfigs) {
+        for (TenantConfig t : this.tenantConfigs) {
             if (appsSet.contains(t.tenantIdentifier.toAppIdentifier())) {
                 continue;
             }
@@ -238,4 +255,21 @@ public TenantConfig[] getAllTenants() {
             throw new IllegalStateException(e);
         }
     }
+
+    private TenantConfig[] getFilteredTenantConfigs(TenantConfig[] inputTenantConfigs) {
+        String loadOnlyCUD = Config.getBaseConfig(main).getSuperTokensLoadOnlyCUD();
+
+        if (loadOnlyCUD == null) {
+            return inputTenantConfigs;
+        }
+
+        return Arrays.stream(inputTenantConfigs)
+                .filter(tenantConfig -> tenantConfig.tenantIdentifier.getConnectionUriDomain().equals(loadOnlyCUD)
+                        || tenantConfig.tenantIdentifier.getConnectionUriDomain().equals(TenantIdentifier.DEFAULT_CONNECTION_URI))
+                .toArray(TenantConfig[]::new);
+    }
+
+    public boolean isConnectionUriDomainPresentInDb(String cud) {
+        return this.dangerous_allCUDsFromDb.contains(cud);
+    }
 }
diff --git a/src/main/java/io/supertokens/webserver/WebserverAPI.java b/src/main/java/io/supertokens/webserver/WebserverAPI.java
index a94e04d83..a87130a75 100644
--- a/src/main/java/io/supertokens/webserver/WebserverAPI.java
+++ b/src/main/java/io/supertokens/webserver/WebserverAPI.java
@@ -24,6 +24,7 @@
 import io.supertokens.config.CoreConfig;
 import io.supertokens.exceptions.QuitProgramException;
 import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
+import io.supertokens.multitenancy.MultitenancyHelper;
 import io.supertokens.multitenancy.exception.BadPermissionException;
 import io.supertokens.output.Logging;
 import io.supertokens.pluginInterface.Storage;
@@ -287,15 +288,18 @@ private String getConnectionUriDomain(HttpServletRequest req) throws ServletExce
         String connectionUriDomain = req.getServerName();
         connectionUriDomain = Utils.normalizeAndValidateConnectionUriDomain(connectionUriDomain, false);
 
-        try {
-            if (Config.getConfig(new TenantIdentifier(connectionUriDomain, null, null), main) ==
-                    Config.getConfig(new TenantIdentifier(null, null, null), main)) {
-                return null;
+        if (MultitenancyHelper.getInstance(main).isConnectionUriDomainPresentInDb(connectionUriDomain)) {
+            CoreConfig baseConfig = Config.getBaseConfig(main);
+            if (baseConfig.getSuperTokensLoadOnlyCUD() != null) {
+                if (!connectionUriDomain.equals(baseConfig.getSuperTokensLoadOnlyCUD())) {
+                    throw new ServletException(new BadRequestException("Connection URI domain is disallowed"));
+                }
             }
-        } catch (TenantOrAppNotFoundException e) {
-            throw new IllegalStateException(e);
+
+            return connectionUriDomain;
         }
-        return connectionUriDomain;
+
+        return null;
     }
 
     @TestOnly
@@ -481,10 +485,13 @@ protected void service(HttpServletRequest req, HttpServletResponse resp) throws
         }
         Logging.info(main, tenantIdentifier, "API ended: " + req.getRequestURI() + ". Method: " + req.getMethod(),
                 false);
-        try {
-            RequestStats.getInstance(main, tenantIdentifier.toAppIdentifier()).updateRequestStats();
-        } catch (TenantOrAppNotFoundException e) {
-            // Ignore the error as we would have already sent the response for tenantNotFound
+
+        if (tenantIdentifier != null) {
+            try {
+                RequestStats.getInstance(main, tenantIdentifier.toAppIdentifier()).updateRequestStats();
+            } catch (TenantOrAppNotFoundException e) {
+                // Ignore the error as we would have already sent the response for tenantNotFound
+            }
         }
     }
 
diff --git a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
index ac930fb7b..87bc319b5 100644
--- a/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
+++ b/src/main/java/io/supertokens/webserver/api/multitenancy/BaseCreateOrUpdate.java
@@ -19,6 +19,8 @@
 import com.google.gson.JsonElement;
 import com.google.gson.JsonObject;
 import io.supertokens.Main;
+import io.supertokens.config.Config;
+import io.supertokens.config.CoreConfig;
 import io.supertokens.featureflag.exceptions.FeatureNotEnabledException;
 import io.supertokens.multitenancy.Multitenancy;
 import io.supertokens.multitenancy.exception.BadPermissionException;
@@ -49,6 +51,14 @@ protected void handle(HttpServletRequest req, TenantIdentifier sourceTenantIdent
                           HttpServletResponse resp)
             throws ServletException, IOException {
 
+        CoreConfig baseConfig = Config.getBaseConfig(main);
+        if (baseConfig.getSuperTokensLoadOnlyCUD() != null) {
+            if (!(targetTenantIdentifier.getConnectionUriDomain().equals(TenantIdentifier.DEFAULT_CONNECTION_URI) || targetTenantIdentifier.getConnectionUriDomain().equals(baseConfig.getSuperTokensLoadOnlyCUD()))) {
+                throw new ServletException(new BadRequestException("Creation of connection uri domain or app or " +
+                        "tenant is disallowed"));
+            }
+        }
+
         TenantConfig tenantConfig = Multitenancy.getTenantInfo(main,
                 new TenantIdentifier(targetTenantIdentifier.getConnectionUriDomain(), targetTenantIdentifier.getAppId(),
                         targetTenantIdentifier.getTenantId()));
diff --git a/src/test/java/io/supertokens/test/multitenant/ConfigTest.java b/src/test/java/io/supertokens/test/multitenant/ConfigTest.java
index 2885d4318..13cdfe6be 100644
--- a/src/test/java/io/supertokens/test/multitenant/ConfigTest.java
+++ b/src/test/java/io/supertokens/test/multitenant/ConfigTest.java
@@ -1914,6 +1914,7 @@ public void testAllConflictingConfigs() throws Exception {
                 "argon2_memory_kb",
                 "argon2_parallelism",
                 "bcrypt_log_rounds",
+                "supertokens_saas_load_only_cud"
         };
         Object[] disallowedValues = new Object[]{
                 3567, // port
@@ -1930,6 +1931,7 @@ public void testAllConflictingConfigs() throws Exception {
                 87795, // argon2_memory_kb
                 2, // argon2_parallelism
                 11, // bcrypt_log_rounds
+                "mydomain.com", // supertokens_saas_load_only_cud
         };
 
         process.kill();
@@ -1995,7 +1997,7 @@ public void testAllConflictingConfigs() throws Exception {
                 new Object[]{true, false}, // disable_telemetry
                 new Object[]{"BCRYPT", "ARGON2"}, // password_hashing_alg
                 new Object[]{"abcd1234abcd1234abcd1234abcd1234", "qwer1234qwer1234qwer1234qwer1234"}, // firebase_password_hashing_signer_key
-                new Object[]{"2.21", "3.0"} // supertokens_max_cdi_version
+                new Object[]{"2.21", "3.0"}, // supertokens_max_cdi_version
         };
 
         for (int i=0; i<conflictingInSameUserPool.length; i++) {
diff --git a/src/test/java/io/supertokens/test/multitenant/LoadOnlyCUDTest.java b/src/test/java/io/supertokens/test/multitenant/LoadOnlyCUDTest.java
new file mode 100644
index 000000000..053420b04
--- /dev/null
+++ b/src/test/java/io/supertokens/test/multitenant/LoadOnlyCUDTest.java
@@ -0,0 +1,253 @@
+/*
+ *    Copyright (c) 2024, VRAI Labs and/or its affiliates. All rights reserved.
+ *
+ *    This software is licensed under the Apache License, Version 2.0 (the
+ *    "License") as published by the Apache Software Foundation.
+ *
+ *    You may not use this file except in compliance with the License. You may
+ *    obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *    Unless required by applicable law or agreed to in writing, software
+ *    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+ *    License for the specific language governing permissions and limitations
+ *    under the License.
+ */
+
+package io.supertokens.test.multitenant;
+
+import com.google.gson.JsonElement;
+import com.google.gson.JsonObject;
+import io.supertokens.Main;
+import io.supertokens.ProcessState;
+import io.supertokens.cronjobs.CronTask;
+import io.supertokens.cronjobs.Cronjobs;
+import io.supertokens.featureflag.EE_FEATURES;
+import io.supertokens.featureflag.FeatureFlagTestContent;
+import io.supertokens.pluginInterface.STORAGE_TYPE;
+import io.supertokens.pluginInterface.multitenancy.AppIdentifier;
+import io.supertokens.pluginInterface.multitenancy.TenantIdentifier;
+import io.supertokens.pluginInterface.multitenancy.exceptions.TenantOrAppNotFoundException;
+import io.supertokens.storageLayer.StorageLayer;
+import io.supertokens.test.CronjobTest;
+import io.supertokens.test.TestingProcessManager;
+import io.supertokens.test.Utils;
+import io.supertokens.test.httpRequest.HttpResponseException;
+import io.supertokens.test.multitenant.api.TestMultitenancyAPIHelper;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.TestRule;
+
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+
+import static org.junit.Assert.*;
+
+public class LoadOnlyCUDTest {
+    @Rule
+    public TestRule watchman = Utils.getOnFailure();
+
+    @AfterClass
+    public static void afterTesting() {
+        Utils.afterTesting();
+    }
+
+    @Before
+    public void beforeEach() {
+        Utils.reset();
+    }
+
+    @Test
+    public void testAPIChecksForLoadOnlyCUD() throws Exception {
+        String[] args = {"../"};
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        FeatureFlagTestContent.getInstance(process.getProcess())
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.MULTI_TENANCY});
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        JsonObject coreConfig = new JsonObject();
+        StorageLayer.getStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(coreConfig, 1);
+
+        TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                "127.0.0.1", true, true, true, coreConfig);
+        StorageLayer.getStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(coreConfig, 2);
+
+        TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                "localhost", true, true, true, coreConfig);
+
+        process.kill(false);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+
+        Utils.setValueInConfig("supertokens_saas_load_only_cud", "127.0.0.1:3567");
+        process = TestingProcessManager.start(args, false);
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        try {
+            TestMultitenancyAPIHelper.epSignUp(new TenantIdentifier("localhost", null, null), "test@example.com",
+                    "password123", process.getProcess());
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+        }
+
+        // check that it's allowed with 127.0.0.1
+        TestMultitenancyAPIHelper.epSignUp(new TenantIdentifier("127.0.0.1", null, null), "test@example.com",
+                "password123", process.getProcess());
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testCreationOfCUDWithLoadOnlyCUD() throws Exception {
+        String[] args = {"../"};
+
+        Utils.setValueInConfig("supertokens_saas_load_only_cud", "127.0.0.1:3567");
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+
+        FeatureFlagTestContent.getInstance(process.getProcess())
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.MULTI_TENANCY});
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        if (StorageLayer.getStorage(process.getProcess()).getType() != STORAGE_TYPE.SQL) {
+            return;
+        }
+
+        try {
+            TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                    "localhost:3567", true, true, true, new JsonObject());
+            fail();
+        } catch (HttpResponseException e) {
+            assertEquals(400, e.statusCode);
+        }
+
+        JsonObject coreConfig = new JsonObject();
+        StorageLayer.getStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(coreConfig, 1);
+
+        // This should pass
+        TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                "127.0.0.1:3567", true, true, true, coreConfig);
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testThatResourcesAreNotLoadedWithLoadOnlyCUD() throws Exception {
+        String[] args = {"../"};
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        FeatureFlagTestContent.getInstance(process.getProcess())
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.MULTI_TENANCY});
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        JsonObject coreConfig = new JsonObject();
+        StorageLayer.getStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(coreConfig, 1);
+        TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                "127.0.0.1", true, true, true, coreConfig);
+
+        StorageLayer.getStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(coreConfig, 2);
+        TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                "localhost.org", true, true, true, coreConfig);
+
+        process.kill(false);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+
+        Utils.setValueInConfig("supertokens_saas_load_only_cud", "127.0.0.1:3567");
+        process = TestingProcessManager.start(args, false);
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        JsonObject result = TestMultitenancyAPIHelper.listConnectionUriDomains(TenantIdentifier.BASE_TENANT,
+                process.getProcess());
+        assertEquals("OK", result.get("status").getAsString());
+        assertEquals(2, result.get("connectionUriDomains").getAsJsonArray().size());
+
+        for (JsonElement elem : result.get("connectionUriDomains").getAsJsonArray()) {
+            assertNotEquals("localhost.org", elem.getAsJsonObject().get("connectionUriDomain").getAsString());
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    @Test
+    public void testCronDoesNotRunForOtherCUDsWithLoadOnlyCUD() throws Exception {
+        String[] args = {"../"};
+        TestingProcessManager.TestingProcess process = TestingProcessManager.start(args, false);
+        FeatureFlagTestContent.getInstance(process.getProcess())
+                .setKeyValue(FeatureFlagTestContent.ENABLED_FEATURES, new EE_FEATURES[]{EE_FEATURES.MULTI_TENANCY});
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        JsonObject coreConfig = new JsonObject();
+        StorageLayer.getStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(coreConfig, 1);
+        TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                "127.0.0.1", true, true, true, coreConfig);
+
+        StorageLayer.getStorage(process.getProcess()).modifyConfigToAddANewUserPoolForTesting(coreConfig, 2);
+        TestMultitenancyAPIHelper.createConnectionUriDomain(process.getProcess(), TenantIdentifier.BASE_TENANT,
+                "localhost.org", true, true, true, coreConfig);
+
+        process.kill(false);
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+
+        Utils.setValueInConfig("supertokens_saas_load_only_cud", "127.0.0.1:3567");
+        process = TestingProcessManager.start(args, false);
+        process.startProcess();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STARTED));
+
+        List<List<TenantIdentifier>> uniqueUserPoolIdsTenants = StorageLayer.getTenantsWithUniqueUserPoolId(process.getProcess());
+        Cronjobs.addCronjob(process.getProcess(), LoadOnlyCUDTest.PerAppCronjob.getInstance(process.getProcess(), uniqueUserPoolIdsTenants));
+
+        Thread.sleep(3000);
+        Set<AppIdentifier> appIdentifiersFromCron = PerAppCronjob.getInstance(process.getProcess(), uniqueUserPoolIdsTenants).appIdentifiers;
+        assertEquals(2, appIdentifiersFromCron.size());
+        for (AppIdentifier app : appIdentifiersFromCron) {
+            assertNotEquals("localhost.org", app.getConnectionUriDomain());
+        }
+
+        process.kill();
+        assertNotNull(process.checkOrWaitForEvent(ProcessState.PROCESS_STATE.STOPPED));
+    }
+
+    static class PerAppCronjob extends CronTask {
+        private static final String RESOURCE_ID = "io.supertokens.test.CronjobTest.NormalCronjob";
+
+        private PerAppCronjob(Main main, List<List<TenantIdentifier>> tenantsInfo) {
+            super("PerTenantCronjob", main, tenantsInfo, true);
+        }
+
+        Set<AppIdentifier> appIdentifiers = new HashSet<>();
+
+        public static LoadOnlyCUDTest.PerAppCronjob getInstance(Main main, List<List<TenantIdentifier>> tenantsInfo) {
+            try {
+                return (LoadOnlyCUDTest.PerAppCronjob) main.getResourceDistributor().getResource(new TenantIdentifier(null, null, null), RESOURCE_ID);
+            } catch (TenantOrAppNotFoundException e) {
+                return (LoadOnlyCUDTest.PerAppCronjob) main.getResourceDistributor()
+                        .setResource(new TenantIdentifier(null, null, null), RESOURCE_ID, new LoadOnlyCUDTest.PerAppCronjob(main, tenantsInfo));
+            }
+        }
+
+        @Override
+        public int getIntervalTimeSeconds() {
+            return 1;
+        }
+
+        @Override
+        public int getInitialWaitTimeSeconds() {
+            return 0;
+        }
+
+        @Override
+        protected void doTaskPerApp(AppIdentifier app) throws Exception {
+            appIdentifiers.add(app);
+        }
+    }
+}
\ No newline at end of file