I have an app in which users are invited by an adm...
# support-questions-legacym
miguelstevensbe
04/17/2023, 11:34 AMI have an app in which users are invited by an admin, using an email, now I'm wondering,
- Do I create the Supertokens user first, and then invite the user to register for an account in my app
- Do I create an account in my app's database, and then have the user signup using a special link to fill in his details for Supertokens?
What's the general way of going about something like this? The user account will have to be coupled to a company, for example
r
rp_st
04/17/2023, 11:40 AM> Do I create the Supertokens user first, and then invite the user to register for an account in my app
This is the easiest way. We have a guide for it as well: https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/disable-sign-up/overview
m
miguelstevensbe
04/17/2023, 11:41 AMHi @rp_st , thanks, so I won't be using the EmailPassword recipe, but the ThirdParty one?
r
rp_st
04/17/2023, 11:41 AMyou can use the email password one as well
rp_st
04/17/2023, 11:41 AMup to you
rp_st
04/17/2023, 11:42 AMessentially you have to white list the email ID somehow and then when they sign up, check the whitelist to see if they can sign up
rp_st
04/17/2023, 11:42 AMor let them sign up, but then have their app in a "not approved" state, until you manually approve it.
rp_st
04/17/2023, 11:42 AMdifferent ways of implementing this. Depends on the UX you want
m
miguelstevensbe
04/17/2023, 11:46 AMOkay, and about the meta data, is it worth saving data like the company_id to which the user is invited into Supertokens, or save all of this info in my own database. I'm not sure what the most common way is. Which related data do you keep in Supertokens and which one in my own app?
r
rp_st
04/17/2023, 11:49 AMyou could store in user metadata as long as you want to fetch that info based on user_id. For example, if you want to get all users in a company_id, then you should not use our metadata feature and instead just store in your own db
m
miguelstevensbe
04/17/2023, 11:50 AMRight, good point! Thanks a lot.
miguelstevensbe
04/17/2023, 2:53 PMHey @rp_st I'm sorry, one more question, I'm not sure if I should create a new thread for it but,?
If I want to include my own custom data (from my DB) into the session, do I fetch it in the
Session.init()CreateNewSessionr
rp_st
04/17/2023, 2:58 PMyes it is the best way. Also, questions on new topics should be in a new thread 🙂
m
miguelstevensbe
04/17/2023, 3:01 PMGood! I'll remember, thanks
miguelstevensbe
04/18/2023, 3:33 PMHi @rp_st I've got a follow up question for the user invitation way of doing things, so as you recommended
- I invite a user, which creates a default user in supertokens with a hard-coded password
- I create the user in my local db
- I then send a password reset link to that user so he can choose his password
But I'm wondering, what if the invite has been revoked, when the user sets his new password, can I do a check in my local db to see if the invite is still valid? Thanks!
r
rp_st
04/18/2023, 3:39 PMyea.. you can. To revoke an invite, you can simply create a new password reset token for the user and then call the reset password function with the same hardcoded password. This will revoke all the previously generated password reset tokens.
When the user clicks on the link and tries to enter their new password, it will fail to verify the user's password reset token thereby preventing them from changing the password.
m
miguelstevensbe
04/18/2023, 3:40 PMThis does mean the user will still be around in the system, shouldn't I delete the user better?
r
rp_st
04/18/2023, 3:41 PMoh yea.. sure you can,.
rp_st
04/18/2023, 3:42 PMthat would be better.
m
miguelstevensbe
04/18/2023, 3:42 PMI will test and see what happens when a user that is deleted clicks the link in the email reset password.
r
rp_st
04/18/2023, 3:44 PMcool
m
miguelstevensbe
04/18/2023, 3:50 PMThanks a lot!
9 Views