user roles question
# support-questions
m
Quick Question -> are multiple roles allowed/on by default? Is there a quick way to change the role of a user (while removing all other roles), so making sure the user only ever has one? Thanks!
r
hey @miguelstevensbe yes - you can associate multiple roles per user. When adding a role to a user, you can get all the existing roles and in a loop remove them before adding / changing the role. This will ensure that just one role is added per user.
m
Great! I'll use that method, thanks!
I've got this piece of code that updates the user's session, but in the docs I see another method.
```ts
import Session from "supertokens-node/recipe/session";

// Update the role stored in the access token payload of every session of a user
async function updateRoleInAllSessions(userId: string, updatedRole: string) {
    const sessionHandles = await Session.getAllSessionHandlesForUser(userId);

    for (const handle of sessionHandles) {
        const sessionInformation = await Session.getSessionInformation(handle);
        if (sessionInformation === undefined) {
            throw Error(`No session information found for user ${userId}`);
        }

        const sessionPayload = sessionInformation.accessTokenPayload;
        // Spread the existing payload first so the new role overrides any old one
        await Session.updateAccessTokenPayload(handle, {
            ...sessionPayload,
            role: updatedRole,
        });
    }
}
```
Is this the same as?
```ts
await session.fetchAndSetClaim(UserRoleClaim)
```
r
not exactly. The second method changes the session's access token payload for the current session and is reflected in the current session immediately. The first method does an offline change to the sessions and they are reflected on the frontend / post session verification after the session has refreshed.
also the first method uses a custom payload for adding roles, whereas the second one uses our in-built claim. The first is just an example of how to add custom stuff to the access token payload.
m
So after changing the role of a user, the second method is enough? Don't I need to change things in the session straight away?
r
the second method changes the current session.
and other sessions will eventually auto update (every 5 mins by default)
m
So you would propose the second method then?
r
yup. That's the recommended way
see our user roles guides
m
Perfect, thanks!
One more question in this regard, what happens in the frontend when I use the
await session.fetchAndSetClaim(UserRoleClaim)
?
I suppose the user for whom the role is changed has to be logged out, for example if the UI is different depending on the role? What's a good practice for this?
r
No logout needed. The session’s access token will change on the frontend
And depending on how you have built the ui, the view can just change
m
Okay great! Thanks
The example with
session.fetchAndSetClaim(UserRoleClaim)
this assumes it's the current user. In my case I have an admin user changing the role for another user, how can I perform that?
So in short, how do I use the
session.fetchAndSetClaim(UserRoleClaim)
for another user, not the one that is currently signed in? Thanks @rp!
r
right. In that case, you will have to go with the offline mode for updating the roles - you should just call the
addRoleToUser
and
removeUserRole
functions for the target user. And within 5 mins, the user's session would be updated. You can make this 5 mins a lower number by passing the
maxAgeInSeconds
param to the
UserRoleClaim
validators. For example, you can use:
```ts
import { verifySession } from "supertokens-node/recipe/session/framework/express";
import express from "express";
import { SessionRequest } from "supertokens-node/framework/express";
import UserRoles from "supertokens-node/recipe/userroles";

let app = express();

app.post(
    "/update-blog",
    verifySession({
        overrideGlobalClaimValidators: async (globalValidators) => [
            ...globalValidators,
            // The second argument is maxAgeInSeconds: re-fetch roles from the db
            // if the claim in the access token is older than 10 seconds.
            UserRoles.UserRoleClaim.validators.includes("admin", 10),
        ],
    }),
    async (req: SessionRequest, res) => {
        // All validator checks have passed and the user is an admin.
        res.sendStatus(200);
    }
);
```
Notice the
10
in the
includes
function call above - this will make sure that the roles are synced with the db every 10 seconds.