Hello, I recently adopted your new solution for handling sessions with Nest.js, Hasura, and SuperTok...
l
Hello, I recently adopted your new solution for handling sessions with Nest.js, Hasura, and SuperTokens. I have encountered an issue related to one of the claims I add to the token, namely 'x-hasura-company-id'. This claim checks the currently set company for users. However, the user's company can change over time. Initially, when creating an account, users do not have a company assigned. We prompt users to provide their company information at a later stage. Now, I would like to find a way to refresh the data in the JWT and add an 'x-hasura-current-company' claim if the user's company data gets updated in the database. Is this possible?
r
hey @Lindo (Hannes Colt) it is
l
That's so nice to hear, could you point me in the right direction? 🙂
Thank you!
I am opting for the offline solution so that I am not relying on the client to trigger the update of the JWT. The only issue here for me is this part: "Changes to the access token payload via this method are reflected in the session only once the session is refreshed." I want to expire the session manually from the backend when updating the JWT claim, thus triggering an automatic refresh from the client! But I am unsure which functionality, if any, would allow this?
To be extra clear, I don't want to cancel the session, thus demanding another login, I just want to demand a refresh.
I also have this issue that if an x-hasura-company-id is already present on the payload and it changes in our DB, triggering a JWT payload update, I get 2x x-hasura-company-id keys in the payload.
r
Right. So this can be achieved by setting a small access token lifetime. There is no foolproof way of updating all users' sessions instantly without having to query the db each time a request is sent via a session (which can slow down your API calls). You could also check out our docs for custom session claims and build your own custom claim + validator, and then when using the validator in the APIs, set a very low maxAgeInSeconds value.
l
Alright, thanks again!