# support-questions

HRP

06/11/2022, 9:20 PM
Hi everyone, I'm new to SuperTokens and was wondering if there are any docs/examples/pointers on how to:
- create users and set a temporary password that they are prompted to change after first login
- allow an admin to reset a user's password or to suspend a user
TIA

rp

06/12/2022, 5:48 AM
hey @HRP
So we don't have these built in (yet), but you can customise the flow fairly easily to enable these:

For temporary password:
- I assume that the user will be created by the admin with a temp password. This can be done by calling our sign up API. You want to override the sign up API and, after the original implementation is finished, set the user's metadata to reflect that the password is temporary.
- When the user signs in with the temp password, you want to modify the session's access token payload to indicate that the password is still temporary. Then check for this in your APIs (post session verification) and on the frontend: if the payload indicates that the password is still temporary, do not grant access to the user. Instead, redirect them to a page which asks them to change their password (you can build this page or take them through the built in reset password flow here).
- You can then override the password reset API on the backend and modify the session's access token payload to indicate that the password is no longer temporary, thereby giving them access to your APIs.

Allowing admins to reset a user's password:
- You can see a reset password API example here: https://supertokens.com/docs/emailpassword/common-customizations/change-password. You can modify this API such that, instead of verifying the existing password, you check that the current session belongs to the admin.

Suspending a user:
- Create an API on the backend which will check that the current session belongs to the admin.
- Then modify the user's metadata to mark them as suspended.
- Then override the createNewSession and refreshSession functions on the backend, such that you check if the user has been suspended, and if they have:
  - In the createNewSession function, you want to throw an error preventing them from signing in.
  - In the refreshSession API, you want to throw an UNAUTHORISED error, preventing logging them out (if they already have a session that exists).
Hope this helps @HRP ! Please feel free to ask more questions if needed