https://supertokens.com/ logo
Join Discord
Powered by
Hi, I have a question regards this implementation:...
# support-questions-legacy
i
Hi, I have a question regards this implementation: https://supertokens.com/docs/passwordless/graphql-integration/backend-setup today we are using graphql-shield (https://the-guild.dev/graphql/shield) together with a code we wrote to add the JWT token from the request payload to the context:
Copy code
tokenPayload = await new Promise((resolve, reject) =>
        jwt.verify(token, this.getKey.bind(this), {}, (err, decoded) => {
          if (err) {
            this.logger.error({ msg: 'error verifing token', err });
            reject(err);
          } else {
            resolve(decoded);
          }
        }),
      );
we have a distributed system so each sub-graph is doing its own AuthZ using Shield. We define the roles check using graphql-shield functions that check the claims we overload on the GQL request context. I'm thinking of replacing this local check with: 
let session = await Session.getSession(contextValue.req, contextValue.res)
and overload the claims based on this function response. I just wonder if this will return a new session in case the roles for the user were updated, if yes how should I return it to the client? also wonder what are the default checks this function does and if it always does it with the Supertokens server or if there is any local cache mechanism?
r
hey @idanto
By defualt, getSession only verifies the JWT + checks any global claim validators you may have added to session.init config. You can also add specific validators to each call to getSession to check roles (like shown here: https://supertokens.com/docs/userroles/protecting-routes), in which case it will update the roles claim in the session every 5 mins by default. In case the token has to be updated, it will attach the new tokens in the response headers (As set-cookies in case you are using cookies based auth), which the browser should pick up on its own.
i
so just to make sure I follow, only if I add a validation to check the roles like 
UserRoles.UserRoleClaim.validators.includes("admin")
it will update the token in case it needs to be updated, right? If I still want to use shield so I need to implement the function there using supertokens sdk functions? is there a way to get the most up-to-date claims while validating the session (every 5min is fine)? when you say "getSession only verifies the JWT + checks any global claim validators you may have added to session.init config" do you mean locally or by calling supertokens server?
r
> when you say "getSession only verifies the JWT + checks any global claim validators you may have added to session.init config" do you mean locall locally
you can force update the claim from the session by calling 
await session.setAndFetchClaim(UserRoles.UserRoleClaim)
so you could do:
i
so basically getSession is the same as our existing code
r
- getSession (same as existing code) - check the access token payload's st-roles claim's timestatp to see if it's more than 5 mins ago, and if it is, call 
await session.setAndFetchClaim(UserRoles.UserRoleClaim)
- use shield
> getSession is the same as our existing code If the session has expired, it will not send a 401 directly, but it will throw an error, and that error can be either caught by you and you send a 401, or then it gets caught by our error handler if you have added it.
vs verifySession which also sends the 401 to the frontend directly.
i
thanks, so to do what I want I have to implement the "cache" logic myself practically
r
not really
well, im not sure what i mean by when you say caching logic
but in the steps i highlighted above, there is not cache storage needed
i
to refresh the claims only once in a while and not for every API call
r
the last update time is already stored in the claim in the access tkoen payload
i
not really cache more of a refresh logic
r
session.getAccessTokenPayload().st-roles.t
i
thanks
this is the timestamp, right?
r
yes. time of last update
so it should be updated and relfected in the new access token payload when you call setAndFetchClaim
i
👍 I will play with it and see how it works for me
one more quick question about that, does the /refresh update the claims if they have changed? or for it to do that i need to override some functions/apis
r
it doesn't update the claims if they have changed. Updating the claims like roles only happens via the validators you use (or if you manually call fetchAndSetClaim like we discussed above). You can ofc override the refresh API to update it yourself.
3 Views
PreviousNext
Powered by