After adding `addRolesAndPermissionsToSession` see...
# support-questions-legacy
d
After adding `addRolesAndPermissionsToSession`, it seems like it is adding the user roles to the token, but I'm still getting the access denied error
r
hey @drixhua can you show me the access token that is sent in the request in which the claim validation fails?
d
I guess it's this one?
And this is stripe calling back my api
r
can you send me the token in text here?
d
sFrontToken=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; sAccessToken=eyJraWQiOiJkLTE2OTk4Nzc1NjMwMTkiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiNSIsImFsZyI6IlJTMjU2In0.eyJpYXQiOjE3MDAxMjE3NDQsImV4cCI6MTcwMDEyNTMxNSwic3ViIjoiOWNlYmY5NzQtNDlmNy00NDdhLTlhZjEtNTU2YWFmMTBlZDRlIiwidElkIjoicHVibGljIiwicnN1YiI6IjljZWJmOTc0LTQ5ZjctNDQ3YS05YWYxLTU1NmFhZjEwZWQ0ZSIsInNlc3Npb25IYW5kbGUiOiIzNzZkY2QyMC05YjEyLTQxMWEtODk5Yi0zMWI5Y2VhMmRlN2UiLCJyZWZyZXNoVG9rZW5IYXNoMSI6IjkzZmQ2NTM4YzliY2FiNmJlOGIzYWM2NmE5MWQxNWI3ODk4ZDNhYmZhNGMwODc2ODlkNTZlY2I5MDk3NTMwYjAiLCJwYXJlbnRSZWZyZXNoVG9rZW5IYXNoMSI6bnVsbCwiYW50aUNzcmZUb2tlbiI6bnVsbCwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDozMDAxL2F1dGgiLCJzdC1yb2xlIjp7InYiOlsidHV0b3IiXSwidCI6MTcwMDEyMTc0NDEzM30sInN0LXBlcm0iOnsidiI6WyJyZWFkIiwid3JpdGUiXSwidCI6MTcwMDEyMTc0NDE5OH19.UvDD-oSeOsQ0Ze019Hrr67GvX2VTgKM20tZTidfgfgfPZJmoTWxy6f6ajAQVuG63uobPLG_pFzwi-36BP80SmmX7vBbo1lutKL1HA_m_xWWOSzG-Qt2VaFjyRai_HwbYJUBsK5koULNhN776lm81TL8VezUkS8o_4I-ehDR0cIuW6ZagZHDacX33otak4hj6-9e-mF3f7AVfyretTGIRX2DhWwsAMJHnWq0Ogdhhh9jAU35sf5aZlvckG1v_xMtQH0p46zOxVe7c6q3WaiEKWxtw73nxyyfjqjyUJIpaZqOpOqkuoMIcVy2tuhT-2lWfI6SAT-idnWDEEl4kMG3FkQ
r
right, so this access token does have the right role in it
can I see how you are adding the validator in your API?
d
I think this one doesn't have it, right?: sFrontToken=eyJ1aWQiOiI5Y2ViZjk3NC00OWY3LTQ0N2EtOWFmMS01NTZhYWYxMGVkNGUiLCJhdGUiOjE3MDAxMjUzMTUwMDAsInVwIjp7ImlhdCI6MTcwMDEyMTcxNSwiZXhwIjoxNzAwMTI1MzE1LCJzdWIiOiI5Y2ViZjk3NC00OWY3LTQ0N2EtOWFmMS01NTZhYWYxMGVkNGUiLCJ0SWQiOiJwdWJsaWMiLCJyc3ViIjoiOWNlYmY5NzQtNDlmNy00NDdhLTlhZjEtNTU2YWFmMTBlZDRlIiwic2Vzc2lvbkhhbmRsZSI6IjM3NmRjZDIwLTliMTItNDExYS04OTliLTMxYjljZWEyZGU3ZSIsInJlZnJlc2hUb2tlbkhhc2gxIjoiOTNmZDY1MzhjOWJjYWI2YmU4YjNhYzY2YTkxZDE1Yjc4OThkM2FiZmE0YzA4NzY4OWQ1NmVjYjkwOTc1MzBiMCIsInBhcmVudFJlZnJlc2hUb2tlbkhhc2gxIjpudWxsLCJhbnRpQ3NyZlRva2VuIjpudWxsLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEvYXV0aCIsInN0LXJvbGUiOnsidiI6W10sInQiOjE3MDAxMjE3MTU2MTl9LCJzdC1wZXJtIjp7InYiOltdLCJ0IjoxNzAwMTIxNzE1NjI3fX19
r
oh yea.. it's the frontend that's failing the validation
right, the frontToken is not in sync with the access token
can I see the API response headers of the API that modifies the session to add the role in it?
d
r
can you send the front-token value that's in the response?
d
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
r
right. So this does have the right value. For some reason, this is not being stored on the frontend.
Can I see the request headers of that API call?
I mean all the request headers
d
r
so there is no `rid` header, right?
this means that our frontend SDK is not intercepting the request. Can you enable frontend debug logs and show the output when you make this API call?
d
I've sent the request headers for both the Stripe API call to my backend endpoint, and the resulting redirect run on that endpoint that goes to the main app
r
oh.. the redirect api is the one that adds the roles in the session?
so then yea.. this is the expected behaviour. Since our frontend SDK's interception does not run, it doesn't save the right value of front-token on the frontend
one solution to this is that you can call the `Session.attemptRefreshingSession` function right after the success redirection from the frontend
d
yes, this is basically the endpoint
r
another solution is that you make the API call to this endpoint from the frontend via axios or fetch instead of a direct redirect from Stripe (which is what I would do)
d
Alright, will try both variants. Thank you very much!