# support-questions-legacy
j
Hello! If we do any change to what I store in the session payload, the "old" sessions are non-compatible and should be revoked (and user redirected to login to get a fresh session). What is the cleanest way to detect and handle that?
r
Hey. So you want to achieve this flow where the user gets logged out? Or you want to prevent this from happening?
j
If my understanding is correct, there is no way to prevent this from happening unless you never ever update what you put in the session payload. Code changed, the payload on the user's browser does not match what the code expects. It's like a schema mismatch. So I imagine that a "user gets logged out" flow is better indeed: in the front, whenever I see that the session does not have what I require. Where could I check that, however? Currently I use the built-in SessionAuth to redirect when needed.
r
so when you update the session on the backend, it does not reflect that on the frontend? How are you updating the session on the backend?
j
I'm calling session.mergeIntoAccessTokenPayload({ stuff }) after thirdPartySignInUpPOST, emailPasswordSignInPOST and emailPasswordSignUpPOST.
r
right. Are you awaiting it?
j
Yes, of course. I'm not doing anything specific to refresh a session that the frontend sends that would not have the right payload (which happens when I change the { stuff }).
r
when you call `mergeIntoAccessTokenPayload`, can I see the API response headers?
j
Seems never called in my situation. In the backend, login is not called because verifySession is fine and returns true, there is no login triggered, so no merge. On the front end, I get errors because I try to read non-existing properties in `const { accessTokenPayload } = session;` because the session's payload dates from before my code changes. Should I use `mergeIntoAccessTokenPayload` in the AuthGuard to refresh the payload if needed for valid-but-old-payload sessions? If I did that, it would always be up-to-date, and if I understand that method correctly, it only updates if necessary.
r
I'm not sure what you are trying to do here, nor did I understand the above question. Sorry.
j
I'm trying to find the best moment to update the access token payload. Sign in & up does not seem to be enough, as it's possible that the user has a valid session from before deployment of the new change and the payload needs to be updated. I am suggesting to call mergeIntoAccessTokenPayload basically at every call.
r
you could call an API from the frontend on page load which calls `mergeIntoAccessTokenPayload`.
j
Ah yes, that would avoid polluting all calls. Thank you rp!