https://supertokens.com/ logo
#support-questions
Title
# support-questions
e

execreate

04/22/2022, 8:31 AM
If I want to be able to update user roles and permissions on each access token refresh request, which method in which recipe should I overwrite? Do you have relevant documentation on that? Is it
regenerate_access_token
method of session recipe?
r

rp

04/22/2022, 8:34 AM
hey!
So ideally, a session refresh should automatically update the access token's content to be in sync with what is in the db.
So you should not have to change how the refresh works.
Can you describe your use case in more detail?
e

execreate

04/22/2022, 8:39 AM
Hey, thanks for swift response:) The thing is that I have a Profile for each
user_id
in the supertokens core, and each Profile has some associated ProfileRoles. I have overriden the
create_new_session
function of the session recipe to include the role mappings for the current user in the access tokens. If I understand it correctly, the
create_new_session
function runs only on login/signup. Taking into account that a user session has a 100 days timeout, they won't login that often but their roles might change during a single session.
So my solution was to update role mappings in the access token on each access token refresh
Access tokens standard lifetime is 1 hour, right? So it would be perfect for my case to check role mappings each hour
r

rp

04/22/2022, 8:43 AM
Right! Yea.. so wherever you update the user role's mapping, you should update all the sessions of that user to change the access token payload as well: https://supertokens.com/docs/session/common-customizations/sessions/update-jwt-payload#method-2-without-session-verification If you see the above link, you can loop through all the session's of a user (using their userId) and then update that session's access token payload. Then whenever that session refreshes, it will automatically get the update.
e

execreate

04/22/2022, 8:45 AM
Cool, thank you:) Last question to get it right -- session refresh also means access token refresh and normally it happens every hour, right?
r

rp

04/22/2022, 8:45 AM
yes
e

execreate

04/22/2022, 8:45 AM
great!
r

rp

04/22/2022, 8:45 AM
well. The older access token would expire every hour. So a session refresh means a new access token + a new refresh token is issued.
e

execreate

04/22/2022, 9:15 AM
I'm a little bit confused reading the documentation 😅 the function in docs iterates over the session handles...but where am I supposed to put that function?🤔 should I override
original_implementation.update_access_token_payload
for the
supertokens_python.recipe.session.interfaces.RecipeInterface
?
I imagine something like this:
Copy code
from typing import Union, Dict, Any

from django.apps import apps
from supertokens_python.recipe.session.interfaces import RecipeInterface
from supertokens_python.recipe.session.asyncio import get_session_information


def override_functions(original_implementation: RecipeInterface):
    original_implementation_update_access_token_payload = original_implementation.update_access_token_payload

    async def update_access_token_payload(session_handle: str,
                                          new_access_token_payload: Dict[str, Any],
                                          user_context: Dict[str, Any]) -> None:
        profile_role_model = apps.get_model('profile', 'ProfileRole')

        user_info = await get_session_information(session_handle)

        if new_access_token_payload is None:
            new_access_token_payload = {}

        new_access_token_payload["roles"] = {}
        profile_roles = profile_role_model.objects.filter(profile__supertokens_user_id=user_info.user_id)
        for profile_role in profile_roles:
            if profile_role.at not in new_access_token_payload["roles"]:
                new_access_token_payload["roles"][profile_role.at] = [profile_role.role]
            else:
                new_access_token_payload["roles"][profile_role.at].append(profile_role.role)

        return await original_implementation_update_access_token_payload(session_handle,
                                                                         new_access_token_payload, user_context)

    original_implementation.update_access_token_payload = update_access_token_payload
    return original_implementation
r

rp

04/22/2022, 9:17 AM
Ah no. You would call those functions in the same place where you are updating the user's role
in your own API
e

execreate

04/22/2022, 9:17 AM
aaah, now I get it!
r

rp

04/22/2022, 9:17 AM
hehe
e

execreate

04/22/2022, 9:17 AM
Thank you😄
4 Views