https://supertokens.com/ logo
Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Powered by
Title
j

Jake

10/23/2022, 11:04 AM
I update the access token payload in 
createNewSession
, what is the best way to refresh this information? I use 
input.userId
to lookup the info to put into the access token. Also wondering if it's the right spot, I need to access the info on the client and the server
r

rp

10/23/2022, 3:21 PM
hey @Jake
createNewSession is the right place.
You could use a custom claim to refresh the info at a certain time interval since the last refresh. if you can tell me more about the use case, I can share some code
j

Jake

10/23/2022, 11:49 PM
Create new session works, basically storing the roles in the access token. And need to refresh when they are edited
override: {
    functions: (originalImplementation) => {
        return {
            ...originalImplementation,
            createNewSession: async (input) => {
                console.log('creating session', input)
                const queryExecutor = this.options.getQueryExecutor(
                    input.userId,
                )

                const claims = await getClaimsForUser(
                    queryExecutor,
                    input.userId,
                )
                const user = await getUserById(input.userId)
                const accessTokenPayload = {
                    email: user?.email,
                    organizations: claims.existingOrganizationClaims,
                }

                // This goes in the access token, and is availble to read on the frontend
                // This is stored in the db against the sessionHandle for this session
                return originalImplementation.createNewSession({
                    ...input,
                    accessTokenPayload,
                })
            },
        }
    },
},
r

rp

10/24/2022, 4:02 AM
So when you edit the roles, you can use session.mergeIntoAccessTokenPayload function to update the roles in the session. You can do that for the current session, as well as loop through all sessions of the user and update those.
For the other sessions, the update will be automatically reflected when the session refreshes.
A more elegant way of doing this is to build a session claim + validator and use that in your app. A session claim essentially auto refreshes the claims periodically depending on the validator that’s used. But this is only available in the newer versions of the SDK - which version are you using?
j

Jake

10/24/2022, 6:55 AM
I can upgrade to the latest version
I'm pretty recent
r

rp

10/24/2022, 8:38 AM
@porcellus can help here with creating a custom session claim for your use case.
p

porcellus

10/24/2022, 10:36 AM
Hi
A quick run-down, since we haven't produced a full documentation for this yet:
The easiest way to get them is creating an instance of 
PrimitiveClaim
or 
PrimitiveArrayClaim
. I think you'd need 
PrimitiveArrayClaim
(assuming 
existingOrganizationClaims
is an array of strings). This way, you can add validators to 
verifySession
to check the value before it gets to the API implementation (it'll return a 403 if the validator doesn't pass). These validators will refresh the value in the access token if necessary. The 
PrimitiveArrayClaim
constructor takes a few options: `key`: an identifier specifying where we should store the value in the access token. `fetchValue`: an async function that returns the value you want to store (e.g.: 
claims.existingOrganizationClaims
) `defaultMaxAgeInSeconds`: you can specify a claim-level default for the validators that check the last time the claim was fetched. You can add them during session creation like this: 
Session.init({
                        override: {
                            functions: (oI) => ({
                                ...oI,
                                createNewSession: async (input) => {
                                    input.accessTokenPayload = {
                                        ...input.accessTokenPayload,
                                        ...(await CustomClaim.build(input.userId, input.userContext)),
                                    };
                                    return oI.createNewSession(input);
                                },
                            }),
                        },
                    }),
Other than that, you could use it exactly like the 
UserRoleClaim
from the UserRoles recipe. For example check here to see how to check the value in your APIs: https://supertokens.com/docs/emailpassword/user-roles/protecting-routes
I'm happy to elaborate on any part of it, just let me know where you need more detail πŸ™‚
also, any feedback on the interface/usability of this feature would be welcome πŸ™‚
j

Jake

10/25/2022, 3:04 AM
Will digest this and have a crack, then will let you know. Thanks ❀️
The "These validators will refresh the value in the access token if necessary" comment is something i'm interested in
I have adding the claims to the session, and using them on the client/in routes to protect things
The bit I am unsure about is if I can programatically refresh them. My ideal is on the frontend to be able to just call refreshSession then that refreshes those claims in the access token, rather than having to put changes in my code to update it, but I can do that too. I will try that for now
That is, using mergeIntoAccessTokenPayload
p

porcellus

10/25/2022, 12:01 PM
You can refresh it using 
session.fetchAndSet(CustomClaim)
that'll handle mergeIntoAccessTokenPayload
Calling session refresh fills a very different role, so doing that will not refresh the claims. In this case you have to add an endpoint to your API that'll handle this.
The automatic refreshing refers to validators: so if you call an endpoint that has a validator that requires a fresh value (validators have an optional 
maxAgeInSeconds
parameters) that'll refresh it from the DB
I mean using the func you provided as fetchValue.
on the frontend you can achieve a similar thing if you create the claim there as well.
j

Jake

10/25/2022, 12:07 PM
makes sense, what I might do is set a flag on the request then a middleware can call fetchAndSet with the latest claims
is fetchAndSet or mergeIntoAccessTokenPayload the best way to go for this approach?
p

porcellus

10/25/2022, 12:08 PM
I'd say 
fetchAndSet
also, I'm not sure if you need to set a flag on the request or is the refresh time/max age controlled from the frontend?
j

Jake

10/25/2022, 12:12 PM
I don't want to couple my APIs which modify the data which causes the claims to change directly to supertokens
p

porcellus

10/25/2022, 12:13 PM
ah I see. so this isn't a time based refresh.
j

Jake

10/25/2022, 12:13 PM
But I do know the APIs which impact claims. So I can set a flag on the request somewhere which says claimsChanged, then before the response gets sent back I can update the claims
p

porcellus

10/25/2022, 12:13 PM
that makes sense πŸ™‚
j

Jake

10/25/2022, 12:13 PM
Ah, i didn't say that, sorry. Yeah context is adding another organisation or leaving one
Would 
updateAccessTokenPayload
be enough?
or am i just on an older sdk
p

porcellus

10/25/2022, 12:26 PM
If you have access to claims, that should be fairly recent and have a 
fetchAndSetClaim
on the session object.
#support-questionsJoin Discord
Powered by