Hello, I want to implement a ban system on my app, which I know doesn't exist yet but wanted to get some help on implementing it with my app. I have a custom UI, I'm using the web-js SDK and using the Node SDK on Next.js for the backend. Could I have some help in overriding the signin API to prevent banned users from signing in? I have a banned boolean value in my database.

Hi @Noodles

the

emailpassword

recipe

You can refer to this page to know how to override the function: https://supertokens.com/docs/emailpassword/advanced-customizations/apis-override/usage You want to override the

signInPost

API which receives an email as an input which you can use to determine if the user should be allowed to sign in

I see, could you go into more depth about how to do this? Apologies, I'm fairly new to ST

in the refresh override, you first call the original implementation which will return a new session back to you. Then from the session, you get the user ID, and check if they are banned. If they are, do

await session.revokeSession

before returning the response from the override

Would you mind sending over a code snippet when you have time? I was messing around before, but I can't get it to work properly

what did you do? I can maybe correct your snippet

SessionNode.init({
        override: {
          apis: (originalImplementation) => {
            return {
              ...originalImplementation,
              refreshPOST: async function (input) {

                if (originalImplementation.refreshPOST === undefined) {
                    throw Error("Should never come here")
                }

                let response = await originalImplementation.refreshPOST(input);

                const banned = true;
                if (banned) {
                  let userid = response.getUserId();
                  await response.revokeSession(userid);
                }
                return response;
            },
            }
          }
        }
      }),

not sure if it's correct, but happy for corrections

this does seem like it's fine

Doesn't seem to be, no

When you call the refresh api for a banned user, what do you get back?

Oddly not

Hmmm

If I remove the sAccessToken cookie, it returns 200

Right. But it should cause the tokens to the removed from the frontend

I see

Is the original request not happening after the refresh call?

Doesn't seem to be, no

hmm i see.

Briefly, a few APIs return 401 "try refresh token" and then they all return 200 again, but still no redirect to login/signout

hmm. The refresh one should return a 401

Ah I see, I'll fix that one

Supertokens-node

Hey, sorry I've been busy. I wasn't able to solve it unfortunately, I went with another method that checks for banned status on the frontend, although it would be nice to log users out if they have a banned status too. I'll create a GitHub issue once I have some free time, thank you for the help otherwise!

Alright. Thanks