https://supertokens.com/ logo
Join Discord
Powered by
Hello, I want to implement a ban system on my app,...
# support-questions-legacy
n
Hello, I want to implement a ban system on my app, which I know doesn't exist yet but wanted to get some help on implementing it with my app. I have a custom UI, I'm using the web-js SDK and using the Node SDK on Next.js for the backend. Could I have some help in overriding the signin API to prevent banned users from signing in? I have a banned boolean value in my database.
n
Hi @n000dles
What recipe are you using?
n
the 
emailpassword
recipe
n
You can refer to this page to know how to override the function: https://supertokens.com/docs/emailpassword/advanced-customizations/apis-override/usage You want to override the 
signInPOST
API which receives an email as an input which you can use to determine if the user should be allowed to sign in
You can also use 
EmailPassword.getUserByEmail
to get the user id with that email if you use the user id in your database
You will also need to override the 
refreshPOST
API of the Session recipe to check if user is banned and not refresh the session in that case https://supertokens.com/docs/session/advanced-customizations/apis-override/usage
n
I see, could you go into more depth about how to do this? Apologies, I'm fairly new to ST
r
in the refresh override, you first call the original implementation which will return a new session back to you. Then from the session, you get the user ID, and check if they are banned. If they are, do 
await session.revokeSession
before returning the response from the override
n
Would you mind sending over a code snippet when you have time? I was messing around before, but I can't get it to work properly
r
what did you do? I can maybe correct your snippet
n
Copy code
SessionNode.init({
        override: {
          apis: (originalImplementation) => {
            return {
              ...originalImplementation,
              refreshPOST: async function (input) {

                if (originalImplementation.refreshPOST === undefined) {
                    throw Error("Should never come here")
                }

                let response = await originalImplementation.refreshPOST(input);

                const banned = true;
                if (banned) {
                  let userid = response.getUserId();
                  await response.revokeSession(userid);
                }
                return response;
            },
            }
          }
        }
      }),
not sure if it's correct, but happy for corrections
r
this does seem like it's fine
is this not working?
n
Doesn't seem to be, no
I also have a HOC that acts as my authentication wrapper for my pages
Copy code
async function handleUser() {
    try {
      if (await Session.doesSessionExist()) {
        let validationErrors = await Session.validateClaims();
        if (validationErrors.length === 0) {
          setUser(true);
        } else {
          setUser(false);
          Router.push("/auth/login?promptVerifyEmail=true");
        }
      } else {
        Router.push(
          `/auth/login?onLoginRedirectTo=` + window.location.pathname
        );
      }
    } catch (err) {
      alert(err);
    }
  }
assuming I don't need to change anything?
r
When you call the refresh api for a banned user, what do you get back?
I mean what are the response headers? And response status code?
n
r
Right
So this should logout the user
Is that not happening?
n
Oddly not
But do note, I had to call it manually, it didn't call on it's own
r
Hmmm
It should be called on its own if you remove the sAccessToken
On the frontend *
And then just cause the user to go to the login screen
If uou are using the SessionAuth wrapper
Of if you query Session.doesSessionExist, it should return false
n
If I remove the sAccessToken cookie, it returns 200
r
Right. But it should cause the tokens to the removed from the frontend
So that the next request to your api yields a 401
n
I see
Hmm, odd
r
Is the original request not happening after the refresh call?
n
Doesn't seem to be, no
r
hmm i see.
Can you open a github issue about this please? We will have a look. Another question - what happens if after refresh, you reload the page - does your frontend detect that a session deosn't exist and redirect the user to the login screen?
n
Briefly, a few APIs return 401 "try refresh token" and then they all return 200 again, but still no redirect to login/signout
r
hmm. The refresh one should return a 401
Also, in the backend, the 
await response.revokeSession(userid);
line should change to 
await response.revokeSession();
Cause the 
response
is the session object
n
Ah I see, I'll fix that one
Also, which repo should I add the issue on?
r
Supertokens-node
Also note that we may look at this issue in 1-2 weeks time as it’s not super urgent. Especially since it doesn’t server a security risk (given that APIs already reject the session) and that it’s affecting the UX only for banned users
hey @n000dles did you get around to solving the issue?
n
Hey, sorry I've been busy. I wasn't able to solve it unfortunately, I went with another method that checks for banned status on the frontend, although it would be nice to log users out if they have a banned status too. I'll create a GitHub issue once I have some free time, thank you for the help otherwise!
r
Alright. Thanks
2 Views
PreviousNext
Powered by