
Noodles

11/01/2022, 10:37 AM
Hello, I want to implement a ban system on my app, which I know doesn't exist yet but wanted to get some help on implementing it with my app. I have a custom UI, I'm using the web-js SDK and using the Node SDK on Next.js for the backend. Could I have some help in overriding the signin API to prevent banned users from signing in? I have a banned boolean value in my database.

nkshah2

11/01/2022, 10:38 AM
Hi @Noodles
What recipe are you using?

Noodles

11/01/2022, 10:39 AM
the emailpassword recipe

nkshah2

11/01/2022, 10:40 AM
You can refer to this page to know how to override the function: https://supertokens.com/docs/emailpassword/advanced-customizations/apis-override/usage You want to override the signInPost API which receives an email as an input which you can use to determine if the user should be allowed to sign in
You can also use EmailPassword.getUserByEmail to get the user id with that email if you use the user id in your database
You will also need to override the refreshPOST API of the Session recipe to check if the user is banned and not refresh the session in that case https://supertokens.com/docs/session/advanced-customizations/apis-override/usage

Noodles

11/01/2022, 11:31 AM
I see, could you go into more depth about how to do this? Apologies, I'm fairly new to ST

rp

11/01/2022, 11:38 AM
in the refresh override, you first call the original implementation which will return a new session back to you. Then from the session, you get the user ID, and check if they are banned. If they are, do await session.revokeSession before returning the response from the override

Noodles

11/01/2022, 12:44 PM
Would you mind sending over a code snippet when you have time? I was messing around before, but I can't get it to work properly

rp

11/01/2022, 12:52 PM
what did you do? I can maybe correct your snippet

Noodles

11/01/2022, 1:08 PM
SessionNode.init({
  override: {
    apis: (originalImplementation) => {
      return {
        ...originalImplementation,
        refreshPOST: async function (input) {
          if (originalImplementation.refreshPOST === undefined) {
            throw Error("Should never come here");
          }

          // Run the original refresh first; it returns the newly refreshed session
          let response = await originalImplementation.refreshPOST(input);

          // Placeholder: this should become a lookup of the banned flag in the database
          const banned = true;
          if (banned) {
            let userid = response.getUserId();
            await response.revokeSession(userid);
          }
          return response;
        },
      };
    },
  },
}),
not sure if it's correct, but happy for corrections

rp

11/01/2022, 1:08 PM
this does seem like it's fine
is this not working?

Noodles

11/01/2022, 1:34 PM
Doesn't seem to be, no
I also have a HOC that acts as my authentication wrapper for my pages
import Session from "supertokens-web-js/recipe/session";
import Router from "next/router";

// setUser is the HOC's own state setter (assumed to come from a useState in the wrapper)
async function handleUser() {
  try {
    if (await Session.doesSessionExist()) {
      let validationErrors = await Session.validateClaims();
      if (validationErrors.length === 0) {
        setUser(true);
      } else {
        setUser(false);
        Router.push("/auth/login?promptVerifyEmail=true");
      }
    } else {
      Router.push(`/auth/login?onLoginRedirectTo=` + window.location.pathname);
    }
  } catch (err) {
    alert(err);
  }
}
assuming I don't need to change anything?

rp

11/01/2022, 1:44 PM
When you call the refresh api for a banned user, what do you get back?
I mean what are the response headers? And response status code?
Right
So this should logout the user
Is that not happening?

Noodles

11/01/2022, 1:53 PM
Oddly not
But do note, I had to call it manually, it didn't call on its own

rp

11/01/2022, 1:56 PM
Hmmm
It should be called on its own if you remove the sAccessToken
On the frontend *
And then just cause the user to go to the login screen
If you are using the SessionAuth wrapper
Or if you query Session.doesSessionExist, it should return false

Noodles

11/01/2022, 1:58 PM
If I remove the sAccessToken cookie, it returns 200

rp

11/01/2022, 1:59 PM
Right. But it should cause the tokens to be removed from the frontend
So that the next request to your api yields a 401

Noodles

11/01/2022, 2:01 PM
I see
Hmm, odd

rp

11/01/2022, 2:03 PM
Is the original request not happening after the refresh call?

Noodles

11/01/2022, 2:05 PM
Doesn't seem to be, no

rp

11/01/2022, 2:05 PM
hmm i see.
Can you open a github issue about this please? We will have a look. Another question - what happens if after refresh, you reload the page - does your frontend detect that a session doesn't exist and redirect the user to the login screen?

Noodles

11/01/2022, 2:08 PM
Briefly, a few APIs return 401 "try refresh token" and then they all return 200 again, but still no redirect to login/signout

rp

11/01/2022, 2:08 PM
hmm. The refresh one should return a 401
Also, in the backend, the await response.revokeSession(userid); line should change to await response.revokeSession();
Cause the response is the session object

Noodles

11/01/2022, 2:12 PM
Ah I see, I'll fix that one
Also, which repo should I add the issue on?

rp

11/01/2022, 2:18 PM
Supertokens-node
Also note that we may look at this issue in 1-2 weeks' time as it's not super urgent. Especially since it doesn't pose a security risk (given that APIs already reject the session) and that it's affecting the UX only for banned users
hey @Noodles did you get around to solving the issue?

Noodles

11/03/2022, 4:03 AM
Hey, sorry I've been busy. I wasn't able to solve it unfortunately, I went with another method that checks for banned status on the frontend, although it would be nice to log users out if they have a banned status too. I'll create a GitHub issue once I have some free time, thank you for the help otherwise!

rp

11/03/2022, 4:11 AM
Alright. Thanks