Auth hooks updates signed access_token, but not REST response. #1415
Comments
Hey! Thanks for the query. Alternatively, you could wait for a refresh event to happen and the new access token should show the claims, providing they were saved to the users table. Hope this helps
I’ll try it with app_metadata.
Are you saying the auth hook should update the claim, or should the auth
hook do an upsert on the auth.users table?
On Mon, Feb 12, 2024 at 11:17 PM Joel Lee wrote:
Hey!
Thanks for the query. getSession typically checks for a local token which
might be out of sync with the recently returned token. If you're looking to
obtain an up to date token with custom claims would recommend that you
update app_metadata in the Auth Hook and use getUser to obtain a fresh
access token.
Alternatively, you could wait for a refresh event to happen and the new
access token should show the claims, providing they were saved to the users
table.
Hope this helps
Hey @mr-menno, sorry, I spoke with a colleague earlier today and realized that I misunderstood this query. The REST response indeed does not return the claim, but the signed access token does. We'll likely add it in the REST response for the next release. Thanks for flagging this!
would like to take this
Thanks Joel! Right now I just created an alternate getSession function in
supabase to inject the decoding of the JWT and overloading the session.user
object.
Would love to keep it beyond user_metadata and app_metadata for any claim
extension.
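The workaround described above (decode the signed access_token and overlay its claims onto session.user) as an added example; this is not code from the thread or from supabase/auth-js. It assumes a Supabase-style session object with access_token and user fields, and uses a hypothetical top-level claim named user_role.

```javascript
// Added example, not code from the thread or from supabase/auth-js.
// Assumes a Supabase-style session object { access_token, user }.
// The JWT is decoded, not verified: claims read this way are for
// client-side convenience; anything authorization-relevant must be
// checked server-side, where the signature is validated.

function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  // Node's Buffer understands base64url directly (no padding needed).
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Return a copy of the session whose user object carries the claims the
// Custom Access Token Hook put in the token. user_metadata and app_metadata
// are shallow-merged; any extra top-level claim names in claimKeys are
// copied onto the user object as well.
function mergeClaimsIntoUser(session, claimKeys = []) {
  const claims = decodeJwtPayload(session.access_token);
  const user = {
    ...session.user,
    user_metadata: { ...(session.user.user_metadata || {}), ...(claims.user_metadata || {}) },
    app_metadata: { ...(session.user.app_metadata || {}), ...(claims.app_metadata || {}) },
  };
  for (const key of claimKeys) {
    if (Object.prototype.hasOwnProperty.call(claims, key)) user[key] = claims[key];
  }
  return { ...session, user };
}

// Constructed sample: the hook added user_metadata.hello and a hypothetical
// top-level "user_role" claim to the token, but the REST user object lacks them.
function buildSampleSession() {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const header = enc({ alg: 'HS256', typ: 'JWT' });
  const payload = enc({
    sub: 'user-123',
    role: 'authenticated',
    user_role: 'admin',
    user_metadata: { hello: 'world5' },
    app_metadata: { provider: 'email' },
  });
  return {
    access_token: `${header}.${payload}.signature-placeholder`,
    user: { id: 'user-123', user_metadata: {}, app_metadata: { provider: 'email' } },
  };
}

const merged = mergeClaimsIntoUser(buildSampleSession(), ['user_role']);
console.log(merged.user.user_metadata.hello, merged.user.user_role); // world5 admin
```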
@mr-menno , could you show a precise example of it? Currently, when I run const { data2, error2 } = await supabase.auth.updateUser({
data: { hello: 'world5' }
})
I’m following the hooks doc here:
https://supabase.com/docs/guides/auth/auth-hooks
And the hook user_metadata updates in the signed access_token JWT, but not
in the JSON responses (which includes user_metadata and access_token)
On Tue, Feb 20, 2024 at 10:36 AM taytzehao wrote:
@mr-menno, could you show a precise
example of it? Currently, when I run
const { data2, error2 } = await supabase.auth.updateUser({
data: { hello: 'world5' }
})
data2 is undefined. Do you mean this?
okay, creating the PR
Custom Access Token Hook cannot be used to modify the user metadata, which is common with other similar features in other authentication software. There will be a different hook in the future where you could change the user metadata "before sign up" for example.
This issue is different. The hook already modifies the access token.
However, in the JSON response (which includes the access token), the JSON
response does not line up with any modifications made by the hook to the
token. (This applies to modifications to user or app metadata, or any other
attribute. )
same here
Same issue on our end too. The hook updates the access token, but the resultant JSON ignores it.
Bug report
Describe the bug
user_metadata in access token does not match user_metadata in REST response.
To Reproduce
Create auth hook in Supabase to update user_metadata.
Expected behavior
Consistency between REST response and access_token.
Other Issue
Gotrue-js issue:
supabase/auth-js#852
System information