Supertokens - revoke another user's session without signing him off

Time:04-19

I am using supertokens for authentication. Upon changing another user's permissions, I revoke his session which will cause his role to be updated after his current active token runs its lifetime limit. This causes the other user to be logged off at that point. I would like his role to be updated (i.e. his session re-created), but without logging him out and asking him again for his credentials. Is that possible?

CodePudding user response:

I will answer this question assuming that you are using the NodeJS SDK. If not, the answer overall still applies, but the function's name will change.

What you want is possible. I assume that you are storing that user's role in the access token, so instead of revoking the other user's session, you should use the updateAccessTokenPayload function from the SDK:

import Session from "supertokens-node/recipe/session";

async function updateRoleOfOtherUser(userId: string) {
      // we first get all the sessionHandles (string[]) for a user
      let sessionHandles = await Session.getAllSessionHandlesForUser(userId);

      // we update all the sessions' access token payloads for this user;
      // for...of (not forEach with an async callback) makes the function wait for every update
      for (const handle of sessionHandles) {
            let currAccessTokenPayload = (await Session.getSessionInformation(handle)).accessTokenPayload;

            // spread the existing payload first so the new role overrides any old "role" key
            await Session.updateAccessTokenPayload(handle,
                  { ...currAccessTokenPayload, role: "newRole" }
            );
      }
}

The update to the role will take effect when their session refreshes, and they won't be logged out.

If you want the update to take effect immediately, you can maintain a cache on your side marking all the session handles that need to be refreshed early. On successful verification of any such session that contains those session handles, you can send a 401 to the frontend forcing a session refresh and causing an update in their role.
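One way to build the early-refresh cache described in the answer's last paragraph, as an added example that is not part of the answer and not SuperTokens code. `EarlyRefreshCache`, `VerifiedSession`, `tokenIssuedAtMs` and `statusFor` are hypothetical names, and the example assumes the app can read the issue time of the presented access token and that a single-process in-memory Map is acceptable.

```typescript
// Added example: hypothetical names, no SuperTokens API is called here.

// What the app knows about a request after the SDK has verified the session.
interface VerifiedSession {
  handle: string;          // session handle, as used in the answer's code
  tokenIssuedAtMs: number; // issue time of the presented access token (assumed available)
}

class EarlyRefreshCache {
  // handle -> time at which the payload was changed server-side
  private marked = new Map<string, number>();
  private ttlMs: number;

  // ttlMs should be at least the access token lifetime: after that, every
  // token issued before the change has expired on its own.
  constructor(ttlMs: number) {
    this.ttlMs = ttlMs;
  }

  // Call right after updating the access token payload for this handle.
  mark(handle: string, nowMs: number): void {
    this.marked.set(handle, nowMs);
  }

  // True when the presented token may predate the payload change.
  needsRefresh(s: VerifiedSession, nowMs: number): boolean {
    const changedAt = this.marked.get(s.handle);
    if (changedAt === undefined) return false;
    if (nowMs - changedAt > this.ttlMs) {
      this.marked.delete(s.handle); // stale tokens have expired by now
      return false;
    }
    // "<=" is deliberate: a token issued in the same millisecond as the
    // change is treated as stale, which costs at most one extra refresh.
    return s.tokenIssuedAtMs <= changedAt;
  }
}

// Status the API should return for an already verified session:
// 401 makes the frontend refresh, and the new token carries the new role.
function statusFor(cache: EarlyRefreshCache, s: VerifiedSession, nowMs: number): number {
  return cache.needsRefresh(s, nowMs) ? 401 : 200;
}
```

Comparing issue times instead of deleting the mark on the first 401 keeps the role change enforced if the old token is presented again before it expires.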
