Lack of interoperability between custom_access_token_hook and .getUser()
#26543
Unanswered
geoffreygarrett asked this question in Feature Requests
Replies: 0 comments
The new ssr package has made it clear, as indicated by the warnings:
The custom claims we set via custom_access_token_hook are not propagated to the user whatsoever, even through app_metadata set via custom_access_token_hook. In this case how should we rely on permissions defined in the access_token if I can only retrieve it from .getSession()?
Either I'm missing something, or there's no clear established secure method to do what I want to do in SSR & middleware with a user's JWT.
I have tried to resolve this locally, so I apologise if I'm overlooking something. I appreciate any input on whether this warrants a feature request or if this is a case of PEBKAC.
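One way to read hook-set claims on the server without trusting an unverified session, added here as an example and not part of the original post or the project's own code: verify the access token's signature and expiry before reading any claim from it. It assumes access tokens are signed with HS256 and a shared JWT secret; the user_role claim, the secret and the sample token are constructed for illustration.

```javascript
const nodeCrypto = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// Verify an HS256 JWT and return its payload; throws on any failure.
function verifyAccessToken(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [headerB64, payloadB64, sigB64] = parts;

  const header = JSON.parse(Buffer.from(headerB64, 'base64url').toString('utf8'));
  // Pin the algorithm on the server; never let the token pick it (rejects "none").
  if (header.alg !== 'HS256') throw new Error('unexpected alg');

  const expected = nodeCrypto
    .createHmac('sha256', secret)
    .update(`${headerB64}.${payloadB64}`)
    .digest();
  const given = Buffer.from(sigB64, 'base64url');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }

  // Only parse and trust the payload after the signature has been checked.
  const claims = JSON.parse(Buffer.from(payloadB64, 'base64url').toString('utf8'));
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) {
    throw new Error('token expired');
  }
  return claims;
}

// Constructed sample input: a locally signed token, not real project data.
function signSample(claims, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(claims));
  const sig = nodeCrypto.createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

const SAMPLE_SECRET = 'constructed-secret-for-demo-only';
const sampleToken = signSample(
  { sub: 'user-123', exp: 4102444800, user_role: 'editor' }, // user_role: hypothetical hook claim
  SAMPLE_SECRET
);
```

In middleware, the token string taken from the session would be passed through verifyAccessToken before any permission decision, and a thrown error treated as unauthenticated.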