This repository has been archived by the owner on Oct 21, 2020. It is now read-only.

Query Auth0 for accountLinkId in directives if missing #107

Open · Bouncey opened this issue May 3, 2018 · 1 comment

Comments

@Bouncey (Member) commented May 3, 2018

It is possible for clients to send a token for an existing user that does not have the accountLinkId, even though the user has one assigned to them and an entry in the database.

  • User logs in/creates an account. The token sent to create the account has no accountLinkId
  • As part of creating an account, we assign a uuid as the accountLinkId and update the user record held at Auth0
  • Subsequent requests from this user still hold a token with no accountLinkId
  • Here lies a potential never-ending loop of multiple accounts for the same user, until the user logs out and in again to gain their new token.

There is scope for setting the accountLinkId over in Auth0, so every token has an accountLinkId from the very first login.

Do we still need to handle the case where we end up setting it here because it is missing? I think it would lead to some crappy UX having to invalidate the token and having new users log out and in again.

I am going to raise a PR that will add the current rules we have set in Auth0 to this repo. Just so we all have some visibility of them and what they are doing.

@Bouncey (Member, Author) commented May 3, 2018

In looking into the accountLinkId issue, I found it was as simple as adding uuid() inside the rule, so I have. See #108 for details on the rule.

As always, I am open to changes.

We still need to discuss how we handle cases where the accountLinkId is missing. This could happen if the incorrect scope was requested when logging a user in.
