Hooks and rules are broken badly?

I went and created a hook, finally got it working after a crazy long time fighting with it. Well, “working” - it worked like a charm in the test engine. However, when I tried it in the real application (which redirects to Auth0.com to actually get the JWT), the JWT didn’t have anything that the rule would add. It was working so well in the test app - it would go off and query our servers for additional claims to pull into the JWT. It even just added one ‘Test’ as true at the beginning of the code. It appears that it doesn’t run - but according to the statement Hooks only run when you POST… so the redirect to your lock page doesn’t do that so the hook is worthless. Nice.

Ok, switching to rules… I tried to create a rule and after a crazy long time getting ‘forbidden’ every time I ran it (Save worked OK), I exited back to the page where it listed the rules and it said “Create your first rule!” Ah, I did that already, so why am I getting asked this? Turns out, no, the save button just lied to me, and the ‘Forbidden’ that was being shown when I ran it was because I wasn’t allowed to save my rules.

Another person that I had made an Admin (invite to be a dashboard admin (like me)) was able to create and save a rule and said that “they work” - I then refreshed the page and sure enough, there was his rule.

I tried to create a blank rule, test it: forbidden.
I tried to edit his rule: forbidden.
I tried to create a blank rule and save it - Success!
I tried to edit that rule: forbidden.
Am I wrong, or is this the most jacked up system in the world?
=== Update
The Forbidden issue seems to be random. (See comment below)
The rules don’t seem to run if you use the redirect method of logging in either. (nice :frowning: )
Test rule leaves JWT (Access) UNCHANGED:

    function (user, context, callback) {
      context.idToken.test = 'Hello2';
      context.accessToken.test = 'hello';
      callback(null, user, context);
    }

Originally, I just changed the accessToken. BTW: The try method shows the accessToken having the test value set to ‘hello’, so it is working “great” - except that when I log out and back in and examine the token… no changes - except a new ‘iat’ and ‘exp’ value - which show that it was in fact regenerated.
I am out of ideas on where to even look for a clue as to why this isn’t working.

I would assume that most people can use this fine, and that there is something strange going on with my account. I can’t imagine that everyone is getting forbidden like this - if they were surely someone in QA would have caught this.

Great. The Forbidden thing is semi-random. I was just able to edit a rule without any issues. Then I clicked on a rule’s enable/disable switch. It came back ‘forbidden’, I refreshed the page and sure enough, nothing had changed. I clicked again. This time it worked fine and refreshing the page came up OK.

Sounds like something is broken in your Authentication code. That’s a bit ironic, isn’t it?


Is there something wrong with the script: (hook)

    module.exports = function (client, scope, audience, context, cb) {
      var access_token = {};
      access_token.scope = scope;

      access_token['Claims'] = 'Test';
      cb(null, access_token);
    };

I am having the exact same problem, for what it’s worth.
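
The check described in the update above (log in again, examine the token, and see only `iat` and `exp` change), written out as an added example that is not part of any post in this thread: it decodes two tokens and reports which claims differ once issuance timestamps are ignored. The function names and sample tokens are constructed for illustration; the payload is only decoded, not signature-verified.

```javascript
// Added example: decode-only comparison of two JWT payloads (no signature check).
const VOLATILE = new Set(['iat', 'exp', 'nbf', 'jti']); // change on every issuance

function decodePayload(jwt) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3 || !parts[1]) {
    throw new Error('not a compact JWT (opaque token?): expected 3 segments');
  }
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Claims added, removed or changed between two tokens, ignoring VOLATILE ones.
function diffClaims(beforeJwt, afterJwt) {
  const before = decodePayload(beforeJwt);
  const after = decodePayload(afterJwt);
  const diff = { added: [], removed: [], changed: [] };
  for (const name of new Set([...Object.keys(before), ...Object.keys(after)])) {
    if (VOLATILE.has(name)) continue;
    if (!(name in before)) diff.added.push(name);
    else if (!(name in after)) diff.removed.push(name);
    else if (JSON.stringify(before[name]) !== JSON.stringify(after[name])) {
      diff.changed.push(name);
    }
  }
  return diff;
}

// Names from `expected` that the token's payload does not carry.
function missingClaims(jwt, expected) {
  const payload = decodePayload(jwt);
  return expected.filter((name) => !(name in payload));
}

// Constructed, unsigned sample tokens (hypothetical values, not real Auth0 output).
function makeSampleJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.`;
}
const firstLogin = makeSampleJwt({ sub: 'auth0|sample', iat: 1000, exp: 2000 });
const secondLogin = makeSampleJwt({ sub: 'auth0|sample', iat: 3000, exp: 4000 });
const tryOutput = makeSampleJwt({ sub: 'auth0|sample', iat: 3000, exp: 4000, test: 'hello' });

console.log(diffClaims(firstLogin, secondLogin)); // nothing but timestamps changed
console.log(diffClaims(secondLogin, tryOutput));  // the claim the rule should add
console.log(missingClaims(secondLogin, ['test']));
```

Running `missingClaims` against the token the application actually receives, rather than the output of the dashboard's try feature, separates "the rule did not run" from "the rule ran but the claim did not reach the issued token".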