How to avoid TOCTOU for updating a list field in app_metadata

suguruasai · October 13, 2022, 8:33am

Hello.

I am looking for a way to safely update a list field that exists in app_metadata.

Specifically, let’s assume we have the following app_metadata

type AppMetadata = {
    roles: string[];
};

The contents of roles will be replaced, so for example, to add ‘roleA’, the process would look like this

However, this method causes TOCTOU problem because there is a time lag between acquisition and update.

To resolve this, I tried looking up keywords such as If-Match/If-Modified-Since/Atomic/Lock, but could not find any useful information.

So if there is a way to avoid the above TOCTOU in Auth0’s Management API, I would appreciate it if you could let me know.

Topic		Replies	Views
Management API replace app metadata instead of merge Get Help management-api , metadata , user-metadata	5	4626	March 2, 2018
Is there any way to update the user's app_metadata before login? Get Help app_metadata , roles , authorization-extens , groups , authorization	3	4422	March 2, 2018
Way to update app_metadata using lock widget configuration Get Help auth0-configuration , app_metadata , update	2	4571	July 25, 2019
Unable to PATCH user with app_metadata Get Help management-api , app_metadata , metadata	10	9772	December 17, 2018
PATCH user.app_metadata isn't behaving as documented Get Help bug , management-api , app_metadata , documentation	2	5259	March 2, 2018