How to avoid TOCTOU for updating a list field in app_metadata


I am looking for a way to safely update a list field that exists in app_metadata.

Specifically, let’s assume we have the following app_metadata

type AppMetadata = {
    roles: string[];

The contents of roles will be replaced, so for example, to add ‘roleA’, the process would look like this

  1. Get app_metadata.roles with “Get a user API”
  2. Add roleA to app_metadata.roles obtained above.
  3. Update app_meatdata.roles with “Update a user API”.

However, this method causes TOCTOU problem because there is a time lag between acquisition and update.

To resolve this, I tried looking up keywords such as If-Match/If-Modified-Since/Atomic/Lock, but could not find any useful information.

So if there is a way to avoid the above TOCTOU in Auth0’s Management API, I would appreciate it if you could let me know.

Translated with DeepL