Previously, my API could deliver a list of user to the admin of my app by looking for the value of a property “status” stored in the app_metadata field…
Last weeks I found that the API is always returning an empty list, because app_metadata can’t be queried anymore…
I have a very few informations to store for each users and that’s why I’m using Auth0 as a database for dealing with users (which are my API’s main objects).
My question is : How am I suppose to do now ? Am I forced to store datas somewhere else ? what’s the goal of this field if I can’t query it ? Can I request all my users and then query app_metadata using nodejs ?! :-o
Providing a bit of history on the subject for the purposes of setting up the context. The restrictions on searching over user metadata custom fields was put in place as part of an incident response; the short summary is that the restrictions were needed to ensure stability of the user search functionality. Having said that we understand that existing accounts before the incident may already had a dependency on that functionality and as such we try to accommodate the requests to re-enable the search without restriction from those pre-existing customers as long as the use case is reasonable; see the email address listed in the linked incident that you can use to report such a situation.
In addition, the user metadata still has a valid use case even without the search, in particular, it allows you to associate data to the user profile in way that it can be used to make authentication/authorization decisions during the authentication flow. For example, user metadata is surfaced to rules where you can then perform custom logic to deny a particular authentication request without the overhead of querying information from an external system. However, like you mentioned the user search allowed for some use cases in user management back-end systems that are not available without the unrestricted search. We acknowledge this situation and we want consider and possibly enable these use cases in the future, however, we will want to do it in a way that reduces the likelihood of a similar outcome so at this point there is not yet definitive information about what will be available.
For your particular situation if the data you were storing in association with the user is related to authentication and authorization decisions then it seems a valid use case for metadata (a subscription status that can be used to reject authentication would be an example, but see the following for reference documentation on the topic: https://auth0.com/docs/user-profile/user-data-storage) and I would consider reaching out to the email mentioned before as you already designed your application around that expectation. If you were storing general business data as part of user metadata then my recommendation would be to consider a separate data store.
I chose a pragmatic approach : my function’s now fetching all users with an async loop (because of the per-page limitations) and filters the aggregated result based on my original query (only the ones with app.metadata.status === Status.waiting).
This is the best option, I think, because I don’t have too many users and this API call is made only by the administrators of the app to see which accounts must be reviewed
I hope that the metadata will be searchable again soon !
