setAppMetadata doesn't set data fast enough

Hello!

I am migrating Rules into Actions and I am running into an issue when logging in with a fresh user into my Qlik application. Currently, we manually add users into Auth0 directly. Thereafter, we use the Auth0 extension to manually add them to a group for which they will access their restricted content. When creating a new user and attempting to log in, it throws a 400 error “Bad Request”.

However, in Auth0 it sets the App Metadata correctly when checking it in the User Details of any user. Every attempt after the first one succeeds and never throws an error. I checked the event.user.app_metadata before and after the setAppMetadata call and it shows empty both times as denoted by my comments below.

console.log(JSON.stringify(event.user.app_metadata)); //EMPTY
let policy = await getPolicy(event, api);
if (policy.status !== 200) {
  api.access.deny("Access Denied");
}
api.user.setAppMetadata("groups", policy.data.groups);
api.user.setAppMetadata("authorization", {groups: mergeRecords(event.user.app_metadata.groups, policy.data.groups)});

console.log("AFTER: " + JSON.stringify(event.user.app_metadata)); //EMPTY

Reading about setAppMetadata it seems to always run last to reduce rate limit. Worth noting is that policy.data.groups has data, but event.user.app_metadata.groups is undefined, as well as event.user.app_metadata.authorization.groups. I tried looking into postUserRegistration, but it seems like it doesn’t accept setAppMetadata for the user. Is there a workaround to ensure these values are set before the login is completed?

Thanks!

Hi @jonathan.heinin,

Welcome to the Auth0 Community!

Yes, that is by design because the data is set in the app_metadata post login. As a result, the event.user property only updates after the login flow is complete.

You might be able to make it work by setting it directly into the property for that initial login attempt.

event.user.app_metadata.groups = policy.data.groups;

Thanks,
Rueben

Thanks for the response!

This seems to cause the same issue. The getPolicy method receives the group data from the Auth0 authorization extension. Both the pre and post user registration triggers will not work as we manually add the user to a group through the extension after we have already created the user.
Is there a different way I can ensure that the app_metadata is populated with this data before the login?

This is the code in the rules that successfully could do this using the data from the getPolicy method.

  function saveToMetadata(user, groups, roles, permissions, cb) {
    user.app_metadata = user.app_metadata || {};
    user.app_metadata.authorization = {
      groups: mergeRecords(user.groups, groups),
    };

    auth0.users.updateAppMetadata(user.user_id, user.app_metadata)
      .then(function() {
        cb();
      })
      .catch(function(err) {
        cb(err);
      });
  }
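
The behaviour discussed in this thread, as an added example that is not part of any post above and is not Auth0's or the poster's code: because `event.user` is a snapshot that `api.user.setAppMetadata` does not update during the flow, the post-login Action below merges the groups into a local value and reuses that value for both the metadata write and the current login's ID token. It assumes the application can read groups from a custom ID token claim; `mergeRecords`, the `getPolicy` stub, the claim name, and the mock `api` object are constructed stand-ins.

```javascript
// Added example. mergeRecords and getPolicy stand in for the poster's helpers
// (their bodies are not on the page); the claim name is a placeholder.
const GROUPS_CLAIM = "https://example.com/groups"; // hypothetical namespaced claim

function mergeRecords(existing, incoming) {
  return [...new Set([...(existing || []), ...(incoming || [])])];
}

// Constructed stub: the real helper queries the Authorization Extension.
async function getPolicy(event, api) {
  return { status: 200, data: { groups: ["qlik-finance"] } };
}

async function onExecutePostLogin(event, api, policyFn = getPolicy) {
  const policy = await policyFn(event, api);
  if (policy.status !== 200) {
    api.access.deny("Access Denied");
    return; // stop here so a denied login writes no metadata
  }
  // event.user was captured before the Action ran; on a first login it has
  // no groups yet, so merge into a local value instead of re-reading it.
  const stored = (event.user.app_metadata || {}).groups;
  const merged = mergeRecords(stored, policy.data.groups);

  api.user.setAppMetadata("groups", policy.data.groups); // persisted after the flow
  api.user.setAppMetadata("authorization", { groups: merged });
  api.idToken.setCustomClaim(GROUPS_CLAIM, merged); // available in this login
}

// Constructed mock of the Actions `api` object. It records calls and, like the
// behaviour described in the thread, never touches event.user.
function makeMockApi() {
  const calls = { metadata: {}, claims: {}, denied: null };
  const api = {
    access: { deny: (reason) => { calls.denied = reason; } },
    user: { setAppMetadata: (key, value) => { calls.metadata[key] = value; } },
    idToken: { setCustomClaim: (key, value) => { calls.claims[key] = value; } },
  };
  return { api, calls };
}

// Simulates the first login of a user whose app_metadata is still empty.
async function firstLoginDemo(policyFn) {
  const event = { user: { user_id: "auth0|constructed", app_metadata: {} } };
  const { api, calls } = makeMockApi();
  await onExecutePostLogin(event, api, policyFn);
  return { calls, snapshot: event.user.app_metadata };
}
```

In a real Action the handler is exported as `exports.onExecutePostLogin` and called with `(event, api)` only, so the third parameter falls back to the `getPolicy` defined in the Action.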