Problem statement
When using the Delegated Administration Extension (DAE) with the provided Filter Hook, it initially seems possible to filter the users listed in the extension. However, once this Hook is set, the search function of the extension does not work properly.
Troubleshooting
Try the following Filter Hook:
function (ctx, callback) {
  // Get Client ID of App admin
  var apps = ctx.request.user.app_metadata && ctx.request.user.app_metadata.managed_apps;
  if (!apps || !apps.length) {
    return callback(new Error('app_metadata is not registered in the administrator'));
  }
  // Create query parameter to pass to Management API
  // https://auth0.com/docs/api/management/v2/users/get-users
  var query = "";
  for (var i = 0; i < apps.length; ++i) {
    // Don't add "OR" if the value is the last that is retrieved from array
    if (i === apps.length - 1) {
      query += 'app_metadata.authorized_apps:"' + apps[i] + '"';
    } else {
      query += 'app_metadata.authorized_apps:"' + apps[i] + '"' + ' OR ';
    }
  }
  // Get users that have Client ID in app_metadata.authorized_apps
  return callback(null, query);
}
The hook reads the app_metadata.managed_apps attribute of the logged-in user, so that they see only users who have those apps in their app_metadata.authorized_apps attribute.
Both app_metadata attributes must be set for the test users.
Cause
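With the above Filter Hook, the final query sent by the DAE combines the search term and the filter term with AND, while the filter term itself contains OR. Because the filter term is not wrapped in parentheses, the query ends up being evaluated as ( A AND B ) OR C, not A AND ( B OR C ), where A is the search term and B and C are the filter terms: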
/api/v2/users?sort=last_login:-1
# query
&q=
# search term
(email.domain:*mail.com) AND
# filter term
app_metadata.authorized_apps:"*********************" OR app_metadata.authorized_apps:"*********************"
&per_page=10
&page=0
&include_totals=true
&fields=user_id,username,name,email,identities,p
Solution
This issue can be fixed by amending the filter query to wrap the filter terms in parentheses () so that they are kept separate from the search term in the final query.
Note that the only changes made to the query in the filter hook are the ( added on line 9 at the start of the query and the ) added on line 13 at the end of the query; the ctx.log(query) call on line 19 only logs the resulting query.
function (ctx, callback) {
  // Get Client ID of App admin
  var apps = ctx.request.user.app_metadata && ctx.request.user.app_metadata.managed_apps;
  if (!apps || !apps.length) {
    return callback(new Error('app_metadata is not registered in the administrator'));
  }
  // Create query parameter to pass to Management API
  // https://auth0.com/docs/api/management/v2/users/get-users
  var query = "(";
  for (var i = 0; i < apps.length; ++i) {
    // Don't add "OR" if the value is the last that is retrieved from array
    if (i === apps.length - 1) {
      query += 'app_metadata.authorized_apps:"' + apps[i] + '")';
    } else {
      query += 'app_metadata.authorized_apps:"' + apps[i] + '"' + ' OR ';
    }
  }
  // Get users that have Client ID in app_metadata.authorized_apps
  ctx.log(query);
  return callback(null, query);
}
This results in a query like the following, where the search term and the filter terms are wrapped in separate parentheses and are therefore kept apart from each other.
/api/v2/users?sort=last_login:-1
# query
&q=
# search term
(email.domain:*mail.com) AND
# filter term now wrapped in parenthesis
(app_metadata.authorized_apps:"****************" OR app_metadata.authorized_apps:"*******************")
&per_page=10&page=0&include_totals=true&fields=user_id,username,name,email,identities,picture,last_login,logins_count,multifactor,blocked,app_metadata,user_metadata&search_engine=v3
Now when searching for gmail.com, only relevant users are returned.
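The difference between the two hooks can be reproduced offline. The following is an added example, not part of the original article or of the extension's code: it builds the final q value both ways and evaluates it against constructed sample users with a toy evaluator that assumes AND binds tighter than OR, as described under Cause. The user records, the app IDs appA/appB/appC and all function names are assumptions made for illustration.

```javascript
// Constructed sample users and client IDs, not real tenant data.
const users = [
  { email: 'ann@gmail.com',   authorized_apps: ['appA'] },
  { email: 'bob@example.org', authorized_apps: ['appB'] },
  { email: 'cat@gmail.com',   authorized_apps: ['appC'] }, // app not managed by this admin
  { email: 'dan@example.org', authorized_apps: ['appA'] },
];

// Filter clause in the shape the hook returns; `wrap` adds the parentheses from the fix.
function buildFilter(apps, wrap) {
  const clause = apps.map(id => 'app_metadata.authorized_apps:"' + id + '"').join(' OR ');
  return wrap ? '(' + clause + ')' : clause;
}

// Final q value: "(search term) AND filter term", as in the requests shown above.
function buildQuery(searchTerm, filter) {
  return '(' + searchTerm + ') AND ' + filter;
}

// Toy evaluator (assumption: AND binds tighter than OR, matching the Cause section).
function matches(q, user) {
  const t = q.match(/\(|\)|[^\s()]+/g); // tokens: parentheses, AND/OR, field:value terms
  let i = 0;
  const term = () => {
    if (t[i] === '(') { i++; const v = or(); i++; return v; } // second i++ skips ')'
    const tok = t[i++], sep = tok.indexOf(':');
    const field = tok.slice(0, sep), value = tok.slice(sep + 1).replace(/"/g, '');
    if (field === 'email.domain') return user.email.split('@')[1].endsWith(value.replace(/^\*/, ''));
    if (field === 'app_metadata.authorized_apps') return user.authorized_apps.includes(value);
    return false;
  };
  // The right-hand operand is always parsed first so short-circuiting never skips tokens.
  const and = () => { let v = term(); while (t[i] === 'AND') { i++; v = term() && v; } return v; };
  const or = () => { let v = and(); while (t[i] === 'OR') { i++; v = and() || v; } return v; };
  return or();
}

// Emails returned for an admin who manages `managedApps` and types `searchTerm`.
function search(searchTerm, managedApps, wrap) {
  const q = buildQuery(searchTerm, buildFilter(managedApps, wrap));
  return users.filter(u => matches(q, u)).map(u => u.email);
}

console.log(search('email.domain:*mail.com', ['appA', 'appB'], false));
console.log(search('email.domain:*mail.com', ['appA', 'appB'], true));
```

With the unwrapped filter, every user of the last managed app is returned regardless of the search term; with the wrapped filter, the search term applies to all managed apps.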