K
Kinde3w ago
Jenkis Khan

Revok acceess

Hi, I' m working on rbac system with nextjs app router and I want to revok access from a user when it is suspended but it does not work. 
/** My DAO */
async function updateUserStatus(id: string, userbody: UserStatus) {
  try {
    init();
    const response = await Users.updateUser({ id, requestBody: userbody });
    return { data: {id: response.id, is_suspended: response.is_suspended}, status: 200 } as SuccessResponse<UserStatus>;
  } catch (error: unknown) {
    return handleDaoError(error as ApiError);
  }
}
async function revokeUserSession(userId: string) {
  try {
    init();
    await Users.deleteUserSessions({ userId });
    await Users.refreshUserClaims({ userId });
  } catch (error: unknown) {
    return handleDaoError(error as ApiError);
  }
}

/** My service */
export async function updateUserStatus(id: string, userbody: UserStatus) {
  const { checkPermission } = await getServerSession();
  const isAdmin = (await checkPermission("admin:admin"))?.isGranted;
  if(!isAdmin && !(await checkPermission("update:user"))?.isGranted) {
    return handleDaoError(new ValidationError("User does not have permission to update user", "User"));
  }
  const validateId = zodSchemas.IdSchema.safeParse(id);
  if(!validateId.success) {
    return handleDaoError(new ValidationError(validateId.error.errors[0].message, "User"));
  }
  const { is_suspended } = userbody;
  return UserDao.updateUserStatus(validateId.data, { is_suspended });
}

async function revokeUserSession(id: string) {
  return UserDao.revokeUserSession(id);
}

// My route 
export async function PATCH(request: Request, { params }: { params: Promise<{ userId: string }> } ) {
  const { userId } = await params;
  const { is_suspended } = await request.json();
  const user = await UserServices.updateUserStatus(userId, { is_suspended });
  if("data" in user && user.data.is_suspended) {
    await UserServices.revokeUserSession(userId); 
  }
  return NextResponse.json({...user}, { status: user.status });
}
/** My DAO */
async function updateUserStatus(id: string, userbody: UserStatus) {
  try {
    init();
    const response = await Users.updateUser({ id, requestBody: userbody });
    return { data: {id: response.id, is_suspended: response.is_suspended}, status: 200 } as SuccessResponse<UserStatus>;
  } catch (error: unknown) {
    return handleDaoError(error as ApiError);
  }
}
async function revokeUserSession(userId: string) {
  try {
    init();
    await Users.deleteUserSessions({ userId });
    await Users.refreshUserClaims({ userId });
  } catch (error: unknown) {
    return handleDaoError(error as ApiError);
  }
}

/** My service */
export async function updateUserStatus(id: string, userbody: UserStatus) {
  const { checkPermission } = await getServerSession();
  const isAdmin = (await checkPermission("admin:admin"))?.isGranted;
  if(!isAdmin && !(await checkPermission("update:user"))?.isGranted) {
    return handleDaoError(new ValidationError("User does not have permission to update user", "User"));
  }
  const validateId = zodSchemas.IdSchema.safeParse(id);
  if(!validateId.success) {
    return handleDaoError(new ValidationError(validateId.error.errors[0].message, "User"));
  }
  const { is_suspended } = userbody;
  return UserDao.updateUserStatus(validateId.data, { is_suspended });
}

async function revokeUserSession(id: string) {
  return UserDao.revokeUserSession(id);
}

// My route 
export async function PATCH(request: Request, { params }: { params: Promise<{ userId: string }> } ) {
  const { userId } = await params;
  const { is_suspended } = await request.json();
  const user = await UserServices.updateUserStatus(userId, { is_suspended });
  if("data" in user && user.data.is_suspended) {
    await UserServices.revokeUserSession(userId); 
  }
  return NextResponse.json({...user}, { status: user.status });
}
1 Reply
Ages - Kinde
Ages - Kinde3w ago
Hi Ahmat, it sounds like you're trying to revoke access but it's not sticking. To fully revoke a user's session, ensure that you're correctly targeting active sessions and that the deleteUserSessions method is executed properly. Also, double-check that the refreshUserClaims method is not revalidating the user's session. Sometimes, clearing local storage or cached data on the client side can help prevent old session data from persisting. If the issue persists, please reach out again and we can dive deeper.

Did you find this page helpful?