How to invalidate/refresh JWT server-side?

[KazimirPodolski]

Let's look at the docs of Parameter Queries:

request.user_id()
request.jwt() ->> 'sub' -- Same as `request.user_id()
request.parameters() ->> 'param' -- Client parameters

-- Some Supabase-specific examples below. These can be used with standard Supabase tokens,
-- for use cases which previously required custom tokens
request.jwt() ->> 'role' -- 'authenticated' or 'anonymous'
request.jwt() ->> 'email' -- automatic email field
request.jwt() ->> 'app_metadata.custom_field' -- custom field added by a service account (authenticated)

Let's say app_metadata or role or whatever in the JWT payload changed server-side, possibly via other user's interaction (i.e. it's not necessary a user did the change leading to their own current JWT change, it might have been a server-side effect).

How to refresh the JWT for all affected clients?

[simolus3]

How to refresh the JWT for all affected clients?

You can't force clients to refresh their JWTs immediately, but one thing I imagine should work may be to implement these notifications in PowerSync.

A primitive solution: Say you had a table storing user ids and an incrementing integer representing the "version" of their roles / app-specific metadata. Then:

• When you mint a new JWT on your backend, you lookup the current version and include it in the JWT.
• You define a sync rule giving each user access to the version field matching their user id.
• On the client, watch for SELECT version FROM user_id_to_role_version. Whenever the version updates and the one from the token is older, use invalidateCredentials and call disconnect() + connect() on the database. This will make PowerSync request a new JWT that would include the updated roles before resuming sync.

For access control, note that this doesn't invalidate the old JWT immediately. So if e.g. the role of the user changes in a way that a user has access to fewer data afterwards, they can still see the older data set (with updates) until their old token expires (unless the client is cooperative and reconnects after comparing the version field).

[KazimirPodolski]

In my case access control is quite dynamic and actually not easy to put completely into DB, but I'll think about this solution, thanks!