supertokens / supertokens-python

Python SDK for SuperTokens
https://supertokens.com

List all tenants for a specific user #514

Closed ocervell closed 4 months ago

ocervell commented 4 months ago

Hi,

Is there a way to list all tenants where a specific user is present? I've looked at the list_all_tenants function in https://github.com/supertokens/supertokens-python/blob/master/supertokens_python/recipe/multitenancy/asyncio/__init__.py#L72 and there is a user_context but I'm not sure what to pass there, or if it's even the proper thing to do.

Similarly, is there a way to check that a given user has permissions to access a specific tenant? I see most validator claims use the tID in the access token, but what if a user belongs to multiple tenants?

Thanks ;)

rishabhpoddar commented 4 months ago

The user object for each recipe has a list of tenantIds that they are a part of. For example, here is the user object returned from the emailpassword recipe functions.

A session is created per tenant, so the payload only contains the tenantId that was used to sign in.

rishabhpoddar commented 4 months ago

Since this isn't an issue with our SDK, I am closing it.

ocervell commented 4 months ago

Got it for the first question, however you did not answer the second one.

Currently I've got an endpoint like:

from fastapi import Depends, FastAPI
from supertokens_python.recipe.multitenancy import asyncio as multitenancy_api
from supertokens_python.recipe.session import SessionContainer
from supertokens_python.recipe.session.exceptions import raise_invalid_claims_exception
from supertokens_python.recipe.session.framework.fastapi import verify_session
from supertokens_python.recipe.session.interfaces import ClaimValidationError
from supertokens_python.recipe.userroles import UserRoleClaim
from supertokens_python.recipe.userroles import asyncio as roles_api

app = FastAPI()


@app.get("/tenant/{tenant_id}")
async def get_tenant(tenant_id: str, s: SessionContainer = Depends(verify_session())):
    """Get an existing tenant."""
    user_id = s.get_user_id()
    # The session was issued on the "public" tenant, so the role check is done
    # against the tenant named in the path rather than the session's tID.
    roles = (await roles_api.get_roles_for_user(tenant_id, user_id)).roles
    if "admin" not in roles:
        raise_invalid_claims_exception("User is not an admin", [ClaimValidationError(UserRoleClaim.key, None)])
    result = await multitenancy_api.get_tenant(tenant_id)
    resp = {"status": result.status}
    if result.status == "OK":
        resp.update({
            "tenant": {
                "tenantId": tenant_id,
                "emailPassword": result.emailpassword.to_json(),
                "passwordless": result.passwordless.to_json(),
                "thirdParty": result.third_party.to_json(),
                "coreConfig": result.core_config,
            }
        })
    return resp

that my users can check while being logged in on the "public" tenant.

Ideally I would like to replace the boilerplate code with get_roles_for_user with a claim in the verify_session call, but since the tID in my session is set to public, I can't. Is there a way to override the tID somehow before validating the claim?
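The situation in this thread, a session issued on the "public" tenant being used to act on another tenant named in the URL, is one where the authorisation decision has to be made per request. The following is an added example, not code from the SuperTokens SDK or from the issue author: it factors the inline check from the endpoint above into one reusable guard that first confirms tenant membership (the maintainer notes the user object carries the user's tenantIds) and only then checks the role in that tenant. The two lookup functions and their data are constructed stand-ins for the SDK calls.

```python
import asyncio
from typing import Awaitable, Callable, Iterable, Set

# Constructed stand-ins for the two SuperTokens lookups the thread relies on
# (assumption: in a real app these come from the user object's tenant ids and
# from get_roles_for_user(tenant_id, user_id) in the userroles recipe).
USER_TENANTS = {"u1": {"public", "acme"}, "u2": {"public"}}
TENANT_ROLES = {
    ("acme", "u1"): {"admin"},
    ("public", "u1"): {"user"},
    ("public", "u2"): {"admin"},
}


class TenantAccessDenied(Exception):
    """Raised when the caller may not act on the requested tenant."""


async def lookup_user_tenants(user_id: str) -> Set[str]:
    return USER_TENANTS.get(user_id, set())


async def lookup_roles(tenant_id: str, user_id: str) -> Set[str]:
    return TENANT_ROLES.get((tenant_id, user_id), set())


def make_tenant_guard(
    get_user_tenants: Callable[[str], Awaitable[Iterable[str]]],
    get_roles: Callable[[str, str], Awaitable[Iterable[str]]],
    required_role: str,
) -> Callable[[str, str], Awaitable[Set[str]]]:
    """Build one reusable check: tenant membership first, then the role in that tenant."""

    async def guard(tenant_id: str, user_id: str) -> Set[str]:
        # A session on "public" says nothing about other tenants, so membership is
        # checked explicitly instead of trusting the path parameter.
        if tenant_id not in set(await get_user_tenants(user_id)):
            raise TenantAccessDenied(f"user {user_id} is not a member of tenant {tenant_id}")
        roles = set(await get_roles(tenant_id, user_id))
        if required_role not in roles:
            raise TenantAccessDenied(f"user {user_id} lacks role {required_role} in {tenant_id}")
        return roles

    return guard


require_tenant_admin = make_tenant_guard(lookup_user_tenants, lookup_roles, "admin")


def is_tenant_admin(tenant_id: str, user_id: str) -> bool:
    """True only when both checks pass; any failure is a deny."""
    try:
        asyncio.run(require_tenant_admin(tenant_id, user_id))
        return True
    except TenantAccessDenied:
        return False
```

In the handler from this thread the call would be `await require_tenant_admin(tenant_id, s.get_user_id())` before `get_tenant`, with the guard's exception mapped to the same 403-style response the inline check produced.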