Setting last logged-in timestamp on User table

Every time someone logs in using the default auth/login endpoint I want to update a field on their User record with the current timestamp.

So at the end of the function stack, after the Auth Token has been issued, I have an Add or Update record:
[Screen Shot 2022-10-11 at 4.58.49 pm.png]
The problem is that I get an access denied error – I assume because it's not an authenticated endpoint and the User table requires authentication.

How can I get around this? Do I need a separate table to store all login sessions or is there a simpler way?

Comments

  • cam n (Member)
    I'd reckon using that auth you've created, perhaps funneling it through a custom function. Custom function is edit/add, requiring Auth - pass in auth and you're good to go.
  • pete letkeman
    I'm not entirely sure of your needs.
    However, from what I gather a table is not secure or insecure, but the endpoints are.
    Yes, there is this option [image.png], and yes, you are talking about the user table which you are using, but I don't think that is why you are getting a permissions error.
    Have you tried disabling this option to see if you get the same result?
    What is the exact error message?

    All that said, if you need to keep track of sessions then I think it may be better to have a table for that and keep that data separate from the users table.
    If you only need to keep track of the last logged in I suggest using the 'Edit' record and not the 'Add/Edit' record operation.

    Another item of note, what happens when the same user logs into your system from two different browsers at the same time?
  • Michael Udinski (Administrator)
    You are probably getting an Access Denied error because you are trying to use auth ID in your function stack. Auth ID is pulled from an Authentication Token passed through a header from an API Endpoint requiring authentication... This is different from your /signup and /login Endpoints, which generate a token.

    You already have access to the user object in step 1 (Get Record from user). Use that variable to get the user ID. Lastly, I would use the Edit Record function here. Not Add or Edit... Since on /login the user has to exist anyway, based on the Precondition.
  • Ryan Anderson
    Thanks, this was it 😅
  • Ryan Anderson
    Appreciate your thoughts. Tracking the session was overstated... all I'm doing right now is displaying a "last seen" type of feature for admins so no need to worry about multiple browser sessions.

    Have updated to use the Edit record function as you suggest.
  • Ryan Anderson
    Thanks for the thoughts - Michael's suggestion ended up being the simple fix here.
  • Nour (Member)
    Hi, correct me if I am wrong: adding the "edit record" here would not really give you a realistic date of the "last seen" unless the user logs out and in again. What if the auth token lasts for a month, let's say, and the user is logged in already but not using the app? "Last seen" here would still be pointing at the date the user logged in, while he could actually have been active last night. Is that something we can still achieve?
  • Michael Udinski (Administrator)
    In this context, "last seen" is different than "last logged in" - so it depends on what the end goal would be
  • Nour (Member)
    Is there a workaround to have the "last seen"?
  • Ryan Anderson
    Right now all I'm after is last logged in. If I wanted a true last seen feature, I'd simply add the step to each authenticated endpoint.
  • Michael Udinski (Administrator)
    Not a workaround, but just how to go about that: you could implement a "ping" endpoint that just edits the user record with the "last seen" field. Then every 60s call that endpoint while the user is in the app
  • Nour (Member)
    That probably needs more explanation :-) Could you please shed more light on how to implement the "ping"? I can understand the automation side of it, but the ping itself needs more explanation.
  • Michael Udinski (Administrator)
    Your front-end calls the "ping" API endpoint every 60s while the user is active
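
An added sketch of the two handlers discussed in this thread (not code from the original posts and not Xano's implementation): the unauthenticated login handler stamps `last_login` on the record it just looked up, while an authenticated ping handler stamps `last_seen` on the record identified by the token. The token format, field names, function names and the sample user are assumptions made for the example.

```javascript
// Added illustration, not Xano's implementation; all names and data are constructed.
const crypto = require("crypto");

const SECRET = crypto.randomBytes(32);                 // per-process demo signing key
const hashPw = (pw, salt) => crypto.scryptSync(pw, salt, 32);
// Constructed one-row user table.
const users = [{ id: 7, email: "demo@example.com", salt: "s1",
  pwHash: hashPw("correct horse", "s1"), last_login: null, last_seen: null }];

const sign = (body) => crypto.createHmac("sha256", SECRET).update(body).digest("hex");
const issueToken = (userId, now, ttlMs) => {
  const body = `${userId}.${now + ttlMs}`;
  return `${body}.${sign(body)}`;
};

// Returns the user id carried by a valid, unexpired token, otherwise null.
function authId(token, now) {
  const [id, exp, mac] = String(token).split(".");
  if (!mac) return null;
  const got = Buffer.from(mac), want = Buffer.from(sign(`${id}.${exp}`));
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  return Number(exp) > now ? Number(id) : null;
}

// POST /auth/login: unauthenticated, so no auth ID exists yet in this handler.
function login(email, password, now) {
  const user = users.find((u) => u.email === email);   // step 1: get record from user
  if (!user || !crypto.timingSafeEqual(hashPw(password, user.salt), user.pwHash)) {
    return { status: 401 };                            // precondition: user must exist
  }
  user.last_login = now;        // edit (not add-or-edit) the row fetched in step 1
  return { status: 200, authToken: issueToken(user.id, now, 30 * 24 * 3600e3) };
}

// POST /ping: authenticated; the row to edit is chosen by the token alone,
// never by a user id supplied in the request body.
function ping(token, now) {
  const id = authId(token, now);
  const user = users.find((u) => u.id === id);
  if (!user) return { status: 401 };
  user.last_seen = now;
  return { status: 200 };
}
```

With a 30-day token, `last_login` stays at the login time while each ping advances `last_seen`, which is the distinction raised in the thread.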