And welcome to The Community
It is correct that the browser-side JWT won’t automatically update even though the roles associated to that user server-side have changed. This is in part due to the nature of distributed auth systems, and it’s designed that way. I don’t necessarily have particular literature to link to at the moment regarding the architecture and nature of JWT and distributed auth, but it should be a brief search away
To the point, when a user logs in and is granted a fresh JWT (And a refresh token which can be used to refresh that JWT), that JWT represents a fully authenticated user and needs no further input from Netlify Identity / GoTrue at that time. The JWT is a stand-alone, valid representation of proof that that user is who they say they are. When that JWT gets sent to a Function, the Function correctly sees the user for who they are based on the valid JWT, but as you’re noticing, the Roles that Function reads are the roles directly within the JWT, not a cross-reference to the roles that are currently stored in GoTrue.
So anyway, all the theory and logistics aside, it’s correct that your external change to a user’s role has no impact on the user’s JWT in-browser.
But there are ways to do what you’re looking to do. I wrote
react-netlify-identity-gotrue and created a specific function just for this case, I called it
This method is a utility to forcibly refresh the local user’s information and authorization. While not ostensibly the most useful functionality, it presents a particular use case for when you know a user’s data has been altered externally. This typically isn’t the case - a user’s own
identity.user data tends to only be changed by that user but if the user kicks off a process that externally alters the user data, this method can be useful.
But be aware that this is not the same method in
gotrue-js or other Netlify Identity libraries (not sure which client library you’re using).
If you can’t / don’t want to wire this up client side, or if your external changes aren’t kicked off from the client/browser at all, then you can use the GoTrue admin methods to actually reach out and get the latest user model from GoTrue whenever that user hits your function… effectively allowing you to both authenticate that the true user called your function and get the latest GoTrue data for that user in the Function before doing other things let me know if that’s the direction you want to go and I can provide some pointers