Netlify Identity user's data edit triggered by Netlify Function

Hello!
I’ve solved the signup-login problem with the Netlify Identity Widget.
However, I would like to have some payment options on my site, and for that I would like to givet Roles to the users, and put in the metadata their last payment time.
I solved the paying with Stripe, and even I’m able to carry details like user id and user email trough the payment processing.

I’m listening on webhook if the user is paid and I’m passing the email, and the user id to the Netlify function which should handle user’s subscription.

And there is my problem.
I’ve checked these resources:

And I’ve trued to use

console.log(netlifyIdentity.currentUser());

But it’s just returning me null.
I’ve not passing context to the handler function but even still I tried like this:

const { identity, _user } = context.clientContext;
  console.log(`identity: ${identity}`);

It’s also undefined.

How could I make sure I can get the user by id or email, or I could pass the access token also if that needed?

I would like to use these functions mainly:

And these are admin functions so only the backend should use them. I shouldn’t let user’s to modify their own profile.

Should I pass my own Bearer token into environment variable and use that? But these are short living tokens and expire quickly, so I’m not sure what would be the correct approach.

I hope someone did something similar and can guide me to the solution :slight_smile:

Okay I found the answer, but I’m still not sure everything is going to be good like this.
The solution is, from the webhook function I should call the one which handling the user’s data. So in webhook.js

response = await fetch(url, {
                                method: 'post',
                                headers: {
                                    Authorization: `Bearer ${checkoutSessionCompleted.metadata["1"]}`,
                                },
                                body: requestBody,
                            });

And after this call I can follow the examples, the another function now have context and everything will working good:

const handler = async (_event, context) => {
  if (_event.httpMethod !== 'POST') return { statusCode: 400, body: 'Must POST to this function' }

const { identity, user } = context.clientContext;
  const userID = user.sub;
  const userUrl = `${identity.url}/admin/users/{${userID}}`;
  const adminAuthHeader = `Bearer ${identity.token}`;

etc
etc

However I’m still not so cool that I have the auth token into Stripe’s metadata to get it out of the response later…

Plus I’m still not sure any user possible could do their data change for themselves if they know to do programatically. So basically they could hack a free roles for themselves in my understanding. Maybe I should add an extra secret into it and check if that is provided by the function caller or not.

I still feel I found a solution, but something what is against the best practices heavilly.

Hi @palinko91,

Have you checked this thread: Updating users roles via Netlify Serverless function (When logged in as another user)

TL;DR: You should not rely on the authorization header if you want to make changes as the user. You should restrict this ability to an admin-only and work using user IDs.