Is it possible to decode a JWT without switching to the user?

[saosebastiao]

I'd like to write a function that creates a new user/role if they do not exist, with default permissions, using data from the JWT. The only way I can see how to do that is to create the user from an anon role, pass the token in the request body (or header but not Authentication header, as that would trigger the role switch), decode the token there, and then create the user if they do not exist. That seems pretty non-trivial and it bypasses all of the built in decoding done in PostgREST. Is there another possible way that I could do this?

[wolfgangwalther]

You could use the same static role: authenticator in each JWT - and then have a second field in the payload which contains the "real" role.

PostgREST would always change to the authenticator role first - which it already has anyway. No-op.

Then create a db-pre-request function, which checks the JWT payload, creates the real role if missing and finally does it's own SET ROLE <real-role>.

[tommyli]

I tried this approach but got error cannot execute INSERT in a read-only transaction. It seems db-pre-request config only supports read-only functions? Or can I override that somewhere? Below are relevant log lines.

2023-08-09 16:05:23.752 GMT [103] kurate 172.20.0.2LOG:  execute 2: select "api"."upsert_user"()
2023-08-09 16:05:23.752 GMT [103] kurate 172.20.0.2ERROR:  cannot execute INSERT in a read-only transaction

[wolfgangwalther]

It seems db-pre-request config only supports read-only functions?

It's not the pre-request function that supports read-only, but the fact that whenever you make a GET request, you end up in a read-only transaction. So this will only work with POST/PATCH/DELETE requests.