`return await admin.auth().createCustomToken(account, claims);` puts the claims on the token but does not save them to the user.
So when the browser refreshes the user's token, they lose these claims until they log back in (which currently requires them to sign another message).
This raises some UX questions around waiting for lock purchases to hit the blockchain.
Saving claims to the User should be the default, but configurable. Should we wrap a method for the browser to request a claims update on the (logged-in) user (and refresh the token if changed)? What are some other approaches? Messaging? We want to avoid requiring the app to use RT database and/or Firestore. KISS
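
One way the "save by default, but configurable" behaviour could look, as an added sketch that is not code from this project: `issueToken`, `syncClaims`, `loadOrCreate` and the `persist` option are hypothetical names, and `auth` is assumed to be the `admin.auth()` instance from firebase-admin. Claims are assumed to be computed on the server (for example from on-chain lock state), never taken from the browser's request.

```javascript
// Added example: persist claims on the user record before minting the token,
// so they survive ID-token refreshes. `auth` is assumed to be admin.auth().

// Deterministic JSON so key order alone never triggers a claims write.
function stable(value) {
  if (Array.isArray(value)) return '[' + value.map(stable).join(',') + ']';
  if (value && typeof value === 'object') {
    return '{' + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + stable(value[k])).join(',') + '}';
  }
  return JSON.stringify(value);
}

// A first-time account has no user record yet, and setCustomUserClaims
// fails for unknown uids, so create the record when it is missing.
async function loadOrCreate(auth, uid) {
  try {
    return await auth.getUser(uid);
  } catch (err) {
    if (err.code !== 'auth/user-not-found') throw err;
    return auth.createUser({ uid });
  }
}

// Writes claims only when they differ; returns true if the record changed.
async function syncClaims(auth, uid, claims) {
  const user = await loadOrCreate(auth, uid);
  if (stable(user.customClaims || {}) === stable(claims)) return false;
  await auth.setCustomUserClaims(uid, claims);
  return true;
}

// Login path: persist (unless disabled), then mint the custom token.
async function issueToken(auth, uid, claims, { persist = true } = {}) {
  const changed = persist ? await syncClaims(auth, uid, claims) : false;
  const token = await auth.createCustomToken(uid, claims);
  return { token, changed };
}
```

`syncClaims` can also back an authenticated endpoint for an already logged-in user; when it returns `true`, the browser forces a refresh with `currentUser.getIdToken(true)` to pick up the new claims.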