Custom roles in Hasura using Firebase Auth and JWT


I am using Firebase Auth with a Cloud Function that passes the JWT to the client; however, there is no logic there for loading permissions since the user is not registered yet, so he gets the x-hasura-default role. However, after I have created the user, in Hasura itself I want to add the user to the group manager tables (from the admin console, or from logic, doesn't matter), so now he should have the role 'manager'. Now when he refreshes his page, there should be logic that queries the table of managers and loads the manager role. However, this logic of loading the permissions from this table runs when I have already received the signed JWT with only the default role, so the only option I have is to pass the manager role in x-hasura-role in the header of the request; however, this is insecure since it is not part of the JWT and it can be altered by a smart user.

Is there anything I am missing here about the process? Or is there another way of doing this?

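Added example, not part of the original question and not Hasura's or Firebase's own code: a JavaScript model of how Hasura's JWT mode is documented to treat the `x-hasura-role` header, which is honoured only when the requested role appears in the signed token's `x-hasura-allowed-roles` claim. The role names `user` and `manager`, the `isManager` flag, the uid and the function names are assumptions made for illustration.

```javascript
// Added example: a model of the documented role check, not Hasura's code.
const HASURA_NS = "https://hasura.io/jwt/claims";

// Build the Hasura claims for a user. `isManager` is a hypothetical flag the
// backend derives from the managers table; in a Cloud Function the result
// would be passed to the Admin SDK's setCustomUserClaims(uid, claims).
function buildHasuraClaims(uid, isManager) {
  const allowed = ["user"];
  if (isManager) allowed.push("manager");
  return {
    [HASURA_NS]: {
      "x-hasura-user-id": uid,
      "x-hasura-default-role": "user",
      "x-hasura-allowed-roles": allowed,
    },
  };
}

// Model of the server-side decision, applied after the JWT signature has been
// verified: the x-hasura-role header only selects among roles that the signed
// token already allows, so editing the header cannot add a role.
function resolveRole(verifiedClaims, headers) {
  const ns = verifiedClaims[HASURA_NS];
  if (!ns || !Array.isArray(ns["x-hasura-allowed-roles"])) {
    return { ok: false, reason: "missing hasura claims" };
  }
  const requested = headers["x-hasura-role"];
  if (requested === undefined) {
    return { ok: true, role: ns["x-hasura-default-role"] };
  }
  if (!ns["x-hasura-allowed-roles"].includes(requested)) {
    return { ok: false, reason: "role not in x-hasura-allowed-roles" };
  }
  return { ok: true, role: requested };
}

// Constructed sample: the same user before and after being made a manager.
const before = buildHasuraClaims("uid-123", false);
const after = buildHasuraClaims("uid-123", true);
console.log(resolveRole(before, { "x-hasura-role": "manager" })); // rejected
console.log(resolveRole(after, { "x-hasura-role": "manager" }));  // manager
console.log(resolveRole(after, {}));                               // default role
```

Custom claims set through the Admin SDK reach the client only in a newly issued ID token, so after the user is added to the managers table the client has to refresh its token (for example with `getIdToken(true)`) before the `manager` role appears in `x-hasura-allowed-roles`.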