TOTP for the win

But supporting Google Authenticator is a important step for 2FA

Also, anyway to get all active (logged in) sessions a user has?

i am building an app using supertokens and react-router-dom v6. i've got everything all working to sign in/sign up but now i want to make routes that are protected so that only authenticated users can access them. is this something that exists in the frontend supertokens code today?

nm, i found the doc! https://supertokens.io/docs/thirdparty/common-customizations/sessions/securing-component

Yes. We expose a function in the backend SDK called getAllSessionsForUser (or something like that)

amazing, I'll be building amazing things with SuperTokens in due time

Awesome! Happy to hear that

Hello, I have a question. i want when we call super token signup API. it may create a session at that time but my requirement is when we will signup I don't want to create a user session at that time. it will only happen when the user tries to log in. anyone helps me how I can do this. i read about override method but that is not clear to me

Does Supertokens have a feature where if a user suspects password theft, they can change it and simultaneously log out of all active sessions?

Hi, so I need to manage sessions between a react app, and several node servers. One of these node apps stores data for user authentication, whilst the others store various sets of data for the client. They are all within the same domain. I just need to use supertokens for handling sessions management. If i define a route at an already existing supertokens api path like /auth/signin and do my own authentication, then does that mean I need to use some of supertokens exposed functions to ask for a new pair of tokens

do i need my own logic in the backend to handle the process of interacting with the supertokens core for new login, expiry of access, or expiry of access and refresh,?

in my react app i have a common header bar that contains the user's profile avatar and a dropdown for info. I want to render the header always but the profile avatar and dropdown only if the user is logged in. Can i wrap anything in to hide it if not logged in or will it redirect me away?

i figured this out by using

<ThirdPartyAuth requireAuth={false}>

wrapping my component and using

useSessionContext

in the component itself to see if there is a session

now i just have to figure out how to get email to the front-end so i can display that to the user.

that's exactly the recommended way of doing it 🙂

We don't store that on the frontend by default, but there are a few options

You could add it to the access token payload and use that through

useSessionContext

, but this will get transmitted with every request. (https://supertokens.io/docs/emailpassword/common-customizations/user-roles/assigning-session-roles)

You also get this info when login succeeds so you could store this locally after a login succeeds(https://supertokens.io/docs/emailpassword/common-customizations/handling-signin-success#1-on-the-frontend). If you go with this I'd recommend tying the stored info the the session id, so the if something goes wrong you don't display the wrong email)

Also, you can just add an API endpoint and store the result in memory. Most apps fetch some info about the current user anyway, so you could do it at the same time.

👍

Not necessarily, check out our "session management only" recipe https://supertokens.io/docs/session/quick-setup/frontend You can define your own auth/routes and validate the session on multiple node servers if they have access to the cookie.

Not out of the box. You can implement this by changing the password of the user (

updateEmailOrPassword

), then revoking all their sessions (

revokeAllSessionsForUser

)

Hi, you can do this by overriding

signUpPOST

. Something like this should work:

EmailPassword.init({
        override: {
            apis: (originalImplementation) => ({
                ...originalImplementation,
                signUpPOST: async function (input) {
                    const email = input.formFields.find((f) => f.id === "email").value;
                    const password = input.formFields.find((f) => f.id === "password").value;

                    return EmailPassword.signUp(email, password);
                },
            }),
        },
        // ...
    },

thank you porcellus, i have another question

i want to secure my routes with this method from the session recipe under common customizations

the redirect function i provide just needs to return a react-router-dom redirect component correct?

No, it's a

() => void

function, it needs to do the redirect itself (or do nothing, show a popup, whatever suits your needs)

once i have a user signed up via third party provider, how do i get their email, name, etc?

@User you can get the access token sent by the third party provider like this: https://supertokens.io/docs/thirdpartyemailpassword/post-login/getting-provider-access-token Then you can query the provider and get any info you like.