Hey SuperTokens, I currently have this middleware that runs on every request

export const secureRoute = async (req: any, _res: any, next: any) => {
  const { authorization } = req.headers;

  if (!authorization) {
    throw new Unauthorized();
  }
  try {
    const token = authorization.replace('Bearer ', '');
    const payload: any = await verifyAccessToken(token);
    if (!payload) {
      throw new Unauthorized();
    }

    req.currentUserId = payload.sub;

    return next();
  } catch (err) {
    throw createHttpError(401, { err });
  }
};

Is there any way to put supertoken session in this or do I not need this any more?

you will need a new middleware. An example of that is given here: https://supertokens.io/docs/nodejs/usage-with-express/verify-session#writing-your-own-session-middleware (if you are using express)

What does one usually store in session data? (as jwtPayload is stored on the session)

So jwtPayload is sent to the frontend. Usually u store the userId and then user role in there. (UserId is already stored there for u). But u should not store anything sensitive

Anything sensitive goes in sessionData. Which is only stored in db.

do you have examples of such sensitive data?

just 1 or so

Uhmm not reallly. But it could be whatever u think is sensitive. Like an email ID. Or phone number or shopping cart information etc..

Generally I would avoid storing much in JWT payload. Just the minimum stuff. Or stuff that’s required for all API calls (like userId or user role)

Ahhh I see

But this is debatable. Cause the JWT is not meant to be accessible on the frontend anyway.. but this is what I am conmfortable with

Yeah I too agree, it's a good balance between risk and making things easier for FE

FE?

front end

Hmmm. How frontend?

Cause the frontend can’t access this token anyways

oh but dont you need to access the JWT payload or userid on the front end to show certain data and do certain things

Ah. For that, there is this thing called open ID connect tokens. Which we have not implemented yet

For now, u can just call an API that will send u info about the user to ur frontend

But this JWT should never be accessible from the frontend. Cause it can be stolen via XSS attacks.

And SuperTokens enforces this.

Oh so cookie stored in FE, every request to api sends access token right? doesnt access token have userID?

Yes.

To both ur questions

when you say 'api that will send info about user', what info does the Front End need other than user ID or if I need the user info I can just make a request to /user/:userId? Want to know to understand the different parts of this flow

So u don’t even need an API like /user/:userId (unless u want users to see other user’s info based on their userId).

All u need is a /user GET api which will take the incoming access token, get the userId from it, and return that user’s name profile pic etc...

And u can call that API to get the current user’s info.

So unless u r displaying the current user’s userId to them, ur frontend doesn’t even need the userId