Sun Walker (03/25/2020, 10:26 PM):

Sun Walker (03/25/2020, 11:14 PM):
    let userId = err.err.userId;
    let sessionHandle = err.err.sessionHandle;
    // we can now revoke this session or all sessions belonging to this user.
    // we can also alert this user if needed.
Here it says we can revoke the session, but this is in the catch block so the session variable is not defined. How is this done?

Sun Walker (03/25/2020, 11:15 PM):
    res.send("Successful refreshing of session!");
Sun Walker (03/25/2020, 11:54 PM):

Sun Walker (03/26/2020, 12:19 AM):
    TS2740: Type 'Session' is missing the following properties from type 'Session': id, regenerate, destroy, reload, and 3 more
Sun Walker (03/26/2020, 12:58 AM):

rp (03/26/2020, 12:58 AM):

rp (03/26/2020, 5:29 AM):
getSession function.
Since yours is a mobile app, UNAUTHORISED should send the session expired status code (440). In this case, the frontend SDK will throw this status code to your code and then you can take the user back to the login screen.
In the case of TRY_REFRESH_TOKEN, you also need to send 440. The frontend SDK will take care of calling your refresh API and regenerating the session.
If you want to test your middleware via Postman, then you have to first create a session by calling your login API. That will return a few tokens (in headers and cookies). You must then pass those tokens to any of your APIs that use this middleware, as cookies and headers. Which token goes where can be seen here: https://supertokens.io/docs/nodejs/usage-without-express/verify-session
You can recreate tables without the need for a new license. However, of course, your data will be lost.
For the options API, you can have something like app.options("*", function...). Using * should make all OPTIONS calls go to this API. However, you will have to make Access-Control-Allow-Methods POST, GET, etc. depending on how many types of APIs you have.

rp (03/26/2020, 5:30 AM):

rp (03/26/2020, 5:30 AM):
sessionHandle as mentioned in this page: https://supertokens.io/docs/nodejs/usage-with-express/user-logout#call-the-revokesessionusingsessionhandle-function-api-reference-api-reference-revoke-session-using-session-handle
> there is no response sent from the /api/session/refresh example except a string saying
Check the headers that are sent from this API call. You will see new tokens there.
> How do I change the 'Signing Key' for the JWT and Refresh tokens, as these are signed with a specific key. How will I be able to set my signing keys for both?
The signing key for the access token is managed by our library. You cannot set it to something specific as it is an implementation detail. This key also keeps changing over time so as not to bottleneck your entire user security on this part.
The refresh token signing key is not really needed and can be ignored. We intend to remove that signing key as it provides no security benefits.
> I get an error in TypeScript req.session (session doesn't exist on req) and when npm installing @types/express-session I get an error
If you are using SuperTokens, you do not need to use express-session. Hence you do not need its typing either.
> it makes requests to /categories for example but it fails with "must refresh token" how do I get supertest to work
So when you get the refresh token error, you must call the refresh endpoint. This is something that's taken care of by the frontend SDK which we are making for React Native. If you are using Postman to test, then you should manually call the refresh API with the cookies set.

Sun Walker (03/26/2020, 5:30 AM):

Sun Walker (03/26/2020, 10:48 AM):
> The refresh token signing key is not really needed and can be ignored. We intend to remove that signing key as it provides no security benefits.
Surely if an intruder has access to the refresh token, they can spawn more access tokens and use those to get access to your API?
So it's better to have a long and secure refresh token key.
And also here:
> I get an error in TypeScript req.session (session doesn't exist on req) and when npm installing @types/express-session I get an error
> If you are using SuperTokens, you do not need to use express-session. Hence you do not need its typing either.
I get the error even without the express-session package. Without the package it says req.session (session does not exist on type Request).
I see you mention that setting CORS options is not needed for mobile apps, but in the future I will move my app onto the web as well. In this case should I just make app.options("*", function...) with all options specified by SuperTokens and add POST, GET, PATCH, PUT, DELETE? I.e. every route will have the same options and then I never think about it again (unless I need to)?
Lastly: I'm using Express. I now see my access and refresh token in headers. This is awesome. If I want to make it easy to test in Insomnia/Postman, I can't work it out; any chance you can elaborate?
I've got: SuperTokens middleware, SuperTokens login, SuperTokens refresh. All work well: login returns res with headers, middleware blocks and refresh makes a new session. I just can't put them all together for testing (without the frontend SDK).
Other than this, the software is FANTASTIC!

Sun Walker (03/26/2020, 10:53 AM):

rp (03/26/2020, 10:54 AM):
TOKEN_THEFT_DETECTED_ERROR.
> I get the error even without the express-session package. Without the package it says req.session (session does not exist on type Request)
Hmm. This means somewhere you are using that in your code. In the SuperTokens library, there is no such reference to a session object inside the req object.
> every route will have the same options and then I never think about it again (unless I need to)?
Yes. That can work.
> If I want to make it easy to test in Insomnia/Postman, I can't work it out; any chance you can elaborate?
I could elaborate here, but it would take me lots of time to type it out. Is it possible we can have a call with screen share so I can show it to you?

Sun Walker (03/26/2020, 10:55 AM):

rp (03/26/2020, 10:55 AM):

rp (03/26/2020, 10:56 AM):

Sun Walker (03/26/2020, 10:56 AM):

rp (03/26/2020, 10:57 AM):

rp (03/26/2020, 10:57 AM):

Sun Walker (03/26/2020, 12:10 PM):

rp (03/26/2020, 12:13 PM):

rp (03/26/2020, 12:13 PM):

rp (03/26/2020, 12:14 PM):

rp (03/26/2020, 12:15 PM):

Sun Walker (03/26/2020, 12:24 PM):

rp (03/26/2020, 12:25 PM):

rp (03/26/2020, 1:51 PM):

Sun Walker (03/26/2020, 2:58 PM):

rp (03/26/2020, 3:01 PM):