general
  • r

    rp

    03/27/2020, 8:55 PM
    that's how the browser works.
  • s

    Sun Walker

    03/27/2020, 8:55 PM
    Oh,
  • r

    rp

    03/27/2020, 8:55 PM
    it doesn't send expired cookies to the API.
  • r

    rp

    03/27/2020, 8:55 PM
    now we could set the cookie expiry to be larger than the access token
  • s

    Sun Walker

    03/27/2020, 8:56 PM
    oh so the browser can see the expiry of the cookie
  • r

    rp

    03/27/2020, 8:56 PM
    access token's expiry, but this would not provide much benefit cause we would still want to enforce the fact that we get a new refresh token for each /refreshSession call.
  • r

    rp

    03/27/2020, 8:56 PM
    yes. browser has complete access to the cookie (not the JS running on your page), but the browser itself.
  • r

    rp

    03/27/2020, 8:57 PM
    > at one point will we be able to replace all of this with redis, as it's faster or is that less secure? We will build redis support soon. But if you are using JWTs, then it would add no performance benefit cause even now, most getSession calls don't even need a network call to anything (not even supertokens core).
  • s

    Sun Walker

    03/27/2020, 8:58 PM
    How come they don't always call the db?
  • r

    rp

    03/27/2020, 8:58 PM
    cause that's how JWT verification works
  • r

    rp

    03/27/2020, 8:59 PM
    you have the public key in the node process (in memory). And when you get a JWT, you verify the signature using that public key. If it checks out, and the JWT hasn't expired, and the anti-csrf verification is done, then you're good to go!
  • r

    rp

    03/27/2020, 8:59 PM
    if any of those fail, then you query the ST core and do whatever that says.
  • s

    Sun Walker

    03/27/2020, 9:00 PM
    this is what I've got
    // Imports added so the snippet compiles on its own; the SuperTokens names
    // (getSession, Error with its errType constants) are the node SDK API the
    // poster is using, and `req.session` assumes an Express Request type
    // augmentation defined elsewhere in the poster's project.
    import { Request, Response, NextFunction } from 'express';
    import createHttpError from 'http-errors';
    import { getSession, Error } from 'supertokens-node';
    
    // Express middleware for protected routes: verifies the session from the
    // request cookies. The third argument (doAntiCsrfCheck) is hard-coded to true.
    export const secureRoutesMiddleware = async (req: Request, res: Response, next: NextFunction) => {
      try {
        const session: any = await getSession(req, res, true);
        req.session = session; // make the verified session available to downstream handlers
        return next();
      } catch (err) {
        const authError = Error.isErrorFromAuth(err);
    
        // No valid session at all: the client has to log in again
        if (authError && err.errType === Error.UNAUTHORISED) {
          return res.status(440).send({ mustLogin: true, message: 'Unauthorised. Please Login.' });
        }
        // Any other auth error (e.g. expired access token): the client should call /refreshSession
        if (authError && err.errType !== Error.GENERAL_ERROR) {
          return res
            .status(440)
            .send({ mustRefresh: true, message: 'Session Expired. Please Refresh Session.' });
        }
        // GENERAL_ERROR or a non-auth error: surface as a 500
        throw createHttpError(500, { err });
      }
    };
  • s

    Sun Walker

    03/27/2020, 9:00 PM
    Doesn't getSession take in the req and res and call the db, to get the session and check if the JWT in the session is valid?
  • r

    rp

    03/27/2020, 9:00 PM
    Yea. This is what we use for our website too
  • r

    rp

    03/27/2020, 9:00 PM
    Something very similar
  • r

    rp

    03/27/2020, 9:01 PM
    however, you may not want to hard code the anti-csrf 'true' value there. As some APIs (when you have a website) would not require CSRF
  • r

    rp

    03/27/2020, 9:02 PM
    so getSession takes the req, gets the JWT from its cookies. Then it takes the JWT and verifies the signature using the public key it already has (which it gets from the core when you start the node process). The JWT contains the userId - so no db call there either
  • r

    rp

    03/27/2020, 9:02 PM
    either*
  • s

    Sun Walker

    03/27/2020, 9:03 PM
    Ahhhhh
  • s

    Sun Walker

    03/27/2020, 9:03 PM
    from the core? what's that
  • r

    rp

    03/27/2020, 9:03 PM
    the core is the ST service you are running.
  • s

    Sun Walker

    03/27/2020, 9:03 PM
    Got ya
  • r

    rp

    03/27/2020, 9:03 PM
    I call it the ST core. haha
  • s

    Sun Walker

    03/27/2020, 9:04 PM
    I like that name lol
  • r

    rp

    03/27/2020, 9:04 PM
    haha
  • r

    rp

    03/27/2020, 9:04 PM
    thanks
  • s

    Sun Walker

    03/27/2020, 9:04 PM
    also another important one, I've been getting a response of 'Session Revoked, Please Login' sometimes when I try to /refreshSession with correct details which isn't supposed to happen. This is my function, is there anything wrong with it?
    // Imports added so the snippet compiles on its own. The SuperTokens names
    // (refreshSession, revokeSessionUsingSessionHandle, Error) are the node SDK
    // API the poster is using; the `Session` type import is assumed to come from
    // the same package. `env` and `developmentCookieResponse` are helpers
    // defined elsewhere in the poster's project and are not shown here.
    import { Request, Response } from 'express';
    import createHttpError, { Unauthorized } from 'http-errors';
    import { refreshSession, revokeSessionUsingSessionHandle, Error, Session } from 'supertokens-node';
    
    // Handler for the /refreshSession route: rotates the refresh token and
    // issues a new access token (both set as cookies on `res`).
    export const attemptRefreshSession = async (req: Request, res: Response) => {
      try {
        const session: Session = await refreshSession(req, res);
    
        if (!session) {
          throw new Unauthorized();
        }
        return env !== 'development' ? true : developmentCookieResponse(res);
      } catch (err) {
        const authError = Error.isErrorFromAuth(err);
    
        // Refresh token missing or invalid: the client has to log in again
        if (authError && err.errType === Error.UNAUTHORISED) {
          return res.status(440).send({ mustLogin: true, message: 'Unauthorized. Please Login.' });
        }
        // Any other auth error: revoke the session and force a fresh login
        // (this is the branch that produces the 'Session Revoked' response)
        if (authError && err.errType !== Error.GENERAL_ERROR) {
          console.log(err, err.errType); // TODO remove
          const sessionHandle = err?.err?.sessionHandle;
          const successfulRevoke = await revokeSessionUsingSessionHandle(sessionHandle);
          return res
            .status(440)
            .send({ mustLogin: true, message: 'Session Revoked. Please Login.', successfulRevoke });
        }
        // GENERAL_ERROR or a non-auth error: surface as a 500
        throw createHttpError(500, { err });
      }
    };
  • s

    Sun Walker

    03/27/2020, 9:05 PM
    was console logging to try to debug
  • r

    rp

    03/27/2020, 9:06 PM
    So maybe that's cause you have been using the old refresh token to make an API call after using a new access token?
Powered by Linen