not yet

I currently have this POC code:

js
const express = require('express');
const supertokens = require('supertokens-node');

const app = express();
const port = 3001;

supertokens.init({
    hosts: 'https://try.supertokens.io',
    apiKey: 'key',
    cookieSecure: false,
    cookie_domain: 'localhost:3001',
});

//

app.get('/', (req, res) => res.send('Hello World!'));

app.get('/login', async (req, res) => {
    const userId = 'User1';
    const jwtPayload = { name: 'spooky action at a distance' };
    const sessionData = {
        awesomeThings: ['programming', 'javascript', 'supertokens'],
    };

    await supertokens.createNewSession(res, userId, jwtPayload, sessionData);

    res.send('logged in');
});

app.get('/refresh', supertokens.middleware(), (req, res) => {
    res.send('refresh done');
});

app.get('/dashboard', supertokens.middleware(), (req, res) => {
    const userId = req.session.getUserId();

    res.send(userId);
});

app.use('/logout', supertokens.middleware(), async (req, res) => {
    await req.session.revokeSession();

    res.send('loggoed out');
});

//

app.use(
    supertokens.errorHandler({
        onUnauthorised: (err, req, res, next) => {
            // logging.logError(err); // some logging module
            res.status(440).send('Please login again');
        },
        onTryRefreshToken: (err, req, res, next) => {
            res.status(440).send('Call the refresh API');
        },
        onTokenTheftDetected: async (sessionHandle, userId, req, res, next) => {
            res.status(440).send('You are being attacked');
            await supertokens.revokeSession(sessionHandle);
        },
    }),
);

app.use((err, req, res, next) => {
    res.send(500).send(err);
});

app.listen(port, () => {
    console.log(`listening at http://localhost:${port}`);
});

If I visit http://localhost:3001/login no cookies get set. What did I do wrong?

1) u don't need apiKey for try.supertokens.io 2) cookie_domain should only be localhost and then try again

Nope, still doen't work

in the response from that API, are you getting set-cookie headers?

let me take a look

Yes, but with an warning triangle, the warning says

set cookie was blocked because of samesite being set on a non secure cookie

was blocked or will be blocked in future versions?

message has been deleted

i see. then set sameSite: "lax" in the supertokens.init

nope, same warning

oops. it should be cookieSameSite

and also, it shouldn't be cookie_domain, it should be cookieDomain

See https://supertokens.io/docs/nodejs/api-reference/init

great it works

Thank you for the quick help

ur welcome

@User Would Lumen work with the Laravel version?

I don't think so. That SDK was made specifically for Laravel and we haven't tried it with Lumen. You can try it out and if it works, then great!

Hi @vdvn75

I have a very simple question, couldn't be more sillier maybe. What is the appropriate way for the UI to handle expiry of tokens. Should it be like the API is hit with an expired token, backend throws auth error and then UI hits another API to get refreshed tokens?

that is one way.

Another way is if the frontend knows that the token has expired already, and directly calls the refresh API

how did you find out about us? Through our site or blog?

How does the frontend know the token has expired? By maintaining the expired_at or expired_in sort of a thing? Also a similar thing should be in place for refresh tokens?

And I knew about you guys recently just through searching for good articles on google for user authentication and came across the blog 😄

And ofcourse which one is preferred ?

Yea.. store some value in localstorage or non-httpOnly cookie using which you can know when it expires. We can do that for the refresh token as well.. but that doesn't matter too much cause usage of refresh tokens is relatively rare anyway.