  • rp

    1 year ago
    @User thanks for reminding us that we need to write docs for revoking a session. Had missed that.
  • bachras

    1 year ago
    Thank you for the prompt reply. Can you elaborate how blacklisting works? Do you store those tokens in a database? Can I save them in memory and check on every request, or run a cron job and write to memory with a 1-hour expiration? We are expecting many requests, and a call to the database on every request seems like not the best solution. What would be the best solution, as we need to block a user immediately? Thank you
  • rp

    1 year ago
    Can you elaborate how blacklisting works? We store the session tokens in the db. When a session is removed, we remove the token from the db. When blacklisting is enabled, for each session verification, we check if the session token exists in the db; if not, we fail the verification.
    This does have a performance penalty, as every request will have a db call for session verification. You can optimise this by introducing your own middleware that runs AFTER our session verification middleware. Your middleware can cache blacklisted sessionHandle values (it's a constant string for the lifetime of the session) and check against that blacklist. We also plan on introducing the ability to do session blacklisting on a per-API basis. So for GET APIs, you don't need to enable session blacklisting, but for POST or other "sensitive" APIs, you can.
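    The middleware pattern described in the reply above, written out as an added example (it is not SuperTokens' own code and does not use its SDK). It assumes an Express-style `(req, res, next)` middleware chain and that the session-verification middleware that runs before it has attached `req.session` with a `getHandle()` method returning the constant `sessionHandle` string; both are assumptions for the example. The cache holds revoked handles in memory with a 1-hour expiry, and the `methods` option applies the check only to the HTTP methods you treat as sensitive, which is the per-API blacklisting the reply mentions. `runRequest` is a small stand-in for Express objects so the block runs offline.

```javascript
// Added example, not SuperTokens' own code: an in-memory revocation cache
// checked by a middleware that runs AFTER the session-verification middleware.
// Assumption (labelled): the verification middleware has attached req.session
// with a getHandle() method returning the constant sessionHandle string.

const ONE_HOUR_MS = 60 * 60 * 1000;

// Cache of revoked session handles with lazy expiry. The database stays the
// source of truth; this cache only avoids a DB round trip per request.
class RevokedSessionCache {
  constructor(ttlMs = ONE_HOUR_MS, now = Date.now) {
    this.ttlMs = ttlMs;
    this.now = now;            // injectable clock, makes expiry testable
    this.entries = new Map();  // sessionHandle -> expiry timestamp (ms)
  }

  // Record a revoked handle. Call this from the same code path that removes
  // the session token from the database, so the two never disagree.
  revoke(sessionHandle) {
    this.entries.set(sessionHandle, this.now() + this.ttlMs);
  }

  // True while the handle is on the blacklist and the entry has not expired.
  isRevoked(sessionHandle) {
    const expiresAt = this.entries.get(sessionHandle);
    if (expiresAt === undefined) return false;
    if (expiresAt <= this.now()) {
      this.entries.delete(sessionHandle); // lazy eviction
      return false;
    }
    return true;
  }

  // Drop every expired entry; suitable for a periodic timer. Returns the
  // number of live entries left.
  prune() {
    const t = this.now();
    for (const [handle, expiresAt] of this.entries) {
      if (expiresAt <= t) this.entries.delete(handle);
    }
    return this.entries.size;
  }
}

// Express-style middleware. `methods` lists the HTTP methods treated as
// sensitive; requests with other methods (e.g. GET) skip the blacklist check.
function revokedSessionMiddleware(cache, methods = ["POST", "PUT", "PATCH", "DELETE"]) {
  const sensitive = new Set(methods.map((m) => m.toUpperCase()));
  return function (req, res, next) {
    if (!sensitive.has(req.method.toUpperCase())) return next();
    const handle = req.session && typeof req.session.getHandle === "function"
      ? req.session.getHandle()
      : undefined;
    // Fail closed: no verified session means no access to a sensitive API.
    if (!handle) return res.status(401).json({ message: "no verified session" });
    if (cache.isRevoked(handle)) return res.status(401).json({ message: "session revoked" });
    return next();
  };
}

// Minimal stand-in for Express request/response objects so the middleware can
// be exercised offline; it returns the outcome instead of writing to a socket.
function runRequest(middleware, method, sessionHandle) {
  const outcome = { status: 200, passed: false };
  const req = {
    method,
    session: sessionHandle ? { getHandle: () => sessionHandle } : undefined,
  };
  const res = {
    status(code) { outcome.status = code; return this; },
    json() { return this; },
  };
  middleware(req, res, () => { outcome.passed = true; });
  return outcome;
}
```

Two points to check before relying on this: the cache entry must live at least as long as the verification middleware would otherwise keep accepting that session, or the check falls open once the entry expires while the session is still verifiable; and because the cache is per process, every instance behind a load balancer has to be told about a revocation (a shared store such as a cache server is the usual fix), with the database remaining the authoritative record.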
  • bachras

    1 year ago
    Thank you for the explanation. A few more questions 🙂 Can I attach a session to a particular device and afterwards allow the user to log out a particular session/device? I am planning to download the supertoken binaries without docker on the server. Can I use it to serve two different domains? As we will serve two different applications with different domains and IPs.
  • rp

    1 year ago
    Can I attach a session to a particular device and afterwards allow the user to log out a particular session/device? A session is already attached to a specific device. When you revoke that session, you are revoking that user's access on that device. Hence, a user can have multiple sessions at the same time.
    You can also store device info as session data if you need.
    Can I use it to serve two different domains? You will need to run two different instances of supertokens, each using its own config file and connected to its own db.
  • bachras

    1 year ago
    Feels like you thought of everything 🙂 Thank you for the explanation once again, I am going to set up supertokens now. If I face any issues setting up I will get back to you if you don't mind. Thank you and have a nice day.
  • rp

    1 year ago
    If I face any issues setting up I will get back to you if you don't mind. Sure!!
    Have a good day to you too @User
  • LaurentS

    1 year ago
    Hi all! I am looking to try out supertokens for a public-facing webapp that I'm building with svelte. I took a quick look at your demo, which seems to be all built for react. Do you have any plain JS code examples anywhere?
  • rp

    1 year ago
    Hey @User. Do you want to use the login + sessions features or just the sessions feature?
  • rp

    1 year ago
    Because login is only supported on ReactJS at the moment