Verify session question in NextJS

Hi There! Can we customize the response send by supertokens after login/signup?

Hello How can I validate authen with supertokens in gRPC in Go (Gin-gonic)? Thank you

Hey just realize That the data saved in db only providerId and email. So to get another such as user name from third party, do I need to request it using the access token?

What's the best place to put "welcome email for new users" logic? I had it in verifyEmailPOST but now I'm not sure if it would be better in consumeCodePOST 🤔

I just setup Supertokens and got it linked with my db and I got the init command added to my api. Do I have to create all the routes for my API or is there something i'm missing?

I think I found a spelling mistake

"message": "API input error: Please make sure to pass a valid JSON input in thr request body"

im having an issue with the javascript session recipe for some reason, i can see the fetch from signOut to the supertokens backend with a status of ok but the session still exists I have tried changing to supertokens-auth-react and using the corresponding methods for signout and sessionexists and experienced the same issue

Session exists after sign out

spelling error in error message

is there a way to reset user data in Saas, like a restart or some api call? if not, then what data is safe to remove in the PostgresDB to be clean slate?

Deleting user data in SaaS

So my login work in third party then tried to work with my email password login Test it and got 400 bad request, can't find the problem here are the frontend init

js
emailVerificationFeature: {
  mode: "REQUIRED"
 },
signInAndUpFeature: {
  providers: [
    ThirdPartyEmailPasswordReact.Google.init(),
    ThirdPartyEmailPasswordReact.Facebook.init(),
  ],
  signUpForm: {
    formFields: [{
      id: "password",
      label: "Password",
      
      validate: async(value) => {
        const regex = /^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[@$!%*?&])[A-Za-z\d@$!%*?&]{8,20}$/
        if (regex.test(value)) {
          return undefined
        } else {
          return 'Password must be 8-20 characters long, contain at least one number, one uppercase letter, one lowercase letter, and one special character'
        }
      }
    }, {
      id: "passwordConfirm",
      label: "Confirm your Password",
      placeholder: "Please input your password again",

      validate: async(value) => {
        if (value !== document.querySelector("#supertokens-root").shadowRoot.querySelector('input[name="password"]').value) {
          return "Password does not match"
        }
        return undefined
      }
    }, { 
      id: "name",
      label: "Full Name",
      placeholder: "First name and last name",
    }]
  }
},
override:{
  components:{
    EmailPasswordSignUpForm_Override:({DefaultComponent, ...props}) => {
      useEffect(() => {
        let passwordConfirm = document.querySelector("#supertokens-root").shadowRoot.querySelector('input[name="passwordConfirm"]')
        console.log(passwordConfirm) //for checking purpose
        if (passwordConfirm){
          passwordConfirm.setAttribute("type", "password")
        }
      }, [])
      return <DefaultComponent {...props} />
    }
  }
},

For the third-party auth / passwordless recipe, is there an official way for prompting re-authentication when doing dangerous actions? E.g. Suppose we're an API company, and we want to allow users to revoke API keys. If the user wants to wants to revoke a key, we want to perform some sort of check, such as sending them an OTP via email.

Reeauth

Hi! I'm trying to access the verify email page, but it doesn't seem to exist. What's the setup here? Very few docs on this too.

Is there an SDK to fetch all active session like the one in the Saas? Not based on a single user.

Question I notice in frontend event overide it was using context. and when I inspect it in console there was a userContext object in there. Is that object different than input.userContext in backend? Because when I assign a value there, the frontend context.userContext is empty.

User context across frontend and backend

Quick clarification -- I'm using the Session and Email Verification recipes on the back and ST-website on the front (plain JS). When the user gets an email link to verify their email, I need to code in myself a way to take the token from the url and POST it to my backend through ST's exposed endpoint (

{{apiBasePath}}/auth/user/email/verify

by default)? Or am I misunderstanding and ST-website should be able to process that handshake for me (after the user clicks the verify link)?

Email verification with website sdk

getting this on hitting endpoint using this guide - https://supertokens.com/docs/passwordless/common-customizations/sessions/with-jwt/get-public-key

Redirect to mobile app after post login on web with the tokens

Hello, I am trying to call

SuperTokens.consumeCode()

but I get

consumeCode is not a function

Is there a difference with calling

/signinup/code/consume

directly? Because this works.

I try revoking by creating my own API followed in the ThirdPartyEmailPass for Next JS

js
export default async function logout(req: SessionRequest, res: any) {
    await superTokensNextWrapper(
        async (next) => {
            await verifySession()(req, res, next);
        },
        req,
        res
    )
    // This will delete the session from the db and from the frontend (cookies)
    await req.session!.revokeSession();

But the button that got wrapped in

js
const SessionAuthNoSSR = dynamic(
  new Promise((res) => {
    res(SessionAuth)
  }),
  {ssr: false}
)

Is not updating to no session state. Refreshing the page still have the same output. The only work around for now is to access the page wrapped in ThirdPartyEmailPasswordAuth That will kick user to auth page and then the button above will updated to the right state. The Button check useSessionContext() for updating the correct state

Tried deploying to heroku I can't login with any provider + email passowrd, stuck in /auth attach the heroku log above

Hi friends. Everything is working as expected except GET requests from my frontend do not include the cookies to the backend. Frontend in NextJS, backend FastAPI python. I have cookieDomain set on frontend and backend, that's what made the POST requests include the cookies. The basic issue is this: When a request comes from client side I have a rewrite defined in next.config.js, like this

javascript
const nextConfig = {
  reactStrictMode: true,
  async rewrites() {
    return [
      {
        source: '/api/:path*',
        destination: `${process.env["API_BASE_URL"]}/:path*`,
      },
    ]
  },
  env: {
    BASE_URL: process.env["BASE_URL"],
    API_BASE_URL: process.env["API_BASE_URL"]
  }
}

module.exports = nextConfig

When I make a post request from the client side like:

javascript
export default function Home() {
...
const req = await fetch(`/api/${endpoint}`, {
          method: 'POST',
          headers: {'Content-Type': 'application/json'},
          body: JSON.stringify(body)
          });

The above rewrite, rewrites /api/ to my backend url, cookies are included and I can see that in the backend like this:

INFO:     127.0.0.1:52558 - "POST /auth/signin HTTP/1.1" 200 OK
USER: c4a258b4-d5a8-45cc-9fcf-818af965eee3 creating short code...
INFO:     172.17.0.1:0 - "POST /create_short_code HTTP/1.1" 201 Created

However, when the request comes from the serverside in getserversideprops, like this:

javascript
export async function getServerSideProps({ params }) {
    const req = await fetch(`${process.env.API_BASE_URL}/all_short_codes`);
    const data = await req.json();
    
    return {
        props: { urls: data }
    }
}

The cookies are not included and the request comes from a different IP

INFO:     127.0.0.1:52558 - "POST /auth/signin HTTP/1.1" 200 OK
USER: c4a258b4-d5a8-45cc-9fcf-818af965eee3 creating short code...
INFO:     172.17.0.1:0 - "POST /create_short_code HTTP/1.1" 201 Created
INFO:     127.0.0.1:52567 - "POST /short_code HTTP/1.1" 200 OK
USER: anonymous requesting all short codes...
INFO:     127.0.0.1:52567 - "GET /all_short_codes HTTP/1.1" 200 OK

This could be because I'm developing this locally with docker and I have a host entry in my frontend container that points my api url to the host gateway like this:

bash
docker run --rm -it --add-host localapi.shtl.ink:host-gateway -p 3000:3000/tcp shtl-ink:local-dev

Otherwise, I'm not sure why this is happening, or how to fix it. Help appreciated 🙂

Here is the logs from the backend with the headers included, clearly something is different....

INFO:     Uvicorn running on http://0.0.0.0:8000 (Press CTRL+C to quit)
REQUEST_HEADERS: Headers({'host': 'localapi.shtl.ink:8000', 'connection': 'keep-alive', 'accept': '*/*', 'accept-language': '*', 'sec-fetch-mode': 'cors', 'user-agent': 'undici', 'accept-encoding': 'gzip, deflate'})
USER: anonymous requesting all short codes...
INFO:     127.0.0.1:52862 - "GET /all_short_codes HTTP/1.1" 200 OK
REQUEST_HEADERS: Headers({'x-forwarded-host': 'shtl.ink:3000', 'x-forwarded-proto': 'http', 'x-forwarded-port': '3000', 'x-forwarded-for': '172.17.0.1', 'cookie': 'sIRTFrontend=remove; sAccessToken="ACCESS_TOKEN_REMOVED_FOR_MESSAGE_LENGTH"; sIdRefreshToken=cc5bbc95-50cc-4935-8a8b-fb8c6db19211; sIRTFrontend=cc5bbc95-50cc-4935-8a8b-fb8c6db19211; sFrontToken=eyJhdGUiOjE2NTU2OTEwMjczNDMsInVpZCI6ImM0YTI1OGI0LWQ1YTgtNDVjYy05ZmNmLTgxOGFmOTY1ZWVlMyIsInVwIjp7fX0=', 'accept-language': 'en-US,en;q=0.9', 'accept-encoding': 'gzip, deflate', 'referer': 'http://shtl.ink:3000/', 'origin': 'http://shtl.ink:3000', 'accept': '*/*', 'content-type': 'application/json', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36', 'rid': 'anti-csrf', 'content-length': '37', 'connection': 'close', 'host': 'localapi.shtl.ink:8000'})
USER: c4a258b4-d5a8-45cc-9fcf-818af965eee3 creating short code...
INFO:     172.17.0.1:0 - "POST /create_short_code HTTP/1.1" 201 Created

I'm realizing that perhaps this is on purpose, since it doesn't make sense for cookies to be included in a request from the serverside.