https://supertokens.com/ logo
Channels
Powered by
#support-questions
  • r

    rp

    04/30/2021, 12:53 PM
    And are your API and website domain different?
  • m

    michaelzhuk

    04/30/2021, 12:53 PM
    Domains are the same. Let me check regarding interceptors.
  • r

    rp

    04/30/2021, 12:54 PM
    Right. Can I see the frontend and backend config please? Cause you shouldn't be requiring anti-csrf tokens if the domains are the same.
  • m

    michaelzhuk

    04/30/2021, 12:55 PM
    I played with the csrf configuration and then reverted it back. I also cleared cookies/local storage manually.
  • m

    michaelzhuk

    04/30/2021, 12:56 PM
    Copy code
    export let frontendConfig = () => {
  return {
    useReactRouterDom: false,
    appInfo,
    recipeList: [
      ThirdPartyEmailPasswordReact.init({
        signInAndUpFeature: {
          providers: [],
        },
        async getRedirectionURL(context) {
          console.log("> CONTEXT", context)
          if (context.action === "SUCCESS") {
            return "/brand"
          }
        },
        onHandleEvent(context) {
          switch (context.action) {
            case "SUCCESS":
              window.opener?.location.reload()
              window.close()
          }
        },
      }),
      SessionReact.init(),
    ],
  }
}

export let backendConfig = () => {
  return {
    supertokens: {
      connectionURI: process.env.SUPERTOKENS_DOMAIN,
      apiKey: process.env.SUPERTOKENS_API_KEY,
    },
    appInfo,
    recipeList: [
      ThirdPartyEmailPasswordNode.init({
        signUpFeature: {
          handlePostSignUp: async (user) => {
            const { id, email } = user
            try {
              await fetchApi("/api/users/create", { id, email })
            } catch (error) {
              console.log("> Failed to sign up", error)
            }
          },
        },
      }),
      SessionNode.init(),
    ],
    isInServerlessEnv: true,
  }
}
  • r

    rp

    04/30/2021, 12:57 PM
    What is the value of 
    appInfo
    ?
  • m

    michaelzhuk

    04/30/2021, 12:58 PM
    Copy code
    let appInfo = {
  appName: "Off Script",
  websiteDomain: siteUrl,
  apiDomain: siteUrl,
  apiBasePath: "/api/auth/",
}
    siteUrl is the url where my app is running
  • r

    rp

    04/30/2021, 12:58 PM
    got it.
  • r

    rp

    04/30/2021, 12:58 PM
    So you shouldn't be requiring CSRF tokens at all.. can you please try and query again?
  • m

    michaelzhuk

    04/30/2021, 12:59 PM
    yes, few minutes
  • m

    michaelzhuk

    04/30/2021, 1:03 PM
    Here is how it's called in my api route
    Copy code
    supertokens.init(SuperTokensConfig.backendConfig())
  ...
  let session

  try {
    session = await getSession(req, res)
  } catch (error) {
    console.log("> INSERT ERROR", error)
    return res.status(401).json({ error: "Unauthorized" })
  }
  • r

    rp

    04/30/2021, 1:03 PM
    What version of the core are you using?
  • m

    michaelzhuk

    04/30/2021, 1:04 PM
    you mean supertokens version?
  • m

    michaelzhuk

    04/30/2021, 1:04 PM
    Copy code
    "supertokens-auth-react": "^0.9.0",
    "supertokens-node": "^4.3.1",
  • r

    rp

    04/30/2021, 1:04 PM
    the core version (if you visit the supertokens dashboard, you will see the core version)
  • m

    michaelzhuk

    04/30/2021, 1:05 PM
    @User can you check this, please?
  • r

    rp

    04/30/2021, 1:05 PM
    Ah ok.. nvm, it's probably one of the latest versions.
  • m

    michaelzhuk

    04/30/2021, 1:09 PM
    Last week I had another issue. I cleared all cookies but I could still 
    getSession
    on the backend. Wondering how it possible?
  • r

    rp

    04/30/2021, 1:10 PM
    cause there is a refresh cookie which is tied to 
    /api/auth/session/refresh
    which also needs to get cleared. And that can only be accessible if you navigate to that on your browser (if using chrome)
  • r

    rp

    04/30/2021, 1:12 PM
    so if you didn't clear that manually, then there would have been an automatic refreshing giving you a new access token, in which case the 
    getSession
    would work with that
  • r

    rp

    04/30/2021, 1:13 PM
    if the 
    apiDomain
    and 
    websiteDomain
    are the same, i'm not sure how it's possible for antiCsrf to be enabled.. are you sure there is no where else where this anti-csrf is being set to true?
  • m

    michaelzhuk

    04/30/2021, 1:16 PM
    Yes, I'm sure
  • k

    kakashi_44

    04/30/2021, 1:16 PM
    Hey @User , can you try clearing the localstorage and see if the issue persists
  • m

    michaelzhuk

    04/30/2021, 1:17 PM
    but as I said, I played with this param yesterday and then removed it
  • m

    michaelzhuk

    04/30/2021, 1:19 PM
    tried a lot of times 🙂
  • r

    rp

    04/30/2021, 1:29 PM
    Can you try to clear cookies & localstorge on: - {websiteDomain} - {apiDomain/api/auth/session/refresh} - restart your backend process
  • r

    rp

    04/30/2021, 1:29 PM
    So essentailly, when you query 
    getSession
    , you should get unauthorised error. And then create a new session, and try to use that
  • r

    rp

    04/30/2021, 1:37 PM
  • r

    rp

    04/30/2021, 1:37 PM
    Since 
    getSession
    throws multiple types of errors which are all handled by 
    verifySession
  • r

    rp

    04/30/2021, 1:40 PM
    oh right!! I see how this could have happened.. you should remove the file 
    /tmp/supertokens-handshakeInfo
1...899091...343Latest