Channels
#support-questions
- y
yukimat
05/11/2021, 9:12 AMThank you! I understand about flutter. - m
michaelzhuk
05/11/2021, 11:04 AM@rp I investigated the issue a little bit more. I think the issue is related to that our app is running in iframe. Everything seems to be fine outside iframe. Here are cookies I have - m
michaelzhuk
05/11/2021, 11:06 AMAFAIK for cookies to work in iframe they must be
. TheSecure: true; SameSite: none
one doesn't meet this requirement and (my guess) is not used by browser.sIRTFrontend - m
michaelzhuk
05/11/2021, 11:22 AMLooking at /refresh request. I was right regarding the cookie policy. Notice the warning popup - r
rp
05/11/2021, 11:27 AMI see. Those two cookies are set by the frontend, and consumed by the frontend itself. - r
rp
05/11/2021, 11:28 AMSince they have no sameSite set, is it that they are not being set in the first place, and therefore the frontend (code that runs in the iframe) gets a null when reading them? - m
michaelzhuk
05/11/2021, 11:34 AMI can confirm that they are not being sent to the backend. Not sure if they can still be set/used by the frontend. Checking - r
rp
05/11/2021, 11:35 AM> Not sure if they can still be set/used by the frontend They are only needed on the frontend. So that's all that matters really. - m
michaelzhuk
05/11/2021, 11:56 AMWhen I login inside iframe, only these cookies are set - m
michaelzhuk
05/11/2021, 11:57 AMI'd try adding SameSite=none to those cookies - r
rp
05/11/2021, 11:58 AMgot it. So if we set sameSite to be none, that will require the domain to be https right? How would one go about using https in localhost (when developing)? - r
rp
05/11/2021, 11:58 AMand if we set it to lax, then it won't get set either way (since by default it's lax). - m
michaelzhuk
05/11/2021, 12:00 PMI think only
is required if it's going to be used by frontend onlySameSite - r
rp
05/11/2021, 12:01 PMbut doesn't samesite none require that the domain it's under is https? - r
rp
05/11/2021, 12:01 PMand since the domain for these two cookies are the same as the website / iframe domain, those will need to be https? - r
rp
05/11/2021, 12:02 PMi'll try to set it to none and see what happens. - m
michaelzhuk
05/11/2021, 12:03 PMI'm not sure... In our case website/iframe domains are different but they're both using https - r
rp
05/11/2021, 12:04 PMyes that's in production. However in dev, they will be http correct? - m
michaelzhuk
05/11/2021, 12:05 PMI'm using ngrok for development, so it's https too - r
rp
05/11/2021, 12:07 PMoooo! understood. - r
rp
05/11/2021, 12:07 PMWill try and fix this today. - r
rp
05/11/2021, 12:18 PM@User Can you please do the following and then try to use the iframe and see if it works: - Go to supertokens-website folder inside node_modules - In there, open lib > build > fetch.js - For each of the following lines, add
at the end of the string (before the closing "). For example, if a line issamesite=none
, then change it toID_REFRESH_TOKEN_NAME + "=" + cookieVal + ";expires=" + expires + ";path=/";
Lines: - https://github.com/supertokens/supertokens-website/blob/master/lib/build/fetch.js#L1138 - https://github.com/supertokens/supertokens-website/blob/master/lib/build/fetch.js#L1141 - https://github.com/supertokens/supertokens-website/blob/master/lib/build/fetch.js#L1221 - https://github.com/supertokens/supertokens-website/blob/master/lib/build/fetch.js#L1224 - https://github.com/supertokens/supertokens-website/blob/master/lib/build/fetch.js#L1318 - https://github.com/supertokens/supertokens-website/blob/master/lib/build/fetch.js#L1321ID_REFRESH_TOKEN_NAME + "=" + cookieVal + ";expires=" + expires + ";path=/;samesite=none"; - r
rp
05/11/2021, 12:20 PMAlso, you may want to set
value in the backend (Session.init) toantiCsrf
. Since you will be using an iframe."VIA_TOKEN" - m
michaelzhuk
05/11/2021, 12:33 PMYes. I'll get back in a couple of hours with the result of this. - r
rp
05/11/2021, 1:03 PMthanks! - r
rp
05/11/2021, 3:40 PM@User instead of trying the above, please try the following: - Update your supertokens-auth-react dependency to
- Delete yarn.lock file, and runsupertokens/supertokens-auth-react#0.13
. This should install new versions ofyarn install
(0.13.0) andsupertokens-auth-react
(7.1.0). - In the frontend config, changesupertokens-website
toSessionReact.init()
. - In backend config, changeSessionReact.init({ isInIframe: true })
toSessionNode.init({ cookieSameSite: "none" })
- Try logging in via the iframe, and it should work.SessionNode.init({ cookieSameSite: "none", antiCsrf: "VIA_TOKEN" }) - h
Healsies
05/12/2021, 4:14 AMI'm farting about with the supertokens context in react, and i'm finding the variables im getting from useSessionContext() aren't updating when i log in or log out. I am misunderstanding contexts or is this supposed to happen automatically? - r
rp
05/12/2021, 4:43 AM@Healsies yea that’s an open issue at the moment. Have you wrapped your entire app with the auth wrapper? Or just individual routes that need auth to be accessed? - r
rp
05/12/2021, 4:44 AMIf you use them with individual routes that need auth to be accessed, it will work just fine (since logged in status in those routes won’t change). - r
rp
05/12/2021, 4:46 AMthis is the issue to watch for this feature: https://github.com/supertokens/supertokens-auth-react/issues/228