• rp

    2 years ago
    However, with HashiCorp Vault, even if you store this key in it, you still require another key to actually access the vault. And if you do that, then you are not really solving security. You are just passing on the responsibility from one key to another.
  • Sun Walker

    2 years ago
    I've asked this question before, but it might be good to have some more clarity: if I authenticate a user in SuperTokens (login) or register one, the req.headers have sAccessToken, sRefreshToken, and sIdRefreshToken. Therefore these all exist with every request made by the user. So is it not dangerous to allow the sRefreshToken and sIdRefreshToken to be sent with every request?
  • Sun Walker

    2 years ago
    I.e. with every request, you must send sAccessToken and sIdRefreshToken (because if you don't, it throws an error).
  • Sun Walker

    2 years ago
    And does /refresh work with only sRefreshToken, or does it need both? (It seems to work with just one as well.)
  • rp

    2 years ago
    So all APIs except for /refresh need sAccessToken and sIdRefreshToken. sIdRefreshToken by itself doesn't give access to anything. So mainly sAccessToken is the critical token here.
  • rp

    2 years ago
    Only sRefreshToken is needed for the /refresh API.
  • rp

    2 years ago
    The frontend SDK will take care of sending these tokens for you.
  • Sun Walker

    2 years ago
    Hey, so another question: right now I went into psql and ran
    drop table sessions;
    and
    drop table past_tokens
    Then I did supertokens stop dev, supertokens start dev.
  • Sun Walker

    2 years ago
    But the requests I make with the old session are still working.
  • Sun Walker

    2 years ago
    How come?