https://supertokens.com/
CSRF Protection for both NextJS and external API.
a_tree.

almost 2 years ago
Just wanted to confirm something. I see supertokens has CSRF built in by default. I personally use this with my Next.JS (app dir) application and external Express.JS API. Both share the same connection uri. I am essentially then allowing users to configure stuff on a dashboard (via the Next.JS application), which typically calls the built in Next.JS API, which then may call my external API. Basically, I am wondering if my external Express.JS API would also be protected from CSRF attacks by default, assuming configs are correct.
KeyError 'access_token' when fetching profile info via Google
jaynil_71939

about 2 years ago
Hi Team, We are getting a KeyError 'access_token' on our Flask backend when fetching profile info via Google: supertokens_python/recipe/thirdparty/providers/google.py in get_profile_info at line 58. We think it is likely that the signup API is being called twice and returning a 500 response from Google the second time, which means that the auth_code_response does not have the 'access_token' key, and instead returns the following error: { error: 'invalid_grant', error_description: 'Bad Request' }. We have looked at this thread https://discord.com/channels/603466164219281420/1113510798736752692 and its related GH issue (https://github.com/supertokens/supertokens-auth-react/issues/707) but haven't been able to come up with a solution. We also cannot reliably reproduce this error. Could we get some support / should the API be catching this to avoid the KeyError? Thank you in advance!
I'm getting this error: SuperTokens core threw an error for a POST request to path: '/recipe/session...
kbanman

over 2 years ago
I'm getting this error: SuperTokens core threw an error for a POST request to path: '/recipe/session/regenerate' with status code: 400 and message: The user payload contains protected field. My code looks like this:
await session.mergeIntoAccessTokenPayload({ sessionHandle: session.getHandle() });
How can I go about debugging this?
Hey all. My company is looking to transition over to SuperTokens. After looking at some things we se...
EJ

over 2 years ago
Hey all. My company is looking to transition over to SuperTokens. After looking at some things we see that our current auth solution uses PKCE, but it appears that SuperTokens does not support OAuth 2.0 flows, but that does not seem quite right to me. Would someone be able to point me towards the proper documentation to answer this question?
I just started getting these error messages: No instance of EmailPassword found.
funk101

about 3 years ago
I just started getting these error messages:
No instance of EmailPassword found.
Hi, I am trying to integrate Supertokens with echo-labstack. I followed this example https://github....
mvilrokx

over 1 year ago
Hi, I am trying to integrate Supertokens with echo-labstack. I followed this example https://github.com/supertokens/supertokens-golang/blob/master/examples/with-labstack-echo/main.go. Echo advocates to return errors from your Handlers, which will then be handled by their HTTP Error Handler (which you can customize). This works fine until I introduce the session.VerifySession in my middleware, as per the example (wrap it to turn it into a echo.MiddlewareFunc). As soon as I use this middleware on my routes, they always return 200 (empty body), no matter how many errors I return from my handlers. As soon as I remove the session.VerifySession echo'fied middleware, I get the actual errors. It seems as if the session.VerifySession middleware is swallowing the echo error and just returning a 200 instead. Anybody any idea what could be causing this?
Hi, I'm looking for some clarification on the pricing change that seemed to happen March 18th. Is mu...
Bailey

over 1 year ago
Hi, I'm looking for some clarification on the pricing change that seemed to happen March 18th. Is multi-factor authentication support via SMS something that we will be charged for even if we aren't using SuperToken's sending services? We're using our own service to send the text message after overriding the smsDelivery function, under the Passwordless recipe, and we were not expecting the new $100/month price minimum.
I've got a super weird problem trying to implement Supertokens in a NextJS app for the first time. U...
WonderPandaDev

about 2 years ago
I've got a super weird problem trying to implement Supertokens in a NextJS app for the first time. Using a NestJS backend and everything appears to be configured properly but when I try to sign up with Nest it hits my NestJS backend and then returns a 404. If I hit the exact same URL from the failed network request using CURL it works just fine, e.g. http://localhost:3000/api/auth/signup/email/exists?email={email} returns the expected result. If I visit the email exists URL directly in the browser it also prints the expected JSON. For some reason though the fetch that's getting triggered from the Next app always returns 404 🤔 It's not a CORS error... just a 404 as if the endpoint doesn't exist. I can log and see it hitting the supertokens middleware in all cases
What's the best way to manage users (updating user information, resetting passwords) when there are ...
goodgravy

over 2 years ago
What's the best way to manage users (updating user information, resetting passwords) when there are many users? The dashboard doesn't appear to support search and we can't page through 1000s of users…
Hey, i have a auth web set up with react and i want to redirect upon successful sign in to a differe...
Diesel

over 3 years ago
Hey, I have an auth web set up with React and I want to redirect upon successful sign in to a different URL (my app). The auth web and the app web are in the same subdomain, so I have, for example, https://auth.my.subdomain.com and https://app.my.subdomain.com. I tried using getRedirectionURL:
getRedirectionURL: async (context) => {
    if (context.action === "SUCCESS") {
        let redirectUrl = context.redirectToPath

        if (redirectUrl !== undefined) {
            console.log("yoo redirected path");
            console.log(redirectUrl)
            // we are navigating back to where the user was before they authenticated
            return redirectUrl
        }
    }
    return undefined;
},
I call the sign in with redirectToPath in the URL like so: https://auth.my.subdomain.com/auth?redirectToPath=https://www.app.my.subdomain.com and I get that the context.redirectToPath is empty and it just redirects me to the home page of my auth web instead of to my web app. When I tried setting the web app URL hardcoded in the return of getRedirectionURL, it works like a charm and redirected me to the web app. Any idea if this is possible? Or are only paths allowed to be redirected to? (Thanks for the help you have given me so far.)
SuperTokens.com

SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).