I have another Apple issue. This time it's using the "native" flow, meaning on iPhone it shows an interactive FaceID prompt. I think Apple calls it 'popup'. Web works. The requests appear to be the same. I'm getting the following error:

Auth state verification failed. The auth provider responded with an invalid state

In my /api/auth/...path.js file the body comes in as empty. Is there any middle ware firing before this that I should look at?

export default async function superTokens(req, res) {
    console.log("API req.query: ", req.query)
    console.log("API req.url: ", req.url)
    console.log("API req.body: ", req.body)

    // NOTE: We need CORS only if we are querying the APIs from a different origin
    await NextCors(req, res, {
        methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"],
        origin: websiteDomain,
        credentials: true,
        allowedHeaders: ["content-type", ...supertokens.getAllCORSHeaders()]
    })

    await superTokensNextWrapper(
        async (next) => {
            // This is needed for production deployments with Vercel
            res.setHeader("Cache-Control", "no-cache, no-store, max-age=0, must-revalidate")
            await middleware()(req, res, next)
        },
        req,
        res
    )
    if (!res.writableEnded) {
        res.status(404).send("Not found")
    }
}

hey @davido_k

Sorry, I don’t mean “native” but web-based with the iOS “pop up”. Does that still apply here? I can’t find the docs but will take another look.

Right. Perhaps @nkshah2 can help here.

Hi @davido_k , Just want to make sure I understand correctly. You are using face id on the web to log users into your app and thats failing with the SuperTokens web SDK?

@nkshah2 correct. I’m calling getAuthorisationURLWithQueryParamsAndSetState on button click. It’ll redirect via Web in most browsers but iOS or Safari will trigger the popup flow. Both versions redirect back to /api/auth/callback/apple but the popup version has no state or code. I don’t know why. My suspicion is there’s a middleware invalidating it before it gets to the method above but haven’t found it yet.

what does the popup version send to /api/auth/callback/apple?

I put it in the second message. I think it was outside the thread. Let me find it.

What happens after it calls the api on the backend? There seems to be some redirection happening (308 status code). Where is that from?

hey @davido_k we could go through your setup on a call to see what's going on. please use this link to book a comfortable time - https://calendly.com/sattvik-supertokens/30min

Sorry I’ve been away for a couple of days. I’ll find some time with this link. The redirect is from next.js and has been a little bit of a pain. I’ll disable it to make sure it’s not the issue. I didn’t consider this since it looks like a good redirect and works with the other flow.