Hi; After moving around some code (some currifying, refactors and middlewares extraction); I'm gett...

Chimanos

04/03/2023, 9:37 AM

Hi; After moving around some code (some currifying, refactors and middlewares extraction); I'm getting a strange behavior with

verifySession

- For `GET`s, I'm getting a 200 - For anything but a

GET

, I'm getting a

{ message: "Try refresh token" }

Any known issues of this sort ?

rp_st

04/03/2023, 9:40 AM

hey @Chimanos this usually happens when the anti-csrf token is missing from the request, as that's only needed for non GET requests. Our frontend SDK should take care of adding the anti-csrf token on its own, but if you are using postman, then you will need to add it to request yourself. You can find the anti-csrf token in the response headers for the sign in API and / or session refresh API calls.

Chimanos

04/03/2023, 9:40 AM

> Our frontend SDK should take care of adding the anti-csrf token on its own, but if you are using postman, then you will need to add it to request yourself. Great catch. Thanks

Chimanos

04/03/2023, 9:42 AM

------------- For reference in this thread : https://supertokens.com/docs/emailpassword/testing/testing-with-postman#2-session-verification

Chimanos

04/03/2023, 9:53 AM

If I'd like to disable entirely anti-csrf for development only; can you confirm I should set (here https://supertokens.com/docs/emailpassword/common-customizations/sessions/anti-csrf) -

"NONE"

for development -

"VIA_TOKEN"

(or maybe just

undefined

?) for producton

rp_st

04/03/2023, 10:14 AM

Yea - that works. Set

undefined

for production.

rp_st

04/03/2023, 10:15 AM

And

"NONE"

for development

5 Views

Previous Next

SuperTokens.com

SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).