SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Hi;

After moving around some code (some currifying, refactors and middlewares extraction); I'm getting a strange behavior with `verifySession`
- For `GET`s, I'm getting a 200
- For anything but a `GET`, I'm getting a `{ message: "Try refresh token" }`

Any known issues of this sort ?

hey <@184027357550608385> this usually happens when the anti-csrf token is missing from the request, as that's only needed for non GET requests.

Our frontend SDK should take care of adding the anti-csrf token on its own, but if you are using postman, then you will need to add it to request yourself.

You can find the anti-csrf token in the response headers for the sign in API and / or session refresh API calls.

> Our frontend SDK should take care of adding the anti-csrf token on its own, but **if you are using postman**, then you will need to add it to request yourself.

Great catch. Thanks

-------------
For reference in this thread : https://supertokens.com/docs/emailpassword/testing/testing-with-postman#2-session-verification

If I'd like to disable entirely anti-csrf for development only; can you confirm I should set (here https://supertokens.com/docs/emailpassword/common-customizations/sessions/anti-csrf)
- `"NONE"` for development
- `"VIA_TOKEN"` (or maybe just `undefined` ?) for producton

Yea - that works. Set `undefined` for production.