Hi there, I have a react app using supertokens. I ...
# support-questions-legacyb
bitcoinrippin
04/22/2023, 2:04 PMHi there, I have a react app using supertokens. I have a settings page where my users can update their account settings. The route is like so:
http://localhost:3000/settings/aaron17
I need to make sure that user A cannot navigate to the settings for user B. How can I ensure that users can only navigate to their own settings page?
I think on the back end, I can just 1) make sure the user is logged in, 2) compare their username to the username they are requesting data for 3) return an error if theyre requesting data for a user that is not themselves
r
rp_st
04/22/2023, 2:11 PMhey @bitcoinrippin yea that works! You can also store the user's username in their session and check the access token payload on the frontend when they navigate to the their settings page, and if the user name in the path doesn't match that in the access token payload, redirect them to the right page
b
bitcoinrippin
04/22/2023, 2:17 PMthis is my front end
https://cdn.discordapp.com/attachments/1099334875519127682/1099338118009733170/image.png▾
bitcoinrippin
04/22/2023, 2:17 PMback end
https://cdn.discordapp.com/attachments/1099334875519127682/1099338168509136917/image.png▾
bitcoinrippin
04/22/2023, 2:17 PMwhich is for some reason causing an infinite loop
https://cdn.discordapp.com/attachments/1099334875519127682/1099338277888208896/image.png▾
r
rp_st
04/22/2023, 2:18 PMdon't send a 401
rp_st
04/22/2023, 2:18 PMsend a 403
b
bitcoinrippin
04/22/2023, 2:18 PMdo you know if supertokens is intercepeting the 401 and trying to refresh the session?
r
rp_st
04/22/2023, 2:18 PM401 is for session refreshing
b
bitcoinrippin
04/22/2023, 2:18 PMawesome
r
rp_st
04/22/2023, 2:18 PM403 is for bad permission
b
bitcoinrippin
04/22/2023, 2:18 PMyoure a beast
bitcoinrippin
04/22/2023, 2:19 PMyeah that worked.
bitcoinrippin
04/22/2023, 2:19 PMlegendary support at supertokens 🙂