I've got a particular workflow in mind


04/24/2023, 7:40 PM
I've got a particular workflow in mind here and maybe this is not supported by Supertokens; I figure asking might save me a lot of guessing or frustration. Here's the basic idea:
- Client is a desktop (Electron) app, so it should be possible to build the login stuff into this
- There's an API gateway on the backend that sends the API call rest/v1/auth/... to the backend golang service that's based on the generated example code
- I would like this backend service to issue (and eventually enrich) a JWT that other backend services will use
- Said other backend services are Kotlin/JVM, so they'll want to verify and decode the JWT to check that user A is authorized to access the data of company X, but that's fairly straightforward.
So that's the goal, broadly, and generally I think I can do it, but I'm open to hearing I'm wrong 😅 But here's the problem: I'm stuck trying to run the backend service on anything other than my dev machine. It's because of CORS issues: because hypothetically client origins could be anywhere, I think I want allow-origin to be '*', but that leads to errors about "Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'". And the docs say to add the origin location, but I think I want to allow login from the wider world of clients. Or do I need to rewrite the origin of the request at the API gateway level? Or maybe I'm missing something obvious. Thanks and sorry this is long!
I think I solved it by changing the calling client to use Session.init({ tokenTransferMethod: 'header', autoAddCredentials: false }), but we'll see if that works!


04/25/2023, 6:35 AM
Yeah, this should work. But I would recommend setting a specific domain list in CORS and also using cookie-based auth instead of header-based (this setup is more secure).


04/26/2023, 3:26 PM
Thanks for verifying. I was able to make it work by asking the Supertokens authorizer app (frontend JWT client) to go through the API and use HTTPS there, even though it lives in the subnet with the backend.
I can probably switch back to cookie-based rather than header-based at this point. The JWT is what I really want. 🙂