DLighten08
04/25/2023, 2:07 PM

daledigital
04/25/2023, 10:33 PM
Session.attemptingRefreshingSession() from the browser (supertokens-web-js package) which fails to find the access token in the cookie. As far as I can tell, it looks like the cause is the API not being able to find the sAccessToken cookie, which isn't part of the request as it is httpOnly.
DLighten08
04/26/2023, 4:49 AM

rp
04/26/2023, 5:22 AM
401 is called.
- The sign in response headers (Screenshot from chrome's network tab)
Session.attemptingRefreshingSession() manually. Our network interceptors on the frontend should do auto refreshing - is that not happening?

DLighten08
04/26/2023, 5:31 AM
https://cdn.discordapp.com/attachments/1100422802256969788/1100655294759043153/Screenshot_2023-04-26_at_10.57.00_AM.png
https://cdn.discordapp.com/attachments/1100422802256969788/1100655294985539584/Screenshot_2023-04-26_at_10.57.29_AM.png
https://cdn.discordapp.com/attachments/1100422802256969788/1100655295233019934/Screenshot_2023-04-26_at_10.59.04_AM.png
https://cdn.discordapp.com/attachments/1100422802256969788/1100655504931434526/Screenshot_2023-04-26_at_11.01.36_AM.png
rp
04/26/2023, 5:32 AM

DLighten08
04/26/2023, 5:40 AM

rp
04/26/2023, 5:47 AM
UNAUTHORISED error, but the golang server is still returning a 200.
Have you followed our guides properly? Seen the golang example apps: https://github.com/supertokens/supertokens-golang/tree/master/examples

DLighten08
04/26/2023, 5:49 AM

rp
04/26/2023, 5:49 AM

mayankgopronto
04/26/2023, 5:57 AM
```go
r := chi.NewRouter()
// CORS runs first so preflight requests to the auth routes get the right
// headers; AllowCredentials is needed for the session cookies to be sent
// cross-origin, and the SuperTokens request headers must be allowed.
r.Use(cors.Handler(cors.Options{
	AllowedOrigins:   append([]string{ar.cfg.WebsiteDomain}, ar.cfg.CORSDomains...),
	AllowedMethods:   []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
	AllowedHeaders:   append([]string{"Content-Type"}, supertokens.GetAllCORSHeaders()...),
	AllowCredentials: true,
}))
// Mounts the SuperTokens auth APIs (sign in, refresh, ...) on the router.
r.Use(supertokens.Middleware)
// Protected route: VerifySession rejects requests without a valid session.
r.Get("/session-info", session.VerifySession(nil, ar.GetSessionInfo))
```
rp
04/26/2023, 7:21 AM

DLighten08
04/26/2023, 7:21 AM

rp
04/26/2023, 7:23 AM

mayankgopronto
04/26/2023, 8:03 AM
supertokens.Init() I had passed custom ErrorHandlers. But I hadn't set 401 in OnUnauthorised() override. That's why it returned 200 as the default.
Thanks, fun debugging exercise anyway. 🙂

rp
04/26/2023, 8:08 AM

daledigital
04/26/2023, 8:25 AM
/auth/refresh-session when TRY_REFRESH_TOKEN or UNAUTHORISED is returned by the server-side SessionNode.getSession
rp
04/26/2023, 8:29 AM
attemptingRefreshingSession. But is that not working?

daledigital
04/26/2023, 8:42 AM
SessionWeb.attemptRefreshingSession works correctly as far as I can see. It successfully finds the refresh token in the cookie then attaches the refreshed session as a cookie in its response.
The problem appears to be in the invocation of SessionNode.getSession. This always results in UNAUTHORISED after executing milliseconds after the client-side refresh.
UNAUTHORISED, I redirect back to the client-side refresh route and that creates the loop.

rp
04/26/2023, 8:55 AM
SessionNode.getSession returns UNAUTHORISED (after client refresh)

daledigital
04/26/2023, 8:57 AM
SessionNode.getSession)

rp
04/26/2023, 8:59 AM
Sending response to client with status code: 200, there are no more logs from getSession?

daledigital
04/26/2023, 9:00 AM

rp
04/26/2023, 9:03 AM

daledigital
04/26/2023, 9:04 AM
```js
appInfo: {
    appName: "My Site",
    apiDomain: process.env.VERCEL_URL ?? "http://localhost:5173",
    websiteDomain: process.env.VERCEL_URL ?? "http://localhost:5173",
},
```
http://localhost:5173/auth/[...] and the client-side session handling is also there: http://localhost:5173/auth/callback/linkedin and http://localhost:5173/auth/refresh-session

rp
04/26/2023, 9:11 AM
/api/auth or something

daledigital
04/26/2023, 9:12 AM

rp
04/26/2023, 9:13 AM
http://localhost:5173/auth/... should our middleware handle it? Or should the webserver route?

daledigital
04/26/2023, 9:19 AM
https://cdn.discordapp.com/attachments/1100422802256969788/1100712683986239610/image.png

rp
04/26/2023, 9:21 AM

daledigital
04/26/2023, 9:22 AM

rp
04/26/2023, 9:22 AM

daledigital
04/26/2023, 9:23 AM
https://cdn.discordapp.com/attachments/1100422802256969788/1100714076469993512/image.png

rp
04/26/2023, 9:26 AM

daledigital
04/26/2023, 9:27 AM
https://cdn.discordapp.com/attachments/1100422802256969788/1100714883315679262/image.png

rp
04/26/2023, 9:28 AM

daledigital
04/26/2023, 9:29 AM

rp
04/26/2023, 9:30 AM

daledigital
04/26/2023, 9:34 AMreq
and res
are not compatible with ExpressJS req
and res
- I've (horribly) built custom request and response objects to pass to the middleware.
Quite possible that the cookie setter has a bug....
https://cdn.discordapp.com/attachments/1100422802256969788/1100716522642608188/image.png▾
/auth/[...]
endpoint handlerrp
04/26/2023, 9:35 AMdaledigital
04/26/2023, 9:36 AMsAccessToken
to be set in the refresh response? I'll comb through supertokens-node
to see what method it's doing to set the cookierp
04/26/2023, 9:37 AMdaledigital
04/26/2023, 9:39 AM
https://cdn.discordapp.com/attachments/1100422802256969788/1100717802521890896/image.png

rp
04/26/2023, 9:39 AM

daledigital
04/26/2023, 12:18 PM
= is problematic when retrieving the value from a cookie.
Here's my access token from SuperTokens:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0=.[...].p5z2/F7RjUSVmFWrICLQbl06mL9a6IxEQKrr+14gjdYfRlvg5ODJQxABSvrjZsPv9kxo3mayANffPlzsaMgRMTuSAgTM5NbdXeh0XKWl6WVfA6CAtke9HnHRJPWtK5UnkN2el+puqPGQYECKJJ5M0oeo6zwI4HwtWnMGLFNuWLH8t5CwT/9aKKbOGiROCEB/41YL1+To8FB6zBXmSMn5a4h3Burf2SE9PNjraaxNKSW5LA+x9LiBNKKbaafAGMHTlNos1qNi+tPlf+o//qKGchmZYpnMzx+ny0XQB5iX4Rfp8V7zAlf41jrO+BR92MCX1U98m8qarU10RZeZQQoGwQ==
When fetching the access token from the Qwik City framework, the value is:
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0
Qwik City is parsing the cookie from the header and splitting the cookie key-values by =

rp
04/26/2023, 12:21 PM
https://cdn.discordapp.com/attachments/1100422802256969788/1100758609647902730/Screenshot_2023-04-26_at_17.51.25.png

daledigital
04/26/2023, 12:24 PM
=: bug in their approach on line 63
https://cdn.discordapp.com/attachments/1100422802256969788/1100759385296355459/image.png

rp
04/26/2023, 12:25 PM

DLighten08
04/28/2023, 10:17 AM

rp
04/28/2023, 10:17 AM

DLighten08
04/28/2023, 10:17 AM