Infinite refresh loop in react native

Malik Khoja

04/26/2023, 4:24 PM
@nkshah2 Can you please help?

nkshah2

04/26/2023, 4:44 PM
Hi @Malik Khoja What backend sdk and version are you using?

rp

04/26/2023, 6:21 PM
This is the original question (for reference): We are using SuperToken(3.2.0) in our React Native Application(0.70.6) Android. We encountered an ANR issue in a few of the devices where SuperToken goes into a loop to get the access token, which results in an ANR. One scenario we encountered is that it occurs if the user changes the date or time.

Malik Khoja

04/27/2023, 4:23 AM
Ok

rp

04/27/2023, 5:34 AM
@Malik Khoja which backend SDK are you using?

Malik Khoja

04/27/2023, 6:00 AM
supertoken/node - 12.1.5
Sorry for the late reply
We can see in our backend that multiple sessions are being created for the same user. Can this be a reason for ANR?
@nkshah2 @rp Please let us know as this is creating a lot of issues at our end in the Production environment

rp

04/27/2023, 6:28 AM
which frontend sdk are you using? And which version?
> that multiple sessions are being created for the same user.
What do you mean? There should only be one session per user login right?

Malik Khoja

04/27/2023, 6:51 AM
Yes there should be
We are using SuperToken(3.2.0) in our React Native Application(0.70.6) Android.
Can you help us understand what can cause multiple sessions to be created?

rp

04/27/2023, 7:07 AM
which version of our frontend SDK are you using?
and which frontend SDK?
> Can you help us understand what can cause multiple sessions to be created?
One user login should create one session for them. So if a user logs into many devices at the same time, they will have multiple sessions - one per device.

Malik Khoja

04/27/2023, 7:21 AM
Ohk
SuperToken(3.2.0)
Front end sdk version

rp

04/27/2023, 7:23 AM
which sdk is this?
android? ios? react native
"SuperToken(3.2.0)" -> what's this?
> if user changes the date or time it occurs
This can cause issues in which the backend and frontend go out of sync.. so if the date / time is not the real time, it can cause this.
does the infinite loop happen even if the user does not change the date / time?

Malik Khoja

04/27/2023, 7:31 AM
react native

rp

04/27/2023, 7:32 AM
you are not being very helpful. I'm sorry - can't really help out here without more info on what might be wrong

Malik Khoja

04/27/2023, 7:33 AM
What info do you need?

rp

04/27/2023, 7:33 AM
- how to reproduce the issue.
- If you have any backend debug logs.
- If you have any backend error stack trace relevant to this issue.

Malik Khoja

04/27/2023, 7:35 AM
For all of my customers, device id is empty in supertoken. We believe this is causing multiple sessions.
Can you help me understand from where SuperToken picks the Device ID?

rp

04/27/2023, 7:35 AM
it doesn't
I'm not sure what you mean by device ID

Malik Khoja

04/27/2023, 7:36 AM
Ok, so how does super token identify a unique user? As you mentioned earlier, it will create a unique session for one device

rp

04/27/2023, 7:36 AM
based on the login method

Malik Khoja

04/27/2023, 7:36 AM
there is a table passwordless_devices
What do u mean by Login Method?

rp

04/27/2023, 7:37 AM
that table is only used during login.. it stores the passwordless login session.

Malik Khoja

04/27/2023, 7:37 AM
we are only using passwordless login method

rp

04/27/2023, 7:37 AM
right..

Malik Khoja

04/27/2023, 7:37 AM
and we can see multiple sessions created for the same user
So we need to understand the root cause of why it would be happening

rp

04/27/2023, 7:38 AM
are they logging into multiple devices?

Malik Khoja

04/27/2023, 7:38 AM
No

rp

04/27/2023, 7:38 AM
is your session flow even working?
refreshing / sign out etc.

Malik Khoja

04/27/2023, 7:38 AM
Also, how do u even identify unique devices?

rp

04/27/2023, 7:38 AM
when you sign out, does it clear the session from the database?
> how do u even identify unique devices?
We don't need to!
this issue has nothing to do with passwordless login
first we need to make sure that session works
does sign out work as expected?

Malik Khoja

04/27/2023, 7:39 AM
Yes it works
Signout is working fine

rp

04/27/2023, 7:39 AM
it clears the session from the db?
what's this issue about? infinite refresh loop or something else?
I'm quite confused.

Malik Khoja

04/27/2023, 7:40 AM
Yes it does. When the user doesn't do signout and the session is still open

rp

04/27/2023, 7:40 AM
hmm. okay

Malik Khoja

04/27/2023, 7:40 AM
So for example, if I log in today with the passwordless method and then the next day I open my app, then it doesn't get opened
and multiple sessions are created
no Signout done
here

rp

04/27/2023, 7:40 AM
hm
you can reproduce this issue?

Malik Khoja

04/27/2023, 7:41 AM
Yes we can as it causes ANR

rp

04/27/2023, 7:41 AM
where all are you creating a session on the backend?

Malik Khoja

04/27/2023, 7:41 AM
Android Not Responding and it crashes the app

rp

04/27/2023, 7:41 AM
where all are you creating a session on the backend?

Malik Khoja

04/27/2023, 7:41 AM
Only when the user logs in

rp

04/27/2023, 7:42 AM
right. So you are saying after one day of logging in, when I visit the app, it causes multiple sessions to be created? Does this happen if I visit the app less than one day after logging in?

Malik Khoja

04/27/2023, 7:42 AM
No it doesn't

rp

04/27/2023, 7:42 AM
hmm.

Malik Khoja

04/27/2023, 7:42 AM
It happens after one day only

rp

04/27/2023, 7:42 AM
24 hours? Or just past midnight?

Malik Khoja

04/27/2023, 7:42 AM
and when I clear my app data, everything works as it clears all the tokens from the cookies
past midnight

rp

04/27/2023, 7:43 AM
i see.

Malik Khoja

04/27/2023, 7:43 AM
as we have tested this with less than 24hrs also

rp

04/27/2023, 7:43 AM
what are the API calls that are made when this happens? Do you have logs for that?

Malik Khoja

04/27/2023, 7:44 AM
Unfortunately no

rp

04/27/2023, 7:44 AM
if you can reproduce it, then maybe you can see the backend logs at the time this happens? I would need more info

Malik Khoja

04/27/2023, 7:45 AM
hmm ok
We are just trying to understand why multiple sessions are created
as we revoked all sessions of an internal user except one, the latest session, and it works

rp

04/27/2023, 7:46 AM
we can get there.. let's first see which APIs are being called. Then we can see what those APIs are doing.

Malik Khoja

04/27/2023, 7:49 AM
Ok
auth/signinup/code
auth/signinup/code/consume
1st one to create the otp and second one to verify it

rp

04/27/2023, 7:49 AM
right. So each time the auth/signinup/code/consume is called, it will create a new session (if the request body is right)
do these APIs get called on their own? How does the consume API know what the code is without the user entering it?

Malik Khoja

04/27/2023, 7:50 AM
No it won't get called automatically
One scenario can be, if a user logs in by calling the consume API, then does clear data so all sessions are broken, and then the user enters the mobile no. and OTP by calling consume
a new session would be created and this will lead to multiple sessions
as logout was never called
ideally if a valid session exists then consume should return the same session rather than creating a new session. Correct me if wrong

rp

04/27/2023, 8:07 AM
not really.. consume should create a new session. It's better from a security point of view.
The scenario you describe makes sense, but it's not in line with what you said earlier where it causes an infinite refresh loop and that after midnight, somehow new sessions are created.
I think you need to get clarity on what's happening.. only then i can help (since this is free). Good luck

Malik Khoja

04/27/2023, 8:13 AM
Thanks for the quick revert. We understand that we have been discussing multiple scenarios here as our whole agenda is to find the issue, as we feel discussing multiple issues would help you understand our problem better and help us understand what we are doing wrong.

rp

04/27/2023, 8:13 AM
let's try and solve one issue at a time.

Malik Khoja

04/27/2023, 8:13 AM
Sure

rp

04/27/2023, 8:13 AM
The consume code API creating a new session is expected.

Malik Khoja

04/27/2023, 8:13 AM
Yes

rp

04/27/2023, 8:14 AM
if the user clears their app data, they will be logged out, and when they log in again, it will get them a new session - this is expected. You could override the createNewSession on the backend to revoke other sessions belonging to this user if you want, but this would also mean that if the user has indeed logged into another device, their previous devices would be logged out.

Malik Khoja

04/27/2023, 8:15 AM
Ohk
supertoken-reactnative - 3.2.0
supertoken/node - 12.1.5
supertoken docker - 4.4.1
Just for information, sharing the version numbers used across all the ends
As consume will create a new session every time - expected behaviour, then how does SuperToken identify unique users or devices? Or it doesn't?

rp

04/27/2023, 9:15 AM
it doesn't need to
consume should only be called when the user is logging in
which should only happen if the user is not already logged in

Malik Khoja

04/27/2023, 9:15 AM
Also, the docker server was started again a month ago, and when we started it, it pulled up a new image of the version, and we can see an increase in these issues since March. Do you think this can be because of the updated version or version mismatch?
Ok so in case of clear data you recommend to clear the previous user session (if any)

rp

04/27/2023, 9:26 AM
The new core should be working with the version of the SDK you are using. But you should ideally not have it auto pull the latest core. That’s generally a bad idea.
Not really. I would say keep it as is. But you could clear older sessions when a new one is created (as I said before)

Malik Khoja

04/27/2023, 10:06 AM
Ok