# support-questions-legacy
u
My team is using SuperTokens to implement authentication for a website which will be used by 2 sets of users, i.e., consumers and partners. For consumers, we want to use passwordless logins, and we want the session to only be valid for a short duration of inactivity. For partners, we want to use email/password logins and we want the session to be valid for a day of inactivity. We have managed to implement authentication for consumers. Now, we are wanting to implement it for partners, but we are unsure how we can achieve our intent. I know that an additional recipe can be included in the implementation so both passwordless recipe and email/password recipe will be available to both sets of users, but the UI for each will only present the method that is earmarked for their type of user. So far so good. How do we tweak the session duration and period of inactivity, etc. for each type of user?
r
hey @umarfkhawaja
u
Hi @rp_st
r
you can add a custom payload prop in the session's access token like `customExpiry` value when the session is created. The value of this will depend on the type of user. Then you can make your own verify session middleware which calls our getSession function first, and after successful verification, it will check the `customExpiry` and if it's past this time, send back a 401. Finally, you override the refresh API to call our refresh function, and then check the same `customExpiry` in the returned session object. If that's past the expiry, then you would also revoke the session before returning the response. This would work as long as the timeout set in the core is the larger value of the two types of session timeouts you want.
u
where is session created?
r
createNewSession function override
the createNewSession is called internally when the user signs in via any login method
u
out of curiosity, is it possible for a service to use 2 instances of SuperTokens to authenticate a user?
I think I understand what you have described above regarding overriding the `createNewSession`
can I combine emailpassword recipe and thirdpartyPasswordless recipe?
r
> out of curiosity, is it possible for a service to use 2 instances of SuperTokens to authenticate a user?

It's not cause the backend SDK is a singleton

> can I combine emailpassword recipe and thirdpartyPasswordless recipe?

In what way? From a UI point of view?
u
in SuperTokens
fuller picture is that we have a mobile app for the consumers, and a website for partners
consumers will be logging in via passwordless method
partners will be logging in via email/password method
obviously, we can make the UI appropriate for each method in both the consumer app and the partner website
but the auth service that is shared by both will have to be configured for both methods
as I understand it, there is a recipe list, we can just include the recipes for both email/password and passwordless in the list in the auth service
and then we do the same in the API gateway (which verifies the session)
r
yes - correct. So you just need to add emailpassword and thirdpartypasswordless to the recipe list on the backend and frontend
and on the frontend show the relevant UI based on who the user is
u
that makes sense
r
@rp_st @umarfkhawaja Are you initialising a separate frontend config for both kinds of recipes? Or are you managing both at the same time?
u
We are managing both at the same time