500 error
ikak

05/12/2023, 7:36 AM
Hey @rp I am getting a 500 internal server error if the authtoken is expired. So it should give a needs refresh response instead. I have two different services, in one it is working fine, but it is giving 500 error in one.
rp

05/12/2023, 7:37 AM
hey @ikak have you added our error handler in the one that's giving you a 500 error?
ikak

05/12/2023, 8:39 AM
I am using FastAPI and hence have just used
session: SessionContainer = Depends(verify_session())
to check for session. Where do I have to add an error handler?
rp

05/12/2023, 10:10 AM
Right. Do you see any backend error logs?
ikak

05/12/2023, 10:13 AM
The backend is giving this error:
raise TryRefreshTokenError(ex) from None
supertokens_python.recipe.session.exceptions.TryRefreshTokenError: Access token expired
rp

05/12/2023, 11:16 AM
have you added
app.add_middleware(get_middleware())
to your backend?
ikak

05/12/2023, 12:38 PM
Ohhh, sorry about that, somehow I missed adding the middleware. Thanks a lot.
@rp I have one more question: can we do something like, if a user needs to refresh his token, instead of sending an error, refresh the token and then send the required response?
rp

05/12/2023, 1:04 PM
can't. Cause the refresh token is only on the frontend
ikak

05/12/2023, 5:33 PM
Okay so my understanding is that in the frontend first we have to send a request, if it returns a 401 status code with message needs refresh (we have to check the message because in case of unauthorized also the status code will be 401), then use Session.attemptRefreshingSession() to refresh session and then send the request again?
rp

05/12/2023, 5:46 PM
well, our frontend sdk should auto refresh for you.
is that not happening?
ikak

05/12/2023, 6:23 PM
Well, as I told you, I have two backend services (one made by me -> was giving a 500 error, and one by my friend -> was giving a 401 error). When I make an axios call to his service, then first I get a 401 error response, and then a 200 OK response with correct data (I think the SDK is refreshing the cookie). But if I hit my service I just get the 401 error response in the catch block of the axios call, and the refreshing does not happen. The axios calls for both the requests are written by me and there is no difference between them.
rp

05/12/2023, 6:24 PM
Oh I see. Are they two on different domains? What are the domains?
ikak

05/12/2023, 6:25 PM
Currently both the backends are running on localhost, only their ports are different.
One is running on 8000, and one on 8001.
rp

05/12/2023, 6:28 PM
Hmmm. For the other backend, you may want to get the access token on the frontend and add it as an authorization header to your request. This will ensure that the access token is always refreshed.
So you won’t get any 401 from your other backend in this case
ikak

05/12/2023, 6:31 PM
But I am already sending the auth token with my request cookie header (in both the requests)
Here is the request that I am making :
axios
  .get(`http://localhost:8001/`, {
    withCredentials: true,
  })
  .then((res) => {
    console.log("res0", res);
  })
  .catch((err) => {
    console.log("err0", err);
  });
It is the same for both the requests, just the port is different.
rp

05/12/2023, 6:33 PM
right. The interception isn't applied to different ports
which is why the frontend sdk doesn't auto refresh
what you need to do is to read the access token on the frontend and then add it as authorization bearer token to your requests
when reading the access token on the frontend, our sdk will ensure that it's refreshed
so you won't have to deal with refreshing manually
but yea.. if you want, you can do what you were saying - detect a 401 and then call the attemptRefresh function
ikak

05/12/2023, 6:38 PM
Also one thing that I noticed is that when I hit 8001 request, the frontend receives 401 and executes the catch block of the axios call, but in case of 8000 request, the frontend receives 401 and then receives the data (it might be hitting the refresh endpoint in between) and hence executes the normal then block, which is weird.

https://cdn.discordapp.com/attachments/1106485064361054208/1106651714657976350/image.png

So it won't work if the port is anything other than 8000?
But we won't be able to read that because it is stored in an httpOnly:true cookie, so I won't be able to access it in the frontend.
rp

05/12/2023, 6:49 PM
Yea cause you have set the website domain to localhost:8000 correct?
There is a setting on the backend which exposes the access token to the frontend but keeps the refresh token as an httpOnly cookie.
ikak

05/12/2023, 6:50 PM
Yeah, that's correct
rp

05/12/2023, 6:51 PM
The use case you are trying to implement is best done if the 2 backend APIs have the same domain or if they are on a subdomain. This way, you can share the cookie across the domains and won't need to expose the access token to the frontend (plus auto refreshing will work)
The issue is with using localhost
And different ports
ikak

05/12/2023, 6:54 PM
Okay, and just one more question: suppose we have two different backend services running on different ports, how do you suggest I authenticate and authorize a user (with the automatic refresh token functionality)? Should I send a request from one backend to the one running on port 8000 to validate the user, and then it will send a response saying whether the user is valid or not and whether he needs to refresh his token?
rp

05/12/2023, 6:54 PM
No. Just expose the access token to the frontend and add it to each request.
ikak

05/12/2023, 6:55 PM
Okay, thanks a lot for your help, sir.