Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
500 error
i
ikak
05/12/2023, 7:36 AMHey @rp I am getting a 500 internal server error if the authtoken is expired. So it should give a needs refresh response instead. I have two different services, in one it is working fine, but it is giving 500 error in one.
r
rp
05/12/2023, 7:37 AMhey @ikak have you added our error handler in the one that's giving you a 500 error?
i
ikak
05/12/2023, 8:39 AMI am using FastAPI and hence have just used
session: SessionContainer = Depends(verify_session()r
rp
05/12/2023, 10:10 AMRight. Do you see any backend error logs?
i
ikak
05/12/2023, 10:13 AMThe backend is giving this error:
raise TryRefreshTokenError(ex) from None
supertokens_python.recipe.session.exceptions.TryRefreshTokenError: Access token expiredr
rp
05/12/2023, 11:16 AMhave you added
app.add_middleware(get_middleware())i
ikak
05/12/2023, 12:38 PMOhhh sorry about that somehow I missed adding the middleware. Thanks a lot.
@rp I have one more question, can we do something like if a user needs to refresh his token, instead of sending an error, refresh the token and then send the required response.
r
rp
05/12/2023, 1:04 PMcan't. Cause the refresh token is only on the frontend
i
ikak
05/12/2023, 5:33 PMOkay so my understanding is that in the frontend first we have to send a request, if it returns a 401 status code with message needs refresh (we have to check the message because in case of unauthorized also the status code will be 401), then use Session.attemptRefreshingSession() to refresh session and then send the request again?
r
rp
05/12/2023, 5:46 PMwell, our frontend sdk should auto refresh for you.
is that not happening?
i
ikak
05/12/2023, 6:23 PMWell as I told you I have two backend services (one made by me -> was giving 500 error and one by my friend -> was giving 401 error). When I make an axios call to his service, then first I get a 401 error response, and then a 200 okay response with correct data (I think the SDK is refreshing the cookie). But if i hit my service I just get the 401 error response in the catch block of the axios call, and the refreshing does not happen. The axios calls for both the requests is written by me and there is no differnce between them.
r
rp
05/12/2023, 6:24 PMOh I see. Are they two on different domains? What are the domains?
i
ikak
05/12/2023, 6:25 PMCurrently both the backends are running on localhost, only thier ports are different.
One is running on 8000, and one on 8001.
r
rp
05/12/2023, 6:28 PMHmmm. For the other backend, you may want to get the access token on the frontend and add it as an authorizarion header to your request. This will ensure that the access token is always refreshed.
So you won’t get any 401 from your other backend in this case
i
ikak
05/12/2023, 6:31 PMBut I am already sending the auth token with my request cookie header (in both the requests)
Here is the request that I am making :
axios
.get(`http://localhost:8001/`, {
withCredentials: true,
})
.then((res) => {
console.log("res0", res);
})
.catch((err) => {
console.log("err0", err);
});
}}r
rp
05/12/2023, 6:33 PMright. The interception isn't applied to different port
which is why the frontend sdk doesn't auto refresh
what you need to do is to read the access token on the frontend and then add it as authorization bearer token to your requests
when reading the access token on the frontend, our sdk will ensure that it's refreshed
so you won't have to deal with refreshing manually
but yea.. if you want, you can do what you were saying - detect a 401 and then call the attemptRefresh function
i
ikak
05/12/2023, 6:38 PMAlso one thing that I noticed is that when I hit 8001 request, the frontend receives 401 and executes the catch block of the axios call, but in case of 8000 request, the frontend receives 401 and then receives the data (it might be hitting the refresh endpoint in between) and hence executes the normal then block, which is weird.
https://cdn.discordapp.com/attachments/1106485064361054208/1106651714657976350/image.png▾
So what it won't work if the port is any other than 8000?
But we wont be able to read that because it is stored in a httpOnly:true cookie, so I won't be able to access it in the frontend.
r
rp
05/12/2023, 6:49 PMYea cause you have set the website domain to localhost:8000 correct?
There is a setting on the backend which exposes the accesss token to the frontend but keeps the refresh token has httpOnly cookie.
i
ikak
05/12/2023, 6:50 PMYeah thats correct
r
rp
05/12/2023, 6:51 PMThe use case you are trying to implement is best done if the 2 backend apis have the same domain or if they r on a sub domain. This way, you can share the cookie across the domains and won’t need to expose the access token to the frontend (plus auto refreshing will work)
The issue is with using localhost
And different ports
i
ikak
05/12/2023, 6:54 PMOkay and just one more question, so suppose we have two different backend services running on different ports, so how do you suggest I authenticate and authorize a user (with the automatic refresh token functionality). Should I send request from one backend to the one running on port 8000 to validate the user and then it will send a response if a user is valid or not and if he needs to refresh his token.
r
rp
05/12/2023, 6:54 PMNo. Just expose the access token to the frontend and add it to each request.
i
ikak
05/12/2023, 6:55 PMOkay thanks a lot for your help sir.