https://supertokens.com/ logo
Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Powered by
session refreshing
l

Luxaaa

05/24/2023, 6:11 AM
Do i have to retresh the session manually if i am using a custom ui with the supertokens web sdk?
r

rp

05/24/2023, 6:22 AM
you don't have to. Our web-js SDK should do it for you as long as you have correctly configured the apiDomain
l

Luxaaa

05/24/2023, 6:23 AM
@rp The api domain is correct (now). But i cannot see any refresh requests
Also, if a use header as tokenTransferMethod, the headers are not included in the request.
r

rp

05/24/2023, 6:25 AM
this means the api domain is not correctly configured.
what API are you quering?
And what's the value of apiDomain that you have set?
l

Luxaaa

05/24/2023, 6:35 AM
Its a public ngrok domain. I double checked the values which i have set in backend and frontend end they are equal. both https.
its works with cookies.
r

rp

05/24/2023, 6:38 AM
whats the request and response headers from the sign in API when you set tokenTransferMethod to header?
l

Luxaaa

05/24/2023, 6:41 AM

https://cdn.discordapp.com/attachments/1110812370114191420/1110819799728148520/Bildschirmfoto_2023-05-24_08-40-39.png

r

rp

05/24/2023, 6:41 AM
and the response headers?
l

Luxaaa

05/24/2023, 6:42 AM

https://cdn.discordapp.com/attachments/1110812370114191420/1110820130209923174/Bildschirmfoto_2023-05-24_08-42-10.png

r

rp

05/24/2023, 6:43 AM
ok so this is working as expected. Now, when an API call is made, can you show me the request headers?
l

Luxaaa

05/24/2023, 6:46 AM

https://cdn.discordapp.com/attachments/1110812370114191420/1110821224877133824/Bildschirmfoto_2023-05-24_08-46-40.png

r

rp

05/24/2023, 6:48 AM
can you send me a screenshot of the cookie store on the browser post login?
l

Luxaaa

05/24/2023, 6:50 AM

https://cdn.discordapp.com/attachments/1110812370114191420/1110822085648986142/Bildschirmfoto_2023-05-24_08-50-01.png

r

rp

05/24/2023, 6:51 AM
can you open package-lock.json and tell me which version of the supertokens-website SDK you are using?
Also, could you open an issue about this on our github here: https://github.com/supertokens/supertokens-website/issues Explaining your setup (apiDomain + session.init configs)
(And also attach these screenshots please)
l

Luxaaa

05/24/2023, 6:54 AM
I am using supertokens-web-js 0.5.0
r

rp

05/24/2023, 6:54 AM
right. That uses supertokens-website internally
so can you open package-lock.json and tell us which version of supertokens-website is being used
l

Luxaaa

05/24/2023, 6:56 AM
16.0.0
r

rp

05/24/2023, 6:57 AM
ok can you update it to using 
16.0.10
(which is the latest version) and see if that fixes the issue?
tagging @porcellus here to help as well.
l

Luxaaa

05/24/2023, 7:06 AM
i upgraded to 16.0.10. Same result.
r

rp

05/24/2023, 7:06 AM
ok. I'll let @porcellus help you when he is online
oh right. I see the issue.
do you have some cors setting on the backend about access-control-expose-headers?
like in an api gateway or something?
l

Luxaaa

05/24/2023, 7:15 AM
i am using ngrok
could that cause the issue?
r

rp

05/24/2023, 7:19 AM
no. It's an issue with the cors config. Where you have set the value of 
id-refresh-token
on the backend for access-control-expose-headers?
l

Luxaaa

05/24/2023, 7:22 AM
Heres my cors config: 
python

api = CORSMiddleware(
    app=api,
    allow_origins=[
       ...
    ],
    allow_credentials=True,
    allow_methods=["GET", "PUT", "POST", "DELETE", "OPTIONS", "PATCH"],
    allow_headers=["Content-Type", 'org-profile-id'] + get_all_cors_headers(),
    expose_headers=['id-refresh-token', 'front-token'] + get_all_cors_headers()
)
r

rp

05/24/2023, 7:23 AM
right. So add 
st-access-token
and 
st-refresh-token
to expose_headers as well.
and then it should all start to work
l

Luxaaa

05/24/2023, 7:25 AM
Okay, now i can query my api. Thanks.
Should this also fix the refresh-issue?
r

rp

05/24/2023, 7:26 AM
yes
get_all_cors_headers
should return the proper list. So it should have worked.
can you print out the value of 
get_all_cors_headers()
?
l

Luxaaa

05/24/2023, 7:27 AM
['anti-csrf', 'authorization', 'fdi-version', 'rid', 'st-auth-mode']
r

rp

05/24/2023, 7:28 AM
which version of the python SDK version are you using?
l

Luxaaa

05/24/2023, 7:28 AM
0.14.0
r

rp

05/24/2023, 7:33 AM
ok thanks. It should be fine now
l

Luxaaa

05/24/2023, 7:51 AM
I still cannot see any refresh requests. How often does the refresh request run?
r

rp

05/24/2023, 7:51 AM
depends on the access token's lifetime
set the access token's lifetime to 2 mins on the core, and then relogin. Wait for 2 mins, and you will see it refresh
l

Luxaaa

05/24/2023, 7:56 AM
I edited the access token lifetime. still no refresh requests.
r

rp

05/24/2023, 7:56 AM
are you getting back 401 try refresh token error when calling the API?
l

Luxaaa

05/24/2023, 7:56 AM
There is a refresh request after reloading the page. But no periodic requests.
yes
r

rp

05/24/2023, 8:00 AM
can i see the request headers for that API call which gives back a 401?
and also the subsequent network calls
l

Luxaaa

05/24/2023, 8:01 AM
:method: POST
:path: /user/
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7
authorization: Bearer eyJraWQiOiJkLTE2ODQ2MDExNzIyMTQiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiMyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiI2YzRmOWMwYi1jNzQwLTQ1N2UtOWI5YS01MmNiZWRhYWEyYWUiLCJleHAiOjE2ODQ5MTUxMTIsImlhdCI6MTY4NDkxNDk5Miwic2Vzc2lvbkhhbmRsZSI6IjhkMTg1NjhhLTlmMmQtNDEzZC1hMmZiLTMyZDczNmFhNTQ5YSIsInJlZnJlc2hUb2tlbkhhc2gxIjoiYTY3YjI4YTYzM2FmNDgzZTVhNjA5OTc3N2RmMGEzY2Q3MDk0MjEzZGE1ZGFkNTZlZGEzOGVkMzBkODlkM2QwYiIsInBhcmVudFJlZnJlc2hUb2tlbkhhc2gxIjpudWxsLCJhbnRpQ3NyZlRva2VuIjpudWxsLCJpc3MiOiJodHRwczovL2FwaS1jb3Vyc2VtYW5hZ2VyLm5ncm9rLmRldi9hdXRoIiwic3QtZXYiOnsidiI6dHJ1ZSwidCI6MTY4NDkxNDgxMTg3N319.YutojwTKG6anyxeDSc3Wm1LGkM5gtCT87iuSI1AYeR5SRl-1_jj8in4pxmxFf5y6rP4jmulA0hpcm_9gurOLo-UD-VRytfrzjwIGBxfxYAaEbVtgySL1UwW3si3P_l_ucFb9cMbNIGmWRVxjCwrI6kDLNPw8P6tn9hzJbZ8dFc6gsrzXZsy7XCYr9xq9jwbYHMEouFiJCbu6hIMnMDOdgAKjyu5O-UETrrQpHhkxbZ3mMifrbfsKI-fIg0dt0WZA8LSQFVe3x6zwgnEQJ7KhS4OQLYpqtq3O-tPpRrpe4sS5R77U8kC4wqgIfFEiLQ1Zkkb-2SYeIy1Y8q3vDmFmdw
content-length: 422
content-type: application/json
org-profile-id: null
origin: https://dev-coursemanager.ngrok.dev
referer: https://dev-coursemanager.ngrok.dev/
rid: anti-csrf
sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-site
st-auth-mode: header
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36
Response 
access-control-allow-credentials: true
access-control-allow-origin: https://dev-coursemanager.ngrok.dev
access-control-expose-headers: id-refresh-token, front-token, st-access-token, st-refresh-token, authorization, rid, anti-csrf, fdi-version, st-auth-mode
content-length: 21
content-type: text/plain; charset=utf-8
date: Wed, 24 May 2023 07:58:39 GMT
ngrok-trace-id: 4c8a6860f38ee27f526619fb3c3a701e
server: uvicorn
vary: Origin
r

rp

05/24/2023, 8:02 AM
can i see the network tab screenshot?
l

Luxaaa

05/24/2023, 8:03 AM

https://cdn.discordapp.com/attachments/1110812370114191420/1110840472093610034/Bildschirmfoto_2023-05-24_10-03-06.png

r

rp

05/24/2023, 8:04 AM
you aren;t getting a 401
you are getting a 400
please see your API.
l

Luxaaa

05/24/2023, 8:04 AM

https://cdn.discordapp.com/attachments/1110812370114191420/1110840850726006877/Bildschirmfoto_2023-05-24_10-04-34.png

r

rp

05/24/2023, 8:05 AM
are you using some sort of custom error hadling?
cause try refresh should send a 401. Not a 400
l

Luxaaa

05/24/2023, 8:05 AM
yes
Refreshing is working with my main frontend.
r

rp

05/24/2023, 8:06 AM
im not sure why your api is sending a 400 instead of a 401
can i see your session.init on the backend?
l

Luxaaa

05/24/2023, 8:11 AM
def init_supertokens():
    init(
        app_info=InputAppInfo(
            app_name="CM",
            api_domain=API_HOST,
            website_domain=FRONTEND_MANAGER_HOST,
            api_base_path="/auth",
            website_base_path="/auth",

        ),
        supertokens_config=SupertokensConfig(
            connection_uri=SUPERTOKENS_CONNECTION_URI,
            api_key=SUPERTOKENS_API_KEY
        ),
        framework='fastapi',
        recipe_list=[
            session.init(
                cookie_secure=True,
            ),
            emailverification.init(
                mode='REQUIRED',
                email_delivery=EmailDeliveryConfig(
                    override=email_delivery_override
                )
            ),
            thirdpartyemailpassword.init(
                sign_up_feature=thirdpartyemailpassword.InputSignUpFeature(
                    form_fields=[InputFormField(id='name')]
                ),
                providers=[

                ],
                email_delivery=EmailDeliveryConfig(
                    override=email_delivery_override
                ),
                override=thirdpartyemailpassword.InputOverrideConfig(
                    apis=override_thirdparty_email_password_apis
                )
            )
        ],
        mode='wsgi'
    )
r

rp

05/24/2023, 8:11 AM
do u have some custom error handler anywhere?
also, how are you protecting that api route?
l

Luxaaa

05/24/2023, 8:14 AM
I have a custom auth backend
a starlett auth middleware.
r

rp

05/24/2023, 8:15 AM
i don't quite know what effect that will have.
you may wanna investigate why it's returning a 400 instead of a 401.
l

Luxaaa

05/24/2023, 8:17 AM
Because i am returning an Exception instead of an auth error. I will fix this. But like i sad before: The refreshing is working on my other frontend. It uses the same backend.
r

rp

05/24/2023, 8:18 AM
once you fix this, let's see what happens. If the issue is still there, we will investigate.
l

Luxaaa

05/24/2023, 8:36 AM
Now refresh is running after the request has failed with status 401
r

rp

05/24/2023, 8:40 AM
yup.
#support-questionsJoin Discord
Powered by