SuperTokens is an open source authentication solution offering features like: Different types of login: Email / password, Passwordless (OTP or Magic link based).

SuperTokens.com

Hey rp, I'm implementing a solution for session management where we have the login authentication handled externally as well as two-factor authentication. I've been able to get everything working but can't seem to get antiCsrf showing in the Token or in the header. The purpose of this server is to be used for a mobile application

are you using header based or cookie based auth?

can i see the response headers for the API that creates a new session?


https://cdn.discordapp.com/attachments/1110837886921756683/1110838435209560115/image.png

eyJraWQiOiJkLTE2ODQ3MTYwNzE3ODIiLCJ0eXAiOiJKV1QiLCJ2ZXJzaW9uIjoiMyIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiIwMDExczAwMDAxaWQyNHkiLCJleHAiOjE2ODQ5MTg1MDYsImlhdCI6MTY4NDkxNDkwNiwic2Vzc2lvbkhhbmRsZSI6IjY4ZGI4ZjYwLWFmYTAtNGVjNS05OGZkLWNlMjZiY2NjOTlhYSIsInJlZnJlc2hUb2tlbkhhc2gxIjoiYTc1OGIyY2Q5OTc4YTJmNjE3NWNkMDZhZWRmNjlmY2FhOTM3MjUwMGIzMGY4NjRlZDZjOTY2ZGQ3MTM2ZWU1YiIsInBhcmVudFJlZnJlc2hUb2tlbkhhc2gxIjpudWxsLCJhbnRpQ3NyZlRva2VuIjpudWxsLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjcyNzIvYXV0aCIsIjJmYS1jb21wbGV0ZWQiOnsidiI6ZmFsc2UsInQiOjE2ODQ5MTQ5MDY5Mjd9fQ.Vs5wp96PZqwL-s368uao3FIpUcyYHucfSaQYXdhvjv017mroxTtiMx-7DUw9r4INZP7xswX1_yVadKFj3wa3KQ44ghGfZuLhpw3pbI0eqKngR12IXXeCUd5RS098wnICubairXRpSLNc4K6AVcMfp0e_TaJ1bg0amSCepM0UxwlJ9SZ3YBqugDGxIooG3oeE8SSS4b7tf0nWIOa7ix5uuourRxuHcj5QPIibDW1C4TY483gTDjlI_sK7JCf46-FgvRmQEI2FQGZj9hUVM8r4K3rscRBVYv1nMBHS-SM3eQ8L7qc2J2DbgmNIsdkvcJPSYKL1AO7Oh8blW_rkRkCBAw

This is the access token which still requires a claim

the fastify route for the endpoint is:
```
fastify.route({
        method: "POST",
        url: "/login",
        handler: dataController.login,
    });
```

and the respective method

```
const login = async (req, res) => {
    requestOptions.body = JSON.stringify(req.body);
    try {
        let response = await fetch(
            `${process.env.EXTERNAL_BASE_URI}/auth/login`,
            requestOptions
        );

        let responseBody = await response.json();
        if (responseBody.success) {
            await session.createNewSession(
                req,
                res,
                `${responseBody?.data.account}~login`
            );
            return res.code(200).send({
                success: true,
                data: responseBody.data,
            });
        }
        return res.code(400).send({
            success: false,
            message: `${responseBody.message}`,
        });
    } catch (error) {
        throw error;
    }
};
```

right. So by default, we protect against CSRF using custom header (in this case it's the `rid` header in the request)

if you want to explicitly enable CSRF, you can set the CSRF mode to `VIA_TOKEN` in the session.init on the backend

right ok, so I was currently setting rid to 'session', if I adjust that to some v4 uuid for example that will make the csrf effective?

I suppose im confused at how the antiCsrf token is actually being checked in this situation

i mean for mobile apps, you don't really need anti-csrf anyway

Hm, it is react-native so I had some concern

mobile apps don't need anti-csrf protection