Hiii, I have an architecture where I use example.c...
# general
h
Hiii, I have an architecture where I use example.com for authentication, and any.example.com can access my protected resources for both example.com and api.example.com. The issue is that once I had added the email allow list and then later decided to drop it, after that I cannot refresh my tokens from any.example.com. My app calls for a refresh token, and it generates new tokens. But accessing the app again throws refresh token. And the interesting part is that it is happening only for previously logged-in accounts, so there is no way to access resources using those accounts. But when I tried with a fresh new account, everything works well. I tried deleting the SuperTokens DB as well as starting a new fresh SuperTokens core server. Note: while I cannot access resources from api.example.com, I can access resources from example.com. By accessing resources I mean verifying sessions.
r
Hey @hehohesda_12345
What are the request headers of the organisation API call?
h
GET /organization HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Cookie: sAccessToken=; st-last-access-token-update=1690908509650; sFrontToken=; sAccessToken=Token3
Host: any.example.com
Origin: https://any.example.com
Pragma: no-cache
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
Sec-GPC: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua: "Not/A)Brand";v="99", "Brave";v="115", "Chromium";v="115"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
I have removed the token from here; I have sent you a PM with the raw request headers.
This is my cookie from app-beta.example.com
r
So it does have the access token. Can you enable backend debug logs and show the output when the organization API is called? What happens?
h
I will try it and drop the logs here.
These are the logs for the API.
at api.example.com
r
When the refresh api finishes, does the subsequent call to organisations use the newer access token?
h
Hiii, when I tried to reproduce the issue again, everything was working great. I don't know what happened; I haven't changed anything. Anyway, thank you so much for your support. If I encounter this again, I will drop a message. 😄
Hi, the issue occurred again.
I debugged and found out that there are two access tokens attached when a request is being sent to api.example.com: one is for domain example.com and the other one for app.example.com. When the tokens are refreshed, they are refreshed only for example.com. So in the next request for a resource I again get a 403 error. And one more thing: I can only see the token for domain example.com, but not the other one, in the cookie section. Now I have a few questions: How are two sAccessTokens present at the same instance? How would I refresh the other token? Is there an issue in my configs?
r
Can I see the request headers?
And which backend SDK are you using?
h
Sure
"supertokens-node": "^14.1.1", this is the exact version of the Node.js SDK.
Do you want request headers for any specific request? In the meantime I will prepare a small text file to show you my configurations and headers.
r
> Do you want request headers for any specific request?
The one that has 2 access tokens.
h
Okay
GET /organization HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
Cookie: _ga=; sAccessToken=; sAccessToken=; sFrontToken=eyJ1aWQiOiJhMmFiOTU5MC0zMmM5LTQzNmQtYWJkZC01YjUzMmY0ZjE3NGIiLCJhdGUiOjE2OTIwNDI1NDUwMDAsInVwIjp7ImlhdCI6MTY5MjAyNDU0NSwiZXhwIjoxNjkyMDQyNTQ1LCJhbnRpQ3NyZlRva2VuIjpudWxsLCJzdWIiOiJhMmFiOTU5MC0zMmM5LTQzNmQtYWJkZC01YjUzMmY0ZjE3NGIiLCJzdC1ldiI6eyJ2Ijp0cnVlLCJ0IjoxNjkyMDIzNjgyNjc5fSwiaXNzIjoiaHR0cHM6Ly90aGVkaWdpdGFscG91bHRyeS5saXZlL2FwaS9hdXRoIiwic2Vzc2lvbkhhbmRsZSI6IjkxZDk0MzZmLWY5NTAtNGY2MS1iNTkzLTJjNDBiYjBjNzg4YyIsInBhcmVudFJlZnJlc2hUb2tlbkhhc2gxIjpudWxsLCJyZWZyZXNoVG9rZW5IYXNoMSI6IjRjYjUzNTA3ZmMyODY0MDg2OWJjZThjZWI0MWEwZGJjMzllOGI3MGIyY2M3MGQxZmEzOTM1NGExNGRlYjIxODQifX0=; _ga_Y0TWFES7YK=
Host: api-beta.thedigitalpoultry.live
If-None-Match: W/"22c-Yl7jw3I0e8IDPlAKlz3L++4vPtk"
Origin: https://app.example.live
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-site
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36
sec-ch-ua: "Not/A)Brand";v="99", "Google Chrome";v="115", "Chromium";v="115"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
I have just replaced the actual values for security purposes. If you want to see the actual values I can DM you.
r
I'm not sure how this is possible at the moment.
I'll have to get back.
h
😄
It's okay, take your time.
I will DM you additional information as soon as I can.
r
Do you have multiple login forms?
h
No, I use only Google SSO.
But I have thirdPartyEmailPasswordRecipe.
r
@porcellus
Have you changed the cookieDomain value on the backend?
h
Yes, I have changed it.
cookieDomain: ".example.com", I have set this in my app that is running on example.com.
r
Right. So this can cause an issue where you have two sAccessTokens, as you are seeing.
Just clear your cookies manually and try again.
h
No, that didn't work.
r
What's the issue now? At least you must not have 2 sAccessTokens, right?
h
I still have two sAccessTokens now.
r
What's your API domain?
h
api.example.com
r
Navigate to api.example.com, and then clear all cookies.
h
But all the authentication happens on example.com.
Oh
r
Also, navigate to api.example.com/api/auth/session/refresh and clear the refresh token as well,
and then try again.
h
Just a minute.
Wow, that worked. Thanks a lot!!
r
Great
h
But how were the cookies set up on api.example.com?
r
Because these are backend cookies.
They get attached to the API domain.
That's how httpOnly cookies work.
h
Okay, I see. I didn't know this.
Thanks again
Do I need to change my config to prevent this from happening again? Or everything is good?
r
It should be fine.
h
Great!!
Hiii @rp_st, it happened again.
r
Two access tokens? That only happens if you change the cookieDomain.
h
Yup.
The cookieDomain is the same as before: .example.com
There is one more thing. The first time, a user will log in at example.com, then he will visit app.example.com. When the accessToken expires, I try to refresh the session at app.example.com only. So, is my approach correct? Or do I need to refresh the session at example.com?
r
You can refresh on any of the domains.
Do you now have two access tokens as well?
Also, do you have different api domains or different frontend domains?
h
One is an Angular SPA (app.example.com), another is a Node.js API (api.example.com), and the last one is Angular SSR (Node.js MVC, both UI and API) (example.com).
Yes, there were two access tokens. Yesterday I manually cleared the cookies, so I cannot show you now. I guess we have to wait, or I can reduce the access token validity.
I added ACCESS_TOKEN_VALIDITY as 60; it seems to have no effect. I am using MySQL with Docker. Now when I checked the cookies at api.example.com, I see the accessToken with domain .example.com. I guess this should be fine, right?
r
Yeah, it should be. You just need to make sure that if you have two backends where you do supertokens init, you have set the same value for cookieDomain in both.
h
Okay, I guess I have set it on one backend only.
I will update that.
r
Sounds good.
h
The issue hasn't occurred till now.
Thank you for your assistance, Sir :).