hello.@rp_st when resetting password, how can I detect if newPassword is the same as old one? supertokens server is selfhosted, and is seperated from api backend. the only receives when resetting password are just password and token.

hey @tomita0022 you can override the reset password API on the backend, and then before calling the original implementation, call the verifyCredentials function from out node sdk (https://supertokens.com/docs/nodejs/modules/recipe_emailpassword.html#verifyCredentials-1) with the input password. If this function succeeds, it means that the password is the same, and you can reject. Now, this function also needs the email ID. You can get that by customising the reset password link on the backend to include the email in the query param. This customisation can be done in the sendEmail function of the emailDelivery config. Once the link is clicked, and the user enters the new password, you can use the pre API Hook feautre on the frontend to get the email from the query params of the URL,and add it to the request body, and then consume that custom property in your reset password override. Maybe this link will help: https://supertokens.com/docs/emailpassword/advanced-customizations/user-context/custom-request-properties

thank you @rp_st

whats the input you are sending in the post body?

i called submitNewPassword of emailpassword recipe module.

right. So you added a new item in the formFields array right?

what do you mean? so I have to inject email info into request body manually in preAPIHook?

yes

In preAPIhook, how can I get email info via funtion's parameter?, and even if i inject it into request body, seems like it outputs the same error message, saying sending too many/ few arguments, i guess.

Well, if you see our docs for pre api hook, you can add the hook when you c all the submitNewPassword function. So the email variable is right there

I injected email data into request body, but still get the same result. Do i have to use request header?

ah yea. Dont use request header

as you can see the above commented code, i injected email info into formFields, is it right?

something like:

let body = JSON.parse(requestInit.body)
requestInit.body = JSON.stringify({
  ...body,
  email
})

will give it a try.

so we are adding email at the root of the body. Not in the formFiels

thank you @rp_st it works.

nice

one question. Let's assume that I have several supertokens backend servers handling different authentication methods, email password, passwordless, sso. and they have one DB. it is possible?

Yes. It is.

so three servers must have the same supertokens core application.

Not necessary that they must, but they can

I already made three servers, they have their own core app, and those core apps use one DB for sharing. What I consider most, is JWKs. Is it possible to get the same JWKS data for those servers?

Not with different apps in one core. You must use the same app across all the backend and then you have the same jwks

So supertokens core app should be placed with DB and three auth servers should interact with that core app. right?

Yes.

In passwordless authentication, If i create several magic link cods, they are all available to consume?

yes.

so those invalid codes are removed?

yes