Hi Everyone, I have a "BFF" with nextjs where the ...
# support-questions-legacy
d
Hi Everyone, I have a "BFF" with nextjs where the user authenticates, and from there I'm proxying some API calls to some services where I need some kind of security. As the proxy sends the cookies, I could use the backend SDK to validate and secure these services, but I was thinking of just sending the jwt token (is that sAccessToken?), but I found that I do not have the user id in it. Where is it stored? In the session? What would be a best practice, add it to the super token payload?
Did anyone implement something like this?
c
have you exposed the jwt to the frontend in the backend config?
backendConfig ^
add that
then on the frontend you could do something like this
the jwt should have the userId in it I believe...
d
I think I do not need to expose it on the frontend as the frontend is not directly querying the services and the request is being proxied on the BFF. However, I did find the user ID inside the jwt token under the "sub" (subject) property. So I think I will get the token and validate it on the services using https://supertokens.com/docs/thirdpartypasswordless/common-customizations/sessions/with-jwt/jwt-verification Thanks for the answer.
One problem I found is that, as I want to implement this on a middleware in nextjs, I only have the request object and I do not have the response, and with the backend SDK I didn't find any way to obtain the session, so I can get the token, without it, as the verify session and check session functions both require the response object. So even if I don't like it I will end up getting the token from the sAccessToken cookie, or is there any better way of doing this? @rp_st or anybody know a better way?
d
But this way I need the access token, and that's what I'm trying to get.
r
the link I sent shows you how to get the session obj without the req / res object
isn't that what you want?
oh right
I mean, you can get the access token from the request cookies
the key of the cookie is sAccessToken
d
yes, thanks, that's what I did, but it feels that the SDK should provide a way to get it as I shouldn't be knowing the name of the cookie.
r
well, yeah... we could add a function. You can open an issue about this, and if there is enough interest, we can add it
d
or maybe document it on that page?
anyway thanks for the help!