Hi Everyone, I have a "BFF" with nextjs where the ...
# support-questions-legacyd
dfliess
09/16/2023, 4:12 PMHi Everyone, I have a "BFF" with nextjs where the user authenticates and from there I'm proxying some API calls to some services where I need some kind of security, as the proxy sends the cookies I could use the backend SDK to validate and secure this services but I was thinking on just sending the jwt token (is that sAccessToken?) but I found that I do not have the user id in it, where is it stored ? in the session ? What would be a best practice, addit to the super token payload ?
dfliess
09/17/2023, 6:21 PMdid anyone implemented something like this?
c
ceriddenn
09/17/2023, 7:18 PMhave you exposed the jwt to the frontend in the backend config?
ceriddenn
09/17/2023, 7:18 PMceriddenn
09/17/2023, 7:18 PMbackendConfig ^
ceriddenn
09/17/2023, 7:18 PMadd thaat
ceriddenn
09/17/2023, 7:18 PMthen on the frontend you could do smth like this
ceriddenn
09/17/2023, 7:18 PMceriddenn
09/17/2023, 7:19 PMthe jwt should have the userId in it I believe...
d
dfliess
09/18/2023, 6:50 AMI think I do not need to expose it on the frontend as the front end is not directly querying the services and the request is being proxied on the BFF, however I did find the user Id inside the jwt token under the "sub" (subject) property. So I think I will get the token and validate it on the services using https://supertokens.com/docs/thirdpartypasswordless/common-customizations/sessions/with-jwt/jwt-verification
Thanks for the answer.
dfliess
09/18/2023, 7:06 AMOne problem I found is that as I want to implement this on a middleware in nextjs I only have the request object and I do not have response and with the backend SDK I didn't find any way to obtain the session, so I can get the token, without it, as the verify session and check session functions both require the response object. So even if I don't like it I will en up getting the token from the sAccessToken cookie or is there any better way of doing this ? @rp_st or anybody know a better way ?
r
rp_st
09/18/2023, 7:53 AMd
dfliess
09/18/2023, 10:51 AMBut this way I need the access token, and that's what I'm trying to get.
r
rp_st
09/18/2023, 10:58 AMthe link i sent shows you how to get the session obj without the req / res object
rp_st
09/18/2023, 10:58 AMisn't that what you want?
rp_st
09/18/2023, 10:58 AMoh right
rp_st
09/18/2023, 10:58 AMi mean, you can get the access token from the request cookies
rp_st
09/18/2023, 10:58 AMthe key of the cookie is sAccessToken
d
dfliess
09/18/2023, 12:12 PMyes, thanks, that's what I did, but it feels that the sdk should provide a way to get it as I shouldn't be knowing the name of the cookie.
r
rp_st
09/18/2023, 12:13 PMwell, yeaa.. we could add a function. You can open an issue about this, and if enough interest, we can add it
d
dfliess
09/18/2023, 5:27 PMor maybe documenting it on that page ?
dfliess
09/18/2023, 5:27 PManyway thanks for the help!
6 Views