https://supertokens.com/ logo
Join Discord
Powered by
Hey, we recently changed the domain our app is hos...
# support-questions-legacy
v
Hey, we recently changed the domain our app is hosted on and we've started to a get a bunch of fairly mysterious 403s?
r
Hey.
What’s the response body?
@vivalapanda ?
v
Can't reproduce it on my machine, I'm in the process of adding logging to the supertokens middleware to catch it right now
r
Okay
v
I can DM you the tokens though
r
Sure.
seems like that user's email is not verified
which is why they are getting a 403 - makes sense
if you are using SessionAuth wrapper on the frontend, it should redirect the user to the email verification page
if the email verification recipe on the frontend is in required mode
v
Hmm, wonder why it started happening a bunch after the domain change
I guess the domain would have invalidated old cookies and forced a re-auth
I'll take another look at our frontend to see what might be missing
r
which domains did you change? frontend of backend? or both?
v
both
Though old f.e. sessions don't have their APIs redirected
intentionally
r
did you change the base domain entierly? Or just a sub domain?
v
base domain entirely
beta.elicit.org -> elicit.com
r
so the older cookies shouldn't matter
v
yeah
r
so this means, that for some reason, post login, the frontend isn't redirecting to the email verification screen anymore.
or something else is wrong.. not sure. DOn't have too much info
v
Here's my current thinking: - change was made a ~bit ago that caused a potential error with how 403s get handled - not detected because we don't have that many people doing email verification - the new domain caused everyone to have to re-auth (also just potentially many more people signing up/doing email verification) - this caused the downstream issue of the 403s that we're seeing in our frontend
I think you can ignore this for now, I'll @ if it does seem to be something on Supertokens end
Thanks for the fast response!
r
uhmm. The thing is, when people reauth, and if you have emailverification as required on the frontend, post login, it should just redirect the user to the email verification screen. So you should not be seeing any 403s at all
i just signed up, and i saw the email verification screen
right
so i can reproduce it
post sign up, i get an email verification email.
But if i ignore it, and manua.ly go to your domain again, then i start seeing 403
So the issue is on your frontend code somewhere. Make sure that the mode for email verification on the frontend is set to REQUIRED. Also, make sure to use SessionAuth for protected pages - that should redirect to the email verification screen on its own. If you are not using SessionAuth, and checking for session manually via doesSessionExist, or via the sessionContext, then check for the email verification claim yourself and redirect to the email verification page if the claim value is false: https://supertokens.com/docs/thirdpartyemailpassword/common-customizations/email-verification/protecting-routes.
2 Views
PreviousNext
Powered by