nicktgn
07/16/2023, 8:24 AM
/signInUp with third party provider and getting the new St-Access-Token I can use that token to hit my protected APIs and the ST does not change the St-Access-Token during token verification.
2. But if I do /session/refresh and use the new St-Access-Token from it to hit my protected APIs, ST sends new St-Access-Token every time I use the St-Access-Token from the refresh call. But if I use the updated one (obtained after verification), it stops updating access token on any subsequent calls to my APIs (and thus calls to verifySession()).
To better illustrate what's happening, here are two sample sequences:
Sequence 1:
1. call /signInUp -> get access token 1 and refresh token 1
2. call <protected API> with access token 1 -> call verifySession() -> all good, no access token updates
3. .... repeat 2 any number of times -> still no access token updates produced by verifySession()
Sequence 2:
1. call session/refresh with refresh token 1 -> get access token 2 and refresh token 2
2. call <protected API> with access token 2 -> call verifySession() -> verified, but also get access token 3
3. call <protected API> with access token 2 -> call verifySession() -> verified, but also get access token 4
....repeat
n. call <protected API> with access token 2 -> call verifySession() -> verified, but also get access token n+1
n+1. call <protected API> with access token n+1 -> call verifySession() -> verified and NO more access token updates
Is this an intended behaviour?
Thanks in advance.