Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
i
IaS1506
10/04/2022, 8:09 PMHi @rp , I have a problem with getting 502 error for POST /session/refresh, so i want to resolve this problem, can you help me?
r
rp
10/05/2022, 3:53 AMHey! Does the core throw this error?
i
IaS1506
10/05/2022, 6:41 AMNo, its from nginx, core throws 404
r
rp
10/05/2022, 6:42 AMAre you querying the core directly?
i
IaS1506
10/05/2022, 6:45 AMI use middleware in app, session recipe has init. So Post /session/signout works fine. But for /session/refresh i get 404.... It strange for me
And bc of this, nginx proxy answers with 502
r
rp
10/05/2022, 6:46 AMcan you enable the backend debug logs and then query session refresh?
i
IaS1506
10/05/2022, 6:51 AMHmm, I can try
And one another question, I have done dinamic get origin from userContext, can i put websiteDomain like this😄?
r
rp
10/05/2022, 6:53 AMyea you can
i
IaS1506
10/05/2022, 6:55 AMBut how, there is no userContext in supertokens init in appInfo)
r
rp
10/05/2022, 6:56 AMoh.. i misunderstood. You should set the websiteDomain to any one of the domains in this case.. doesn't really matter. The websiteDomain is used to generate the reset password link for example, which you are changing anyway
i
IaS1506
10/05/2022, 6:56 AMAh, ok
this is log for session refresh
r
rp
10/05/2022, 7:55 AMso the core is throwing a 500 error?
i
IaS1506
10/05/2022, 7:57 AMCore throw badtagexception, do you see that?
r
rp
10/05/2022, 7:57 AMyea. Does that yield a 500 error from the core?
i
IaS1506
10/05/2022, 7:58 AMMaybe yes
I dont really know
Proxy returns 502, maybe bc of 500 on core
r
rp
10/05/2022, 8:01 AMWhats the value of the input refresh token?
i
IaS1506
10/05/2022, 8:06 AMone moment
this is error, when i make front access token expired
unknown api is strange bc it use this api for other operations and its works fine
srefresh token is 9hXe/BscCVehdUCeT5M96CW56R6knQxP4R0rJJ/JAX/pTbdJuR0u2rXhAfJ0S+9wjpH9wb9Hlpi+QytOkXOYoCWiD7UDjwuV/7SXiI7CCwz/cSG2IDKd/8xIgpb5p9WEpX+q6/7N9KSA52yGdyohwKTLKGi0HFjUUKKvfll4eUpFP+z518PgL5k6JhPfQLIXeGcYr2cKbKtZy6cqThdt8Morw/2U4Mz1KsBCepEanxiN9c7fp0EVXEM+tplJ4ac4c0wLgpcPTEIn0r5xn1JQ.ea821154d86377cb94bb78908aa863ad6e3baabfabb2ffd0a065ddca5c0061c6.V2
I describe my algo to make it clear
i login with yandex for example. in the frontend i see sFrontToken and sIRTFrontend. I make sFrontToke expired and reload page. So now it throws unknown api called. And page is in infinity reloading. Then I clear cookies and it sends me to login page. I login with yandex, and only on this moment it does the refresh session action and put me to the same page with new tokens. And when i reload page, I get my profile with a new session
Do you understand what reasons can cause this problem?
r
rp
10/05/2022, 8:24 AMSo you are providing an invalid refresh token to the core. This would yield the following response from the core:
{
"status": "UNAUTHORISED",
"message": "javax.crypto.AEADBadTagException: Tag mismatch!"
}i
IaS1506
10/05/2022, 8:27 AMHmm, I don't really understand, why is refresh token is invalid, and what i have to do to fix this problem
r
rp
10/05/2022, 8:27 AMwell, does this happen all the time on login? Maybe something on your end is modifying the refresh token somehow
like some proxy server in the middle
i
IaS1506
10/05/2022, 8:28 AMThe main problem is that it is happen every times
r
rp
10/05/2022, 8:28 AMthen you should check your ngix.. maybe that's doing something weird to the headers
i
IaS1506
10/05/2022, 8:30 AM2 month ago it has blocked by logout user from site, when it starts spam 401 for session refresh
Now I am trying to avoid so bad way of logic, bc we go to release
r
rp
10/05/2022, 8:31 AMMaybe try removing Nginx and seeing if this type of error still happens?
i
IaS1506
10/05/2022, 8:35 AMAnd for this request srefresh token go as header?
r
rp
10/05/2022, 8:36 AMto the core or to the backend SDK?
i
IaS1506
10/05/2022, 8:36 AMTo core maybe, im not sure
Or to sdk
r
rp
10/05/2022, 8:37 AMto the sdk, it goes as cookies (from the frontend)
to the core, it goes in JSON body
i
IaS1506
10/05/2022, 9:18 AMit puts tokens without nginx for first time, then i make accessToken expired, then reload and access token and refresh token is gone. So for the second time i met old problem
r
rp
10/05/2022, 9:18 AMIf you make the access token expired, a refresh should give you new tokens. Is that not happening?
i
IaS1506
10/05/2022, 9:21 AMyes
there no tokens after that
r
rp
10/05/2022, 9:21 AMWhat happens when you call the refresh api? What’s the input and what’s the output?
Can you show me the request and response headers. All of it. Along with the response status code
i
IaS1506
10/05/2022, 9:23 AMsignin
refresh
r
rp
10/05/2022, 9:24 AMThe refresh token is not being sent by the browser
What’s the set-cookie header response in sign in?
Can you show me the set-cookie header in full?
In this one, are these all the request headers?
Also what’s weird is that the browser is not sending the refresh token in that request
Does it have a preflight OPTIONS request? What are the response headers in there?
i
IaS1506
10/05/2022, 9:33 AMmoment
r
rp
10/05/2022, 9:35 AMAnd you have removed nginx completely right?
i
IaS1506
10/05/2022, 9:37 AMyes
i go to host without enabled nginx
r
rp
10/05/2022, 9:38 AMHow are you calling the refresh api?
Cause the access token is getting sent to it as well
Can we get on a call?
i
IaS1506
10/05/2022, 9:39 AMyeah, i will write when i can call
r
rp
10/05/2022, 9:40 AMI’m free now
i
IaS1506
10/05/2022, 9:40 AMGo
now
r
rp
10/05/2022, 9:41 AMi
IaS1506
10/05/2022, 10:54 AMok, it works now, thank you very much. Last thing is question about how i can clear frontend tokens when backend expires?
r
rp
10/05/2022, 12:44 PMDo you mean that how to clear tokens on the frontend if the backend revokes the session without the frontend calling sign out explicitly?
i
IaS1506
10/05/2022, 2:07 PMYeah
r
rp
10/05/2022, 2:08 PMyou can't clear the frontend tokens that way.. they will auto clear when they try and refresh
i
IaS1506
10/05/2022, 2:08 PMOk