# support-questions
i
Hi @rp , I have a problem with getting 502 error for POST /session/refresh, so i want to resolve this problem, can you help me?
r
Hey! Does the core throw this error?
i
No, it's from nginx, core throws 404
r
Are you querying the core directly?
i
I use middleware in app, session recipe has init. So POST /session/signout works fine. But for /session/refresh I get 404... It's strange for me
And bc of this, nginx proxy answers with 502
r
can you enable the backend debug logs and then query session refresh?
i
Hmm, I can try
And another question, I have done dynamic get origin from userContext, can I put websiteDomain like this 😄?
r
yea you can
i
But how, there is no userContext in supertokens init in appInfo)
r
oh.. i misunderstood. You should set the websiteDomain to any one of the domains in this case.. doesn't really matter. The websiteDomain is used to generate the reset password link for example, which you are changing anyway
i
Ah, ok
this is log for session refresh
r
so the core is throwing a 500 error?
i
Core throws badtagexception, do you see that?
r
yea. Does that yield a 500 error from the core?
i
Maybe yes
I dont really know
Proxy returns 502, maybe bc of 500 on core
r
What's the value of the input refresh token?
i
one moment
this is error, when i make front access token expired
unknown api is strange bc it uses this api for other operations and it works fine
srefresh token is 9hXe/BscCVehdUCeT5M96CW56R6knQxP4R0rJJ/JAX/pTbdJuR0u2rXhAfJ0S+9wjpH9wb9Hlpi+QytOkXOYoCWiD7UDjwuV/7SXiI7CCwz/cSG2IDKd/8xIgpb5p9WEpX+q6/7N9KSA52yGdyohwKTLKGi0HFjUUKKvfll4eUpFP+z518PgL5k6JhPfQLIXeGcYr2cKbKtZy6cqThdt8Morw/2U4Mz1KsBCepEanxiN9c7fp0EVXEM+tplJ4ac4c0wLgpcPTEIn0r5xn1JQ.ea821154d86377cb94bb78908aa863ad6e3baabfabb2ffd0a065ddca5c0061c6.V2
I describe my algo to make it clear
I login with yandex for example. In the frontend I see sFrontToken and sIRTFrontend. I make sFrontToken expired and reload the page. So now it throws unknown api called. And the page is reloading infinitely. Then I clear cookies and it sends me to the login page. I login with yandex, and only at this moment it does the refresh session action and puts me on the same page with new tokens. And when I reload the page, I get my profile with a new session
Do you understand what reasons can cause this problem?
r
So you are providing an invalid refresh token to the core. This would yield the following response from the core:
```json
{
  "status": "UNAUTHORISED",
  "message": "javax.crypto.AEADBadTagException: Tag mismatch!"
}
```
With a 200 status code. Now the backend SDK would process this response and return a 401 to the frontend clearing the cookies and logging out the user.
i
Hmm, I don't really understand why the refresh token is invalid, and what I have to do to fix this problem
r
well, does this happen all the time on login? Maybe something on your end is modifying the refresh token somehow
like some proxy server in the middle
i
The main problem is that it happens every time
r
then you should check your nginx.. maybe that's doing something weird to the headers
i
2 month ago it has blocked by logout user from site, when it starts spam 401 for session refresh
Now I am trying to avoid so bad way of logic, bc we go to release
r
Maybe try removing Nginx and seeing if this type of error still happens?
i
And for this request srefresh token go as header?
r
to the core or to the backend SDK?
i
To core maybe, im not sure
Or to sdk
r
to the sdk, it goes as cookies (from the frontend)
to the core, it goes in JSON body
i
it puts tokens without nginx for the first time, then I make accessToken expired, then reload and the access token and refresh token are gone. So for the second time I met the old problem
r
If you make the access token expired, a refresh should give you new tokens. Is that not happening?
i
yes
there are no tokens after that
r
What happens when you call the refresh api? What’s the input and what’s the output?
Can you show me the request and response headers. All of it. Along with the response status code
i
signin
refresh
r
The refresh token is not being sent by the browser
What’s the set-cookie header response in sign in?
Can you show me the set-cookie header in full?
In this one, are these all the request headers?
Also what’s weird is that the browser is not sending the refresh token in that request
Does it have a preflight OPTIONS request? What are the response headers in there?
i
moment
r
And you have removed nginx completely right?
i
yes
i go to host without enabled nginx
r
How are you calling the refresh api?
Cause the access token is getting sent to it as well
Can we get on a call?
i
yeah, i will write when i can call
r
I’m free now
i
Go
now
i
ok, it works now, thank you very much. Last thing is question about how i can clear frontend tokens when backend expires?
r
Do you mean that how to clear tokens on the frontend if the backend revokes the session without the frontend calling sign out explicitly?
i
Yeah
r
you can't clear the frontend tokens that way.. they will auto clear when they try and refresh
i
Ok