https://supertokens.com/ logo
p

PitchAsh

03/30/2022, 12:33 PM
How is the sIdRefreshToken used? Is it essential? Docs don’t give much detail
r

rp

03/30/2022, 12:53 PM
Hey! This is used by the verifySession function to know if a session exists or not in case the access token is missing (since that might have expired). If the sIdRefreshToken is there, the session does exist, in which case the function will return a try_refresh_token exception, else it will return an unauthorised exception. The lifetime of the sIdRefreshToken == lifetime of refresh token. So if sIdRefreshToken is not there, it means the session is not there.
p

PitchAsh

03/30/2022, 12:54 PM
Thank you. That’s clear
What does verify do if sIdRefreshToken cookie is not there but access token is and the access token is valid ?
r

rp

03/30/2022, 1:14 PM
It will give unauthorised
p

PitchAsh

03/30/2022, 1:16 PM
Refresh token will also require sIdRefreshToken?
r

rp

03/30/2022, 1:17 PM
yes
both should be sent automatically by the browser anyway
p

PitchAsh

03/30/2022, 1:18 PM
I’m having to switch from cookies to retuning the tokens in the response bodies.
r

rp

03/30/2022, 1:19 PM
Ohh I see
why though?
there is an example app that uses localstorage instead of cookies as the session token store: https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-localstorage
p

PitchAsh

03/30/2022, 1:20 PM
Several developers on the fe web and mobile apps much prefer tokens from confirm step and refresh token step to be in the response body.
r

rp

03/30/2022, 1:20 PM
Hmmm i see.
p

PitchAsh

03/30/2022, 1:21 PM
The local storage example was a good starting point, but that also returns them in a header. Returning the tokens in the Json payload is a bit more hassle
r

rp

03/30/2022, 1:21 PM
Fair enough. Also, the verifySession may change the access token as well. So if that happens, you need to return the new access token to the frontend
Which means, any API that uses verifySession can potentially return a new access token
So i would really avoid using the response body for the tokens
p

PitchAsh

03/30/2022, 1:22 PM
Ok thanks. I didn’t realise that. I assumed only refresh token did that.
r

rp

03/30/2022, 1:23 PM
verify does that whenever: - The user update the access token payload in their API; OR - The first verifySession call after a refresh token call changes the access token too
p

PitchAsh

03/30/2022, 1:24 PM
Does this mean that refresh tokens get extended on all api requests ?
r

rp

03/30/2022, 1:24 PM
nope
the lifetime of the token is unaffected
11 Views