rp
02/15/2022, 3:58 AM
rp
02/15/2022, 6:17 AM
window.location.origin
- On the backend, you can set the websiteDomain as your top level domain for the website.
- On the backend, you want to provide some callbacks to return the right sub domain for the user for things like creating a password reset link or email verification link. I can give you a list of which callbacks to provide if you tell me which recipe(s) you are using on the backend.
rp
02/15/2022, 6:21 AM
resetPasswordUsingTokenFeature.getResetPasswordURL function: https://supertokens.com/docs/emailpassword/common-customizations/reset-password/embed-in-page#step-3-changing-the-website-path-for-reset-password-ui-optional
And you want to provide the emailVerificationFeature.getEmailVerificationURL function: https://supertokens.com/docs/emailpassword/common-customizations/email-verification/embed-in-page#step-a-on-the-backend
In both these functions, you will want to fetch the right sub domain for the user and return the URL with the correct sub domain for that user.
rp
02/16/2022, 10:44 AM
doesSessionExist on b.example.com, that function call will return false
rp
02/16/2022, 10:56 AM
doesSessionExist on xyz.example.com, it will return false.
If you make an API call from xyz.example.com (to the same API domain as the one you query from abc.example.com), the cookies will go to the API, but then you can solve this issue by:
- During session creation, add the sub domain in the access token payload
- Post session verification, check that the sub domain in the access token payload is equal to the origin in the request. If it's not, reject the request (send a 401).
This way, you can restrict the session to be in just one sub domain, even though the different sub domains query the same API domain.