https://supertokens.com/ logo
Join Discord
Powered by
And how do you to the login / session creation ope...
# support-questions
r
And how do you to the login / session creation operation?
And how do you to the login / session creation operation?
Let’s move this conversation to a thread
@User
s
Currently relying on default route for signin. I have a function using axios to sign in at the moment, ``export async function signin(email: string, password: string): Promise { const body = { formFields: [ { id: 'email', value: email }, { id: 'password', value: password } ] } let response try { response = await axios.post('auth/signin', body) const userId = await SuperTokens.getUserId() store.commit('updateUserId', userId) console.log(await SuperTokens.doesSessionExist()) } catch (e) { console.log(e) } return response }``
r
Ok and then callling doesSessionExist return a true?
s
Yes, it does
r
What’s strange is that the browser isn’t even adding cookies to the graphql request
Can you make a REST endpoint that requires session verification and returns the userId,
Then call that using axios - just to make sure that at least that works?
s
Sure
r
Or even better, make the request using fetch
Since httplink uses fetch
s
I am still getting unauthorized. Looks like my cookies are not set properly. As checking for session right before sending the requests is returning false.
r
Hmmm. When the cookies are returned from the login API, do you see any warning printed on the console?
s
Nope, not any warnings. Do I have manually set sAccessToken in the cookies?
r
You don’t have manually set them
s
sFrontEnd is enough?
r
How about the set-cookie header from the login response, do you see a small orange triangle at the end of the header line?
No. The browser should be automatically setting the sAccessToken. That doesn’t seem to be happening. We need to see why
I see. Can you hover on the yellow triangle? What does it say?
s
SamSite="Lax" is has blocked it because due to cross site response
r
What’s your frontend domain?
And what websiteDomain have you set in the backend appInfo config?
s
It was set to localhost:8080. I just set it to http://plizz.mycorpsec.test
Now, it SameSite="None" is blocking it
r
So you want to set it to the same value as what you are testing this on
s
Is it possible to set websiteDomain as regex to handle multiple domains?
r
Not at the moment
But you can set it to any one of those domains, and then manually set sameSite in session.init on the backend to “none”
That’s assuming that the website domain you are testing on and the apiDomain have totally different top level domains
s
Ohh, I am trying to make proof of concept for multi tenant app. And people can register own sub domains. I wanted an single api to handle all sub domains request.
r
So if it’s sub domain, that works too. Set the websiteDomain on the backend to be equal to your top level domain
This way, sameSite should be automatically set to none
Is that happening?
s
I am only running it locally at the moment.
r
So if your frontend is loading on localhost:8080, you should set the websiteDomain on the backend as localhost:8080
In this case, sameSite=lax should work and you shouldn’t see the yellow triangle the browser is showing you
s
Ohh, I am sorry. yeah, it was set to localhost:8080. Lax prevented it.
r
Right.
s
Is there a work around for this at the moment?
r
just set the websiteDomaon on the backend to what you are testing with
And this would set the correct value for sameSite
And it should start working
s
SameSite="None" also blocks it because it is not secure
r
Ah. So then you have to make it https. There is no choice around that unfortunately. It’s a browser rule
One more thing that you could do is setup a local proxy for your API
For your frontend domain I mean*
So make localhost:8080 be the reverse proxy for your website domain
This way, you can load localhost:8080 on the browser and query the API which is on localhost:3000
And the sameSite=Lax should work
s
Right now I have sameSite to None, cookies sercure to true
Its working
r
ok awesome!
s
Thanks for the help @User !!!!
r
So now in the case of the testing and prod multi tenancy env, would this same setup work? Or is that still unknown?
s
Still unknown. Looks like we might have issue when user logins with different sub domains in the same browser.
I genuinely like the package, and I will try to contribute the docs as much as I can!
r
So we do support logging in via multiple sub domains
The session that is created is shared across all sub domains, or can be restricted to work on only that sub domain
s
I see. We do not want to share any session.
r
I see. So what you will want to do is: - On the frontend, the value of websiteDomain should be the current domain 
window.location.origin
- On the backend, you can set the websiteDomain as your top level domain for the website. - On the backend, you want to provide some callbacks to return the right sub domain for the user for things like creating a password reset link or email verification link. I can give you a list of which callbacks to provide if you tell me which recipe(s) you are using on the backend.
s
EmailPassword
Might wanna rename this thread 😅
r
You want to provide the 
resetPasswordUsingTokenFeature.getResetPasswordURL
function: https://supertokens.com/docs/emailpassword/common-customizations/reset-password/embed-in-page#step-3-changing-the-website-path-for-reset-password-ui-optional And you want to provide the 
emailVerificationFeature.getEmailVerificationURL
function: https://supertokens.com/docs/emailpassword/common-customizations/email-verification/embed-in-page#step-a-on-the-backend In both these functions, you will want to fetch the right sub domain for the user and return the URL with the correct sub domain for that user.
Sub domain support
s
Alright, I will look into these. Thanks for all the help.
Hey @User, about the value of websiteDomain in the frontend, did you mean cookieDomain?
r
No. I meant websiteDomain. Cookie domain would be used if you want to share the same session across sub domains - but you don't want to do that.
@User ^
s
Ohh, I am not sure where I would set websiteDomain? Currently, cookies are being set on all the sub domains in the browser. I have not set any cookieDomain in backend or frontened.a
r
Oh yea. You are using the supertokens-website SDK which doesn't have websiteDomain. So ignore that comment then.
s
Is there a way to disable cookie sharing?
r
by default, the cookies are not shared across sub domains
i mean the session is not shared across sub domains
That is, if a user logs into a.example.com, and you query 
doesSessionExist
on b.example.com, that function call will return 
false
s
I see. Currently I have abc.example.com on one tab and xyz.example.com on the other, when I login in first one, I see sAccessToken and refreshtoken set on the second one too
r
Yes. You would see those as the tokens are attached to the API domain, and not the website domain. But if you query 
doesSessionExist
on 
xyz.example.com
, it will return false. If you make an API call from 
xyz.example.com
(to the same API domain as the one you query to from 
abc.example.com
, the cookies will go in the API, but then you can solve this issue by: - During session creation, add the sub domain in the access token payload - Post session verification, check that the sub domain in the access token payload is equal to the origin in the request. If it's not, reject the request (send a 401). This way, you can restrict the session to be in just one sub domain, even though the different sub domains query the same API domain.
s
Okay. But does it mean I can still use multiple accounts in multiple domains in the same browser at the same time, like switch back and forth without signing out? I am bit confused.
r
hmm. So you won't be able to do that. Unless the API domain for each sub domain is also different.
s
Okay
r
is that a blocker for you? Im curious about your use case now.. haha
s
One of those extreme cases where our users can work across multiple tenants.
It would be an inconvenience 😂
r
hahah.. well... One solution for this would be to in fact share a session across sub domains, and if the user tries to access another sub domain than the one they logged in with, you can detect it's not the right sub domain and redirect them to the right one. Or, show a message saying that if you want to login to this concurrently, please use a different browser or a private window. Perhaps this could be a clean solution and a good UX.
s
Well, I will suggest this to my team. 😅
Would this have been possible in supertokens react?
r
The session would work exactly the same way with supertokens-auth-react
s
Alright. Thank you!
6 Views
PreviousNext
Powered by