https://supertokens.com/ logo
Join Discord
Powered by
hey, is there a way to get access token and refres...
# support-questions-legacy
a
hey, is there a way to get access token and refresh token validity from the backend? I am using golang.
r
hey!
Do you mean get the amount of time left for a session before it expires? Or the actual lifetime vvalues?
a
the datetime value of when the token expires
r
a
what value do I need to pass for
Copy code
sessionHandle
?
r
you can get that from the session object
there should be a session.GetHandle() function
(it's basically the session ID)
a
oh, actually the scenario is I want to identify whether a session is active or not - whether both access or refresh tokens are available or only refresh token is available
currently I am lying on 
session.GetSession(c.Request, c.Writer, &options) to get sessionContainer
and using the error message to return accordingly or if sessionContainer is nil, I return saying session is expired
r
Yea that will return an error like try refresh token if the access token has expired.
but why don't you just use our verifySession middleware? That will take care of sending an appropriate response to the client
a
FE needs this API in order to determine whether a session is active - if active, is refresh token available to handle the scenario where if user closes the browser/tab and reopens it, FE needs to know what page it should show depending on the API response
r
If you pass options to GetSession that make sesssion optional, and if it returns nil as the session container, it means no session exists (and no refresh token exists)
if GetSession returns an error like try referesh token, it means that access token doesn't exist, but refresh token does - so here you should send a 401 to the client and it should refresh on its own (if you are using our interceptors on the frontend)
a
will check that out, thanks @rp_st
hey @rp_st , I have created an API which calls 
GetSession
and returns appropriate responses when a session is expired, session exists or a call to refresh api is needed, I tested out the scenarios in postman by deleting cookies, it worked for me, but from the browser, in spite of cookies being attached the API is not able to find the session
not sure what is going wrong
r
Hey! Can you avoid using GetSession and use VerifySession instead? It will be easier
If you have to use GetSession, then can you enable debug logs on the frontend and backend and then show me the output when you make the API call that fails.
a
Copy code
antiCsrfCheck := true
    sessionRequired := true
    options := sessmodels.VerifySessionOptions{
        AntiCsrfCheck:   &antiCsrfCheck,
        SessionRequired: &sessionRequired,
    }
it worked with sessionRequired=true, I was passing it false earlier
r
and what is the code after this runs?
a
Copy code
sessionContainer, err := session.GetSession(c.Request, c.Writer, &options)
    if err != nil && sessionContainer == nil {
        ginutil.JSONError(c, http.StatusUnauthorized, nil, "try refresh token")
        return
    }

    if sessionContainer == nil {
        ginutil.JSONError(c, http.StatusNotFound, nil, "session expired")
        return
    }

    if sessionContainer.GetAccessToken() != "" {
        ginutil.JSON(c, nil, "OK")
        return
    }
r
And what are the options?
a
Copy code
options := sessmodels.VerifySessionOptions{
        AntiCsrfCheck:   &antiCsrfCheck,
        SessionRequired: &sessionRequired,
    }
r
Try this out:
Copy code
go
import (
    "fmt"
    "net/http"

    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func likeCommentAPI(w http.ResponseWriter, r *http.Request) {
    sessionContainer, err := session.GetSession(r, w, &options)

    if err != nil {
        err = supertokens.ErrorHandler(err, r, w)
        if err != nil {
            // TODO: send 500 to client
        }
        return
    }

    if sessionContainer == nil {
      // session does not exist
    } else {
      userID := sessionContainer.GetUserID()
    }
}
a
hey @rp_st I tried the above solution, I see that Cookie value is set in the browser, but 
sessionContainer
is nil
r
can you enable debug log and then call the API? And show me the output
a
r
Can i see the request headers as seen on chrome?
it seems that the cookies are not being sent. Either due to some misconfig, or because a session doesn't actually exist
a
r
right yea. so no cookies being sent
are you using axios?
a
not sure, will check
yes axios
r
adding interceptors?
a
Copy code
client.interceptors.request.use(
  (request) => {
    return request;
  },
  (error) => {
    return Promise.reject(error);
  },
);
r
i mean are you adding supertokens interceptors?
a
umm, no I don't see that
r
you should do that
see the docs,
a
will try, thanks
we are not using supertokens-auth-react on the FE, is there any other way to resolve this?
r
use supertokens-website
checkout the "plain javascript" code tabs
a
we are using ST on the backend only, is there any way to implement this without using any ST libs on the FE?
r
you can, but then you would have to change how sessions works to be "simpler". For example, you could override the session functions to simply create and return a JWT. Here you can see a demo app for this: https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-jwt-localstorage
a
hey @rp_st another related question, we have BE deployed on a dev server and FE is trying to integrate BE apis locally, the cookies are not being set in the browser, I tried adding 
cookieSameSite := "none"
and 
CookieSameSite: &cookieSameSite,
in session.Init, but I still see
r
Try giving the right apiDomain and websiteDomain values
Maybe @sattvikc2793 can help
s
I'll try it out and let you know. Just to confirm, u are setting up FE locally, i.e. localhost and BE is on some staging domain?
a
yes thats right
BE is on http
r
Hmm it wonโ€™t allow you to set backend on http with sameSite as none. You will require your backend to be on https
a
ohh, any other way we can achieve this until we get https on the server?
r
Uhmm. If you use the same domain on frontend and backend that would work too
Otherwise, not really
a
yeah, FE on the server works with BE, but for local setup FE is not able to call BE from server
r
Yeaa. You will need https Iโ€™m afraid
a
okay, what should be the 
cookieSameSite
value when we use https ?
r
None
โ€œnoneโ€
a
okay, thanks @rp_st
s
@alisha08770 you could use this - https://theboroer.github.io/localtunnel-www/ do to local testing with https.
a
we will try this, thanks
s
@alisha08770 I tried a setup similar to yours, backend on https and frontend on http://localhost:3000 , it works fine. With proper configuration of WebsiteDomain and APIDomain, things should work pretty smoothly. do let us know if you need any assistance.
a
ok, our Backend is on http, if it doesn't work after adding SSL, will surely let you know
s
works fine with http as well
r
if backend is in http, and sameSite is none, it won't work
s
my bad, works on firefox and not on chrome
a
oh will check on firefox
hey @rp_st @sattvikc , we moved our BE to https, but we still see the cookies are not being set on the FE
r
hey @alisha08770 can you show the debug logs, and can you show the screenshot of the set -cookie header in the response?
a
should I be setting the sameSite to none ?
r
yea most likely that's the issue
but the lin should have figured that on it's own if you give it the right values for api and website domain
a
FE is running on 
localhost:3000
and BE on 
{{baseURL}}/auth/v1/
this I am using in supertokens.init
r
can you show me debug log output?
a
I can't access the server logs
r
right. Can you ask someone who can?
or you can just try to set the sameSite to none
but i would advice not to set it yourself manually, instead, make sure that the rigth apiDomain and websiteDomain values are given to the backend and frontend.
a
will check both
r
did the apple issue get fixed btw?
a
no, it was some infra issue, not sure apple had blocked our server ip maybe because we did not have ssl
I think it should solve now that we have ssl
r
right. Makes sense
a
after adding sameSite="none"
cookies not being set
r
are you using axios on the frontend?
when u make the signinup API call
a
yes axios
r
did u add the interceptors to it?
supertokens interceptors
a
umm no
r
yea. that's the problem. Please do. You need to add the interceptor to all of your axios instances.
a
Copy code
import Session from "supertokens-auth-react/recipe/session";

const client = axios.create({
  headers: {
    "Content-Type": "application/json",
  },
  withCredentials: true,
});

Session.addAxiosInterceptors(client);
added this still the same issue
r
can you enable frontend logs and show me the output of them when you are calling the signinup API?
a
we are not using ST on the FE
r
im so confused
then where are you adding this interceptor?
if it's not on the frontend
a
I mean we are not calling supertokens.init in the FE
r
ohh i see.
you need to
otherwise the interceptor will not do anything
a
ohh
r
please see the quick setup guide ๐Ÿ™‚
a
we want to call the BE apis directly
r
you can
you just need to do supertokens.init
with the session recipe
a
ok will try that
r
and if you are not using our pre built UI on the frontend, you don't need to use the supertokens-auth-react SDK. You can directly use the supertokens-website SDK
see the "Plain Javascript" code tabs in the link above
and follow that
a
we are facing a related problem on the dev server
upon signup - cookies are being set in the browser with sameSite=none, but when FE calls a custom verify-session API which fetches the session
this API returns session not found
r
can you enable backend logs and show me the output when you call the API?
also, you should make sure that you have called supertokens.init on the FE and added axious interceptors
a
it worked previously when we didnt have https though
com.supertokens {t: "2022-06-28T15:15:08Z", message: "getSession: UNAUTHORISED because idRefreshToken from cookies is nil", file: "/go/pkg/mod/github.com/supertokens/supertokens-golang@v0.6.6/recipe/session/main.go:46" sdkVer: "0.6.6"}
from the logs
r
Right yea. So as it says, the cookies are not being sent
Are you sure that the interceptor is running on the frontend? Can I see the request headers?
a
no we haven't added the interceptor
r
You need to do that. If using axios
Otherwise things wonโ€™t work
It adds important headers for the browser to send cookies
a
oh, wondering how did it work previously (before adding ssl), we did not added FE interceptor previously
the problem seems to be that the verify-session API was using cache value, after disabling cache, it works ๐Ÿ˜„
r
Ok great! But please do add interceptors if using axios. Otherwise refreshing wonโ€™t work and the user will be logged out unnecessarily
a
hey @rp_st , we have a backend service which verifies session using the 
VerifySession
middleware for a few of the APIs
we have seen that we need to pass rid=session in the header for POST, PUT, DELETE apis
r
rid=anti-csrf should be passed
for the APIs that don't use verifySession, you can use an instead of axios that does not have the interceptor. For the APIs that do have verifySession, you shuold use the interceptor.
a
ok, so without using the interceptor, anti-csrf check will be disbled?
r
well, it won't be disabled. It will just fail
a
ok, to avoid adding headers we need to have interceptors added in the FE - is that right?
r
correct
a
ok, can we use 
supertokens-website
without supertokens.init ?
r
nope. You need to do supertokens.init
a
ok, thanks, we will add that and will let you know how it goes ๐Ÿ™‚
@pranay4349 ^
p
Hey @rp_st , As per your suggestion to use the ST Session in the react interceptors is not working in local machine. The API reqiests are succesful but I'm not able to access the response if I add the Session in interceptor.
Is there any thing that I'm missing or need to add anything extra?
r
Can I see code for what you are doing?
p
I'm using this supertokens-auth-react lib
sure
This is how I have added it
r
you don't need to do the client.inrterceptors... thing.
Also, you need to make sure that supertokens.init is being called
Can you enabled frontend logs and show me the output on app start and when you are making an API call
p
ok, looks like the debug logs are huge to share here
is it okay for you to join for a quick connect
r
can upload as a file
sure
p
hey @rp_st , I have a small concern wrt the interceptors, is it fine if we can connect on the same bridge above.
I'n not able to modify the response from interceptors, its throwing error
r
hey @pranay4349 sure
a
hey @rp_st , it worked with the changes you suggested
should we make the cookieSameSite attribute env specific, none for dev env and lax for qa, prod env?
FE will always be using dev BE in their local
r
yea. You should make it env specific
a
thanks for your help ๐Ÿ™‚
89 Views
PreviousNext
Powered by