a

alisha

06/03/2022, 6:13 AM
hey, is there a way to get access token and refresh token validity from the backend? I am using golang.
r

rp

06/03/2022, 6:32 AM
hey!
Do you mean get the amount of time left for a session before it expires? Or the actual lifetime values?
a

alisha

06/03/2022, 6:35 AM
the datetime value of when the token expires
r

rp

06/03/2022, 6:36 AM
a

alisha

06/03/2022, 6:38 AM
what value do I need to pass for sessionHandle?
r

rp

06/03/2022, 6:39 AM
you can get that from the session object
there should be a session.GetHandle() function
(it's basically the session ID)
a

alisha

06/03/2022, 6:43 AM
oh, actually the scenario is I want to identify whether a session is active or not - whether both access or refresh tokens are available or only refresh token is available
currently I am relying on session.GetSession(c.Request, c.Writer, &options) to get sessionContainer
and using the error message to return accordingly or if sessionContainer is nil, I return saying session is expired
r

rp

06/03/2022, 6:46 AM
Yea that will return an error like try refresh token if the access token has expired.
but why don't you just use our verifySession middleware? That will take care of sending an appropriate response to the client
a

alisha

06/03/2022, 6:48 AM
FE needs this API in order to determine whether a session is active - if active, is refresh token available to handle the scenario where if user closes the browser/tab and reopens it, FE needs to know what page it should show depending on the API response
r

rp

06/03/2022, 6:50 AM
If you pass options to GetSession that make session optional, and if it returns nil as the session container, it means no session exists (and no refresh token exists)
if GetSession returns an error like try refresh token, it means that access token doesn't exist, but refresh token does - so here you should send a 401 to the client and it should refresh on its own (if you are using our interceptors on the frontend)
a

alisha

06/03/2022, 7:11 AM
will check that out, thanks @rp
hey @rp, I have created an API which calls GetSession and returns appropriate responses when a session is expired, session exists or a call to refresh api is needed, I tested out the scenarios in postman by deleting cookies, it worked for me, but from the browser, in spite of cookies being attached the API is not able to find the session
not sure what is going wrong
r

rp

06/09/2022, 8:05 AM
Hey! Can you avoid using GetSession and use VerifySession instead? It will be easier
If you have to use GetSession, then can you enable debug logs on the frontend and backend and then show me the output when you make the API call that fails.
a

alisha

06/09/2022, 12:36 PM
antiCsrfCheck := true
sessionRequired := true
options := sessmodels.VerifySessionOptions{
    AntiCsrfCheck:   &antiCsrfCheck,
    SessionRequired: &sessionRequired,
}
it worked with sessionRequired=true, I was passing it false earlier
r

rp

06/09/2022, 12:45 PM
and what is the code after this runs?
a

alisha

06/09/2022, 12:53 PM
sessionContainer, err := session.GetSession(c.Request, c.Writer, &options)
if err != nil && sessionContainer == nil {
    ginutil.JSONError(c, http.StatusUnauthorized, nil, "try refresh token")
    return
}

if sessionContainer == nil {
    ginutil.JSONError(c, http.StatusNotFound, nil, "session expired")
    return
}

if sessionContainer.GetAccessToken() != "" {
    ginutil.JSON(c, nil, "OK")
    return
}
r

rp

06/09/2022, 12:55 PM
And what are the options?
a

alisha

06/09/2022, 12:58 PM
options := sessmodels.VerifySessionOptions{
    AntiCsrfCheck:   &antiCsrfCheck,
    SessionRequired: &sessionRequired,
}
r

rp

06/09/2022, 1:09 PM
Try this out:
import (
    "fmt"
    "net/http"

    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func likeCommentAPI(w http.ResponseWriter, r *http.Request) {
    // options is the sessmodels.VerifySessionOptions value built earlier
    sessionContainer, err := session.GetSession(r, w, &options)

    if err != nil {
        // ErrorHandler sends the SDK's response for session errors (such as try refresh token)
        err = supertokens.ErrorHandler(err, r, w)
        if err != nil {
            // TODO: send 500 to client
        }
        return
    }

    if sessionContainer == nil {
        // session does not exist
    } else {
        userID := sessionContainer.GetUserID()
        fmt.Println(userID) // use the value so the snippet compiles
    }
}
a

alisha

06/13/2022, 9:32 AM
hey @rp I tried the above solution, I see that Cookie value is set in the browser, but sessionContainer is nil
r

rp

06/13/2022, 9:37 AM
can you enable debug log and then call the API? And show me the output
Can I see the request headers as seen on chrome?
it seems that the cookies are not being sent. Either due to some misconfig, or because a session doesn't actually exist
right yea. so no cookies being sent
are you using axios?
a

alisha

06/13/2022, 10:23 AM
not sure, will check
yes axios
r

rp

06/13/2022, 10:25 AM
adding interceptors?
a

alisha

06/13/2022, 10:25 AM
client.interceptors.request.use(
  (request) => {
    return request;
  },
  (error) => {
    return Promise.reject(error);
  },
);
r

rp

06/13/2022, 10:25 AM
i mean are you adding supertokens interceptors?
a

alisha

06/13/2022, 10:26 AM
umm, no I don't see that
r

rp

06/13/2022, 10:26 AM
you should do that
see the docs,
a

alisha

06/13/2022, 10:27 AM
will try, thanks
we are not using supertokens-auth-react on the FE, is there any other way to resolve this?
r

rp

06/13/2022, 11:54 AM
use supertokens-website
checkout the "plain javascript" code tabs
a

alisha

06/13/2022, 11:56 AM
we are using ST on the backend only, is there any way to implement this without using any ST libs on the FE?
r

rp

06/13/2022, 11:57 AM
you can, but then you would have to change how sessions work to be "simpler". For example, you could override the session functions to simply create and return a JWT. Here you can see a demo app for this: https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-jwt-localstorage
a

alisha

06/14/2022, 3:18 PM
hey @rp another related question, we have BE deployed on a dev server and FE is trying to integrate BE apis locally, the cookies are not being set in the browser, I tried adding cookieSameSite := "none" and CookieSameSite: &cookieSameSite, in session.Init, but I still see
r

rp

06/14/2022, 3:21 PM
Try giving the right apiDomain and websiteDomain values
Maybe @sattvikc can help
s

sattvikc

06/14/2022, 3:32 PM
I'll try it out and let you know. Just to confirm, u are setting up FE locally, i.e. localhost and BE is on some staging domain?
a

alisha

06/14/2022, 3:34 PM
yes that's right
BE is on http
r

rp

06/14/2022, 3:37 PM
Hmm it won’t allow you to set backend on http with sameSite as none. You will require your backend to be on https
a

alisha

06/14/2022, 3:37 PM
ohh, any other way we can achieve this until we get https on the server?
r

rp

06/14/2022, 3:38 PM
Uhmm. If you use the same domain on frontend and backend that would work too
Otherwise, not really
a

alisha

06/14/2022, 3:39 PM
yeah, FE on the server works with BE, but for local setup FE is not able to call BE from server
r

rp

06/14/2022, 3:39 PM
Yeaa. You will need https I’m afraid
a

alisha

06/14/2022, 3:40 PM
okay, what should be the cookieSameSite value when we use https?
r

rp

06/14/2022, 3:40 PM
None
“none”
a

alisha

06/14/2022, 3:41 PM
okay, thanks @rp
s

sattvikc

06/16/2022, 9:38 AM
@alisha you could use this - https://theboroer.github.io/localtunnel-www/ to do local testing with https.
a

alisha

06/16/2022, 10:21 AM
we will try this, thanks
s

sattvikc

06/16/2022, 10:24 AM
@alisha I tried a setup similar to yours, backend on https and frontend on http://localhost:3000 , it works fine. With proper configuration of WebsiteDomain and APIDomain, things should work pretty smoothly. do let us know if you need any assistance.
a

alisha

06/16/2022, 10:27 AM
ok, our Backend is on http, if it doesn't work after adding SSL, will surely let you know
s

sattvikc

06/16/2022, 10:30 AM
works fine with http as well
r

rp

06/16/2022, 10:30 AM
if backend is in http, and sameSite is none, it won't work
s

sattvikc

06/16/2022, 10:39 AM
my bad, works on firefox and not on chrome
a

alisha

06/16/2022, 10:47 AM
oh will check on firefox
hey @rp @sattvikc , we moved our BE to https, but we still see the cookies are not being set on the FE
r

rp

06/28/2022, 7:52 AM
hey @alisha can you show the debug logs, and can you show the screenshot of the set-cookie header in the response?
a

alisha

06/28/2022, 7:59 AM
should I be setting the sameSite to none ?
r

rp

06/28/2022, 7:59 AM
yea most likely that's the issue
but the lib should have figured that out on its own if you give it the right values for api and website domain
a

alisha

06/28/2022, 8:08 AM
FE is running on localhost:3000 and BE on {{baseURL}}/auth/v1/
this I am using in supertokens.init
r

rp

06/28/2022, 8:11 AM
can you show me debug log output?
a

alisha

06/28/2022, 8:13 AM
I can't access the server logs
r

rp

06/28/2022, 8:14 AM
right. Can you ask someone who can?
or you can just try to set the sameSite to none
but I would advise not to set it yourself manually, instead, make sure that the right apiDomain and websiteDomain values are given to the backend and frontend.
a

alisha

06/28/2022, 8:15 AM
will check both
r

rp

06/28/2022, 8:16 AM
did the apple issue get fixed btw?
a

alisha

06/28/2022, 8:18 AM
no, it was some infra issue, not sure apple had blocked our server ip maybe because we did not have ssl
I think it should solve now that we have ssl
r

rp

06/28/2022, 8:22 AM
right. Makes sense
a

alisha

06/28/2022, 11:21 AM
after adding sameSite="none"
cookies not being set
r

rp

06/28/2022, 11:23 AM
are you using axios on the frontend?
when u make the signinup API call
a

alisha

06/28/2022, 11:29 AM
yes axios
r

rp

06/28/2022, 11:29 AM
did u add the interceptors to it?
supertokens interceptors
a

alisha

06/28/2022, 11:32 AM
umm no
r

rp

06/28/2022, 11:32 AM
yea. that's the problem. Please do. You need to add the interceptor to all of your axios instances.
a

alisha

06/28/2022, 11:39 AM
import axios from "axios";
import Session from "supertokens-auth-react/recipe/session";

const client = axios.create({
  headers: {
    "Content-Type": "application/json",
  },
  withCredentials: true,
});

Session.addAxiosInterceptors(client);
added this still the same issue
r

rp

06/28/2022, 11:49 AM
can you enable frontend logs and show me the output of them when you are calling the signinup API?
a

alisha

06/28/2022, 11:50 AM
we are not using ST on the FE
r

rp

06/28/2022, 11:51 AM
im so confused
then where are you adding this interceptor?
if it's not on the frontend
a

alisha

06/28/2022, 11:52 AM
I mean we are not calling supertokens.init in the FE
r

rp

06/28/2022, 11:52 AM
ohh i see.
you need to
otherwise the interceptor will not do anything
a

alisha

06/28/2022, 11:52 AM
ohh
r

rp

06/28/2022, 11:52 AM
please see the quick setup guide 🙂
a

alisha

06/28/2022, 11:53 AM
we want to call the BE apis directly
r

rp

06/28/2022, 11:53 AM
you can
you just need to do supertokens.init
with the session recipe
a

alisha

06/28/2022, 11:53 AM
ok will try that
and if you are not using our pre built UI on the frontend, you don't need to use the supertokens-auth-react SDK. You can directly use the supertokens-website SDK
see the "Plain Javascript" code tabs in the link above
and follow that
a

alisha

06/28/2022, 4:33 PM
we are facing a related problem on the dev server
upon signup - cookies are being set in the browser with sameSite=none, but when FE calls a custom verify-session API which fetches the session
this API returns session not found
r

rp

06/28/2022, 4:37 PM
can you enable backend logs and show me the output when you call the API?
also, you should make sure that you have called supertokens.init on the FE and added axios interceptors
a

alisha

06/28/2022, 5:08 PM
it worked previously when we didn't have https though
com.supertokens {t: "2022-06-28T15:15:08Z", message: "getSession: UNAUTHORISED because idRefreshToken from cookies is nil", file: "/go/pkg/mod/github.com/supertokens/supertokens-golang@v0.6.6/recipe/session/main.go:46" sdkVer: "0.6.6"}
from the logs
r

rp

06/28/2022, 5:10 PM
Right yea. So as it says, the cookies are not being sent
Are you sure that the interceptor is running on the frontend? Can I see the request headers?
a

alisha

06/28/2022, 5:11 PM
no we haven't added the interceptor
r

rp

06/28/2022, 5:11 PM
You need to do that. If using axios
Otherwise things won’t work
It adds important headers for the browser to send cookies
a

alisha

06/28/2022, 5:33 PM
oh, wondering how did it work previously (before adding ssl), we did not add FE interceptor previously
the problem seems to be that the verify-session API was using cache value, after disabling cache, it works 😄
r

rp

06/28/2022, 6:02 PM
Ok great! But please do add interceptors if using axios. Otherwise refreshing won’t work and the user will be logged out unnecessarily
a

alisha

06/29/2022, 9:57 AM
hey @rp, we have a backend service which verifies session using the VerifySession middleware for a few of the APIs
we have seen that we need to pass rid=session in the header for POST, PUT, DELETE apis
r

rp

06/29/2022, 10:00 AM
rid=anti-csrf should be passed
for the APIs that don't use verifySession, you can use an instance of axios that does not have the interceptor. For the APIs that do have verifySession, you should use the interceptor.
a

alisha

06/29/2022, 10:17 AM
ok, so without using the interceptor, anti-csrf check will be disabled?
r

rp

06/29/2022, 10:18 AM
well, it won't be disabled. It will just fail
a

alisha

06/29/2022, 10:18 AM
ok, to avoid adding headers we need to have interceptors added in the FE - is that right?
r

rp

06/29/2022, 10:18 AM
correct
a

alisha

06/29/2022, 10:20 AM
ok, can we use supertokens-website without supertokens.init?
r

rp

06/29/2022, 10:20 AM
nope. You need to do supertokens.init
a

alisha

06/29/2022, 10:21 AM
ok, thanks, we will add that and will let you know how it goes 🙂
@pranay ^
p

pranay

06/30/2022, 7:50 AM
Hey @rp, As per your suggestion to use the ST Session in the react interceptors is not working in local machine. The API requests are successful but I'm not able to access the response if I add the Session in interceptor.
Is there anything that I'm missing or need to add anything extra?
r

rp

06/30/2022, 7:52 AM
Can I see code for what you are doing?
p

pranay

06/30/2022, 7:52 AM
I'm using this supertokens-auth-react lib
sure
This is how I have added it
r

rp

06/30/2022, 7:53 AM
you don't need to do the client.interceptors... thing.
Also, you need to make sure that supertokens.init is being called
Can you enable frontend logs and show me the output on app start and when you are making an API call
p

pranay

06/30/2022, 8:03 AM
ok, looks like the debug logs are huge to share here
is it okay for you to join for a quick connect
r

rp

06/30/2022, 8:04 AM
can upload as a file
sure
p

pranay

06/30/2022, 9:46 AM
hey @rp , I have a small concern wrt the interceptors, is it fine if we can connect on the same bridge above.
I'm not able to modify the response from interceptors, it's throwing error
r

rp

06/30/2022, 10:00 AM
hey @pranay sure
a

alisha

07/01/2022, 8:12 AM
hey @rp , it worked with the changes you suggested
should we make the cookieSameSite attribute env specific, none for dev env and lax for qa, prod env?
FE will always be using dev BE in their local
r

rp

07/01/2022, 8:27 AM
yea. You should make it env specific
a

alisha

07/01/2022, 9:32 AM
thanks for your help 🙂