# support-questions-legacy
n
Is there a quick way to invalidate all active sessions after a password reset? (Email + Password provider) It is a requirement for a security audit
r
hey @n1ru4l yea - override the API for password reset, call the original impl which returns the user id of the user and revoke all the session for that user.
n
Thank you!
okay so if I use `Session.revokeAllSessionsForUser`, I still have to blacklist the existing tokens?
r
oh yea. access token verification is still stateless.. so yea
n
okay i see
r
but you can enable access token blacklisting feature
what you can do is to create one API that does session verification and post that checks supertokens for the session handle and if it's missing, it revokes the session
and then call that API on every page load from the frontend by default
sort of a midway solution
n
Access Token Blacklisting should be fine
I have one follow up question regarding this - It works like a charm - however, on the frontend this raises the following uncaught exception:
```
Error: Either the session has ended or has been blacklisted
```
Is there a simple way to gracefully handle this? Is this even considered a bug?
oh I think it is happening on the backend
```
err: SessionError: Either the session has ended or has been blacklisted
      at Object.<anonymous> (/Users/laurinquast/Projects/graphql-hive-2/node_modules/.pnpm/supertokens-node@12.0.5/node_modules/supertokens-node/lib/build/recipe/session/sessionFunctions.js:245:19)
      at Generator.next (<anonymous>)
      at fulfilled (/Users/laurinquast/Projects/graphql-hive-2/node_modules/.pnpm/supertokens-node@12.0.5/node_modules/supertokens-node/lib/build/recipe/session/sessionFunctions.js:15:36)
      at runMicrotasks (<anonymous>)
      at processTicksAndRejections (node:internal/process/task_queues:96:5) {
    type: 'UNAUTHORISED',
    payload: { clearCookies: true },
    errMagic: 'ndskajfasndlfkj435234krjdsa',
    fromRecipe: 'session',
    page: '/[orgId]'
  },
```
yes
r
Oh yes. If this error runs through our errorHandler middleware on the backend, it will result in a 401 being sent to the frontend
n
so i need to handle it
r
Well, you can just make sure our errorHandler is run when this exception is thrown
Which function call is this error being thrown from? Is it on the session object (result of verifySession)?
n
this is again the server side props handler of Next.js
Session.getSession
r
Ahh I see
r
So yes. You need to handle this by sending a 401 to the frontend
Or redirecting the user to the login page
n
exactly redirect to login page seems to be right here
thanks!
r
Actually, I’m not sure if redirecting to the login screen will just work. Cause maybe the frontend still thinks that the session exists.
n
ill test now
r
So maybe it makes sense to send the same response as when it’s a try refresh token error. And then the frontend tries to refresh, which will clear all tokens on the frontend as well. Then a redirect to login would be better
n
yes redirecting to /auth results in an infinite loop 😄
r
Yeaaa. I thought so
So send back the same response as the try refresh error and see what happens
n
works 🙂
r
awesome!
m
Hi, I have recently deployed my Next.js app. It was working well on localhost but when I deployed it, it is stuck in an infinite loop to the auth page.
The backend for this is a Node+express app. Is there anything I am missing?
r
can you elaborate?
m
Sure,
I have the backend deployed at api.example.com, which is a node express app
```
appName: 'Super token test', apiDomain: 'https://api.example.com', websiteDomain: 'https://app.example.com', apiBasePath: '/auth', websiteBasePath: '/auth',
```
When I try to visit https://app.example.com/, it goes into an infinite loop and redirects to the auth page
r
do you use SessionAuth around your whole app? What's the redirect cycle?
m
I tried putting session auth around the whole app, but it did not work. Currently session auth protects pages other than auth
r
right. So that's good
where does it redirect from and to which page?
r
have you provided your own `/auth` page? are you doing any SSR on the `/auth` page?
m
Nope, I am using pre-built UIs and no SSR.
r
hmm
m
```tsx
import React, { useEffect } from 'react'
import dynamic from 'next/dynamic'
import SuperTokens from 'supertokens-auth-react'
import { redirectToAuth } from 'supertokens-auth-react'

// The SuperTokens pre-built UI is client-only, so it is loaded without SSR.
const SuperTokensComponentNoSSR = dynamic(
  new Promise((res) => res(SuperTokens.getRoutingComponent)) as any,
  { ssr: false },
)

export default function Auth() {
  // if the user visits a page that is not handled by us (like /auth/random), then we redirect them back to the auth page.
  useEffect(() => {
    if (!SuperTokens.canHandleRoute()) {
      redirectToAuth()
    }
  }, [])

  return <SuperTokensComponentNoSSR />
}
```
r
are you sure that is not being used on the `/auth` page?
can you print out something in the `if (!SuperTokens.canHandleRoute()) {` if statement?
m
sure
Just to let you know again, this is working well on localhost. But it fails when I deploy this to actual domains
r
the server returns a `404` when navigating to `/auth`, maybe that's the problem?
m
Yes but the only change I made between localhost and production is to change connectionURI and apiKey to production values
r
that's nothing to do with this
check your web server setting. It should not be returning a 404 on that path
if you are using netlify, then that might be causing this issue
where you may need to configure them to return the nextjs react bundle even on non-`/` paths
m
Yes this seems to be the issue, I will figure this out but my backend is also giving me a 404 for /auth routes
r
right yea