I hope it isn't a bother, but I was hoping to learn more about this comment from GitHub:
> The only issue with the steps you mentioned is that the page the user needs to be redirected to must have the same path as the refresh token API (that is provided by us). That path is `/{apiBasePath}/session/refresh` (`/auth/session/refresh` by default). The reason for this is that the refresh token cookie is restricted to be sent to only that exact path (for security reasons).
I was curious to know how this helps security, and how SuperTokens enforces this. I noticed that my Remix trick indeed fails to work unless I have the user visit `/auth/session/refresh` from the browser.
rp_st
07/05/2022, 6:02 PM
This is enforced via the cookie's path config. It's a config that tells the browser which path to send the cookie on.
rp_st
07/05/2022, 6:02 PM
And it increases security by limiting the network exposure of the refresh token.