hey! Quick question, is it possible somehow to allow multi-user signins? Imagine Figma or Google, where you can switch users anytime you want. Technically it would be possible with JWTs and store them individually but I don't want to lose subdomain support. With cookies it's a bit different, since they have the same name and logging in another user would overwrite the previous one. I was thinking about a middy middleware that would basically combine cookies from multiple users. Combine them on the way out (after:) and select the proper one on the way in (before:, based on another header, like "x-current-user-id"). What do you think about this, or is there another way that I can achieve this? Thanks

Hey @legolas8911 this is possible. Let me elaborate.

hey @rp , thanks for the quick response! I'm logged in with user X, I have the cookies for it, all fine. I now login with user Y. I have the current cookie on the login request that belongs to user X so I can basically create a new session for user Y and adding X in the access token payload like you mentioned above. All fine so far. But my cookies for user X will be overwritten by the ones from Y, isn't that right? That means that as soon as the session for X expires, it's gone, no refresh for that user. Only the last logged in user will have an autorefresh, right? Even if I have the user X userid in my Y session, I can't just change the currentUserId on switch since that would be a security issue as I see it, maybe user X was deleted in the meantime or something, I'll need to make the user login with X again

> But my cookies for user X will be overwritten by the ones from Y, isn't that right? Yes. This is what you want. > Only the last logged in user will have an autorefresh, right? Yes. > Even if I have the user X userid in my Y session, I can't just change the currentUserId on switch since that would be a security issue as I see it, maybe user X was deleted in the meantime or something, I'll need to make the user login with X agai So when you want to switch users, you can do that by making an API that will: - Check if user X is in the session (you add this to the access token payload when user Y logged in) and check if X is not deleted. - Call the createNewSession with userId of

X

and putting Y in the access token payload so that you can switch to user Y later on if needed.

const existingSession = await Session.getSession(input.res.event, input.res.event); (on lambda, using middy)

can you try:

await Session.getSession(input.req, input.res)

there is no input.res or input.req

oh sorry, it should be

input.options.req

and

input.options.res

req does not exist

also, you should call it with optional session flag cause during first login, there will be no session

2022-12-04T14:34:07.984Z e7ba1234-91ee-4845-b0a6-4fe904ebed5d INFO SESSION INPUT { res: AWSResponse { wrapperUsed: true, sendHTMLResponse: [Function (anonymous)], setHeader: [Function (anonymous)], setCookie: [Function (anonymous)], setStatusCode: [Function (anonymous)], sendJSONResponse: [Function (anonymous)], sendResponse: [Function (anonymous)], original: { version: '2.0', routeKey: '$default', rawPath: '/signin', rawQueryString: '', cookies: [Array], headers: [Object], requestContext: [Object], body: '{"formFields":[{"id":"email","value":"lEMAIL"},{"id":"password","value":"PASS"}]}', isBase64Encoded: false, supertokens: [Object] }, event: { version: '2.0', routeKey: '$default', rawPath: '/signin', rawQueryString: '', cookies: [Array], headers: [Object], requestContext: [Object], body: '{"formFields":[{"id":"email","value":"EMAIL"},{"id":"password","value":"PASS"}]}', isBase64Encoded: false, supertokens: [Object] }, statusCode: 200, content: '{}', responseSet: false, statusSet: false }, userId: 'UID', accessTokenPayload: { 'st-role': { v: [Array], t: 1670164447875 }, 'st-perm': { v: [Array], t: 1670164447983 } }, sessionData: {}, userContext: { _default: { request: [AWSRequest] } } }

ok right. So what you may want to do is to call

getSession

function in the login API instead with

input.options.req

and

input.options.res

Session.getSession, right?

yes

deploying

and the logs?

same getSession: Returning TRY_REFRESH_TOKEN because custom header (rid) was not passed

hmm.. thats weird. the request object should have that

rid

header in it

well it can't

Can you console log out

input.userContext._default.request

?

if I set it it breaks the login

which recipe are you using?

message: "middleware: Not handling because recipe doesn't handle request path or method. Request path: /signin, request method: post

set the

rid

as

thirdpartyemailpassword

heh, this works!

ok nice

let me check the logs, if it found the session

nice

to clarify, without this change, out of the box, it worked without setting any rid header so I assumed for login it doesn't need to be set

yea cause normally, login doesn't call the

getSession

function

(I was making test requests from Paw, not from a ST lib)

and

getSession

protects against CSRF using this

rid

header.

got it, thanks!