https://supertokens.com/ logo
Join Discord
Powered by
Hi guys! I've come across a pretty strange behavio...
# support-questions-legacy
a
Hi guys! I've come across a pretty strange behavior. I'm using the SDK in a react native app. In order to maintain the session state i routinely check "SuperTokens.doesSessionExist()" and with that answer go forward with an authorized/unauthorized user. What i have discovered is that when the session expires, the method "doesSessionExist", still resolves true.
r
hey @Axel
a
Yo!
r
when the session expires meaning that the access token has expired? or that the refresh token has expired too?
a
no, its the access token. Because i can run the "attemptRefreshingSession()" method instead of "doesSessionExist()" as a work around
r
right yea. So in this case, a session does exist. It's just that the access token has expired.
a session fails to exist when the refresh token was revoked or has expired.
a
ok that explains it actually, what is your recommendation if i just want a simple way to check if a session is valid?
Should i go for "getUserId()"? if it is an empty string the session is false? or something like that?
r
not really. You shouldn't have to worry about access token expiration. Just use the functions freely. Refreshing happens on its own
a
huh, that sparks a couple of questions. Refreshing happens on its own?
r
yea. Are you using axios?
if so, you need to add our axios interceptors to your axios instance
and then it will do auto refresh when you make an API call
a
ooh, ok. No i have a simple fetch call right now. Was hoping to make use of your coming fix to intercept apollo requests
r
fetch interception also should happen on its own
a
hmm
r
as long as you called session.init
a
yep
wait, session.init?
r
in the request that you make, what are all the headers that sent in the request?
> wait, session.init? Oh sorry
just supertokens.init
a
ye
hehe
with a google login i send:
headers: { 'Content-Type': 'application/json', rid: 'emailpassword', },
r
right. So interception is happening
oh wait no..
i mean can you show me the request headers for an API call to one of your APIs?
a
yeah
r
that you call using fetch
post login
a
r
right. So interception is happening
now if the API returns 401, does it not call the refresh APi?
a
no, i've tried it locally with an expiry timer on 1 min. And i have to manually call refresh in order to get it to do exactly that
r
hmm. Does the API return a 401 if the access token has expired?
a
call "attemptRefreshing.."
hmm.. that i haven't tried actually
or checked rather
r
so you should let the access token expire and then call an API that uses verifySession. That API should return a 401 which should trigger a refresh API call on its own
so you don't need to call "attemptRefreshing.."
a
I have to check how it is done in the backend. It's not me who set that part up
r
right. All you should see is that the API returns a 401 when access token has expired or is missing
a
aight, give me a couple of mins
have to set things up locally
ok
so i did not get a 401 back
i only got an error from hasura, saying "code: access-denied"
so maybe it is the hasura middle layer interrupting me again
?
But i gues that that is good enough. "code: access-denied" is the translation of 401, so i can handle that error in the client side.
r
yea. but it's better for the backend to send 401
you shouldn't have to handle refreshing on your frontend
a
I fully agree but with the requests going through hasura i dont really see a better way for now.
But at least now i know how it works
So a huge thanks for the help today! I
You'll probably hear from me again sometime 🙂 Merry christmas!
r
sounds good 🙂
16 Views
PreviousNext
Powered by