Just wanted to ask if we have to do custom implementation of

Question

Just wanted to ask if we have to do custom implementation of Session verification on the backend in case standard request response objects are not available how can we do that

rp · Answer

hey < mib200>

rp · Answer

at the moment we don t You need to use our verifySession or getSession function But soon in a few weeks time we will have a way So stay tuned

mib200 · Answer

I was thinking can t we extend those functions

rp · Answer

you can make your own request and response wrapper for those functions that works with your framework

mib200 · Answer

My exact use case is that when I am unable to find cookies on the backend I should be able to set new cookies without the user being redirected to login page

rp · Answer

why would you not be able to find cookies

mib200 · Answer

after he is redirected to login page the front end SDK refreshes the session and user goes back into protected pages

mib200 · Answer

but this looks quite glitchy

rp · Answer

right So does the frontend request send the cookies in the API call

mib200 · Answer

I check for `sFrontToken` in the backend cookies

rp · Answer

that won t exist

mib200 · Answer

and when it is not available the user is redirected to login page

rp · Answer

you need to see the sAccessToken and sIdRefresgToken

mib200 · Answer

correct by the way I am using this in sub domain context

mib200 · Answer

so I only have `sFrontToken` and one other cookie

mib200 · Answer

surprisingly the frontend somehow re establishes the session even when this cookie is expired and removed from frontend And again this is on a sub domain context

rp · Answer

so sFrontTokens is not meant for the backend

rp · Answer

the backend should only care about sAccessToken really

rp · Answer

so make sure that that s being sent by the browser

rp · Answer

or the sRefreshToken in case of the refresh API

mib200 · Answer

but that is not available to a sub domain So if auth was done for auth example com `sAccessToken` is available on that domain The cookies available on internal example com does not have the above cookie It only receives `sFrontToken`

mib200 · Answer

As the documentation says `sFrontToken` Used to access a session s access token payload and user ID on the frontend without exposing the `sAccessToken`

mib200 · Answer

this is maybe for sub domain security

rp · Answer

oh you can make it available on sub domains as well

rp · Answer

https supertokens com docs session common customizations sessions multiple api endpoints

rp · Answer

sFrontToken should not be used for verifying access since it s not signed Stick to using the sAccessToken

mib200 · Answer

let me double check this

mib200 · Answer

maybe I configured something wrong

mib200 · Answer

strange

mib200 · Answer

< rp> you are right Cookies can be exposed to subdomains

mib200 · Answer

I was declaring session scope

mib200 · Answer

cookie domain definition was missing

rp · Answer

great

mib200 · Answer

< rp> another quick question Now that I have these cookie tokens in backend and I don t have any way to use Session method from node SDK on AstroJS to get session

mib200 · Answer

what do you suggest how should get the tokens refreshed from the backend call itself in SSR

rp · Answer

yeaa so that goes back to my initial message

mib200 · Answer

instead of waiting for frontend to refresh it

rp · Answer

you can t get tokens refreshed from backend

rp · Answer

cause the refresh token is only available on the frontend

mib200 · Answer

But we do get `sIdRefreshToken` in backend

mib200 · Answer

from cookies

rp · Answer

thats not the refresh token

rp · Answer

even though it has a similar name

rp · Answer

the refresh token is `sRefreshTokens`

rp · Answer

and is only sent on the refresh API path

rp · Answer

so if the access token is expired or missing send back a 401

rp · Answer

and the frontend will call the refresh API

rp · Answer

Now about support for astroJS you should create a wrapper for that like how we have for express

mib200 · Answer

ok so no rolling session is possible from backend This has to be done from the frontend only

rp · Answer

yea

mib200 · Answer

Last question where is this `sRefreshTokens` stored on frontend

mib200 · Answer

I can t see it in cookies

rp · Answer

Navigate to the api domain on the refresh API path on your browser

rp · Answer

you will see it then

rp · Answer

are you using our SDK with a different backedn thats not AstroJS

rp · Answer

like with express

mib200 · Answer

Yes I am using your example from NextJS

rp · Answer

right i see

rp · Answer

and a different astrojs backend

mib200 · Answer

backend and frontend both on nestjs

mib200 · Answer

connection URI as https try supertokens com

mib200 · Answer

nextJS I meant

rp · Answer

right

rp · Answer

so where does astroJS come in

rp · Answer

cause you mentioned that before

mib200 · Answer

that is a different project where I am trying to do the same thing using the same methods since I am not very fond of NextJS

rp · Answer

ahh i see

mib200 · Answer

my apologies for the confusion

rp · Answer

haha no worries

mib200 · Answer

< rp> so where do I get these `sRefreshTokens`

rp · Answer

the browser will send this to the backend when you call the referesh API

mib200 · Answer

I meant where can I see them in browser They are not in cookie storage Just want to understand the flow coz if they are being sent to server with some data and that data is not there in browser how tokens are getting refreshed

rp · Answer

it is on the browser cookies for dsure

rp · Answer

navigate to api domain and to the refresh API path