https://supertokens.com/ logo
Title
m

mib200

12/09/2022, 8:13 AM
Just wanted to ask, if we have to do custom implementation of Session verification on the backend in case standard request response objects are not available, how can we do that?
r

rp

12/09/2022, 8:14 AM
hey @mib200
at the moment, we don't. You need to use our verifySession or getSession function. But soon (in a few weeks time), we will have a way. So stay tuned.
m

mib200

12/09/2022, 8:16 AM
I was thinking, can't we extend those functions?
r

rp

12/09/2022, 8:16 AM
you can make your own request and response wrapper for those functions that works with your framework
m

mib200

12/09/2022, 8:16 AM
My exact use case is that when I am unable to find cookies on the backend, I should be able to set new cookies without the user being redirected to login page
r

rp

12/09/2022, 8:17 AM
why would you not be able to find cookies?
m

mib200

12/09/2022, 8:17 AM
after he is redirected to login page, the front end SDK refreshes the session and user goes back into protected pages
but this looks quite glitchy
r

rp

12/09/2022, 8:17 AM
right. So does the frontend request send the cookies in the API call?
m

mib200

12/09/2022, 8:18 AM
I check for
sFrontToken
in the backend cookies
r

rp

12/09/2022, 8:18 AM
that won't exist
m

mib200

12/09/2022, 8:18 AM
and when it is not available, the user is redirected to login page
r

rp

12/09/2022, 8:18 AM
you need to see the sAccessToken and sIdRefresgToken
m

mib200

12/09/2022, 8:18 AM
correct, by the way, I am using this in sub-domain context
so I only have
sFrontToken
and one other cookie
surprisingly, the frontend somehow re-establishes the session even when this cookie is expired and removed from frontend... And again, this is on a sub domain context.
r

rp

12/09/2022, 8:20 AM
so sFrontTokens is not meant for the backend
the backend should only care about sAccessToken really
so make sure that that's being sent by the browser.
or the sRefreshToken in case of the refresh API
m

mib200

12/09/2022, 8:22 AM
but that is not available to a sub-domain. So if auth was done for "auth.example.com",
sAccessToken
is available on that domain The cookies available on "internal.example.com" does not have the above cookie. It only receives
sFrontToken
As the documentation says: `sFrontToken`: Used to access a session's access token payload and user ID on the frontend without exposing the
sAccessToken
.
this is maybe for sub-domain security
r

rp

12/09/2022, 8:26 AM
oh you can make it available on sub domains as well
sFrontToken should not be used for verifying access since it's not signed. Stick to using the sAccessToken
m

mib200

12/09/2022, 8:29 AM
let me double check this
maybe I configured something wrong
strange
@rp you are right! Cookies can be exposed to subdomains
I was declaring session scope
cookie domain definition was missing
r

rp

12/09/2022, 9:11 AM
great!
m

mib200

12/09/2022, 9:12 AM
@rp another quick question. Now that I have these cookie tokens in backend, and I don't have any way to use Session method from node SDK on AstroJS to get session
what do you suggest, how should get the tokens refreshed from the backend call itself in SSR
r

rp

12/09/2022, 9:12 AM
yeaa.. so that goes back to my initial message
m

mib200

12/09/2022, 9:13 AM
instead of waiting for frontend to refresh it
r

rp

12/09/2022, 9:13 AM
you can't get tokens refreshed from backend
cause the refresh token is only available on the frontend
m

mib200

12/09/2022, 9:13 AM
But we do get
sIdRefreshToken
in backend
from cookies
r

rp

12/09/2022, 9:14 AM
thats not the refresh token
even though it has a similar name
the refresh token is
sRefreshTokens
and is only sent on the refresh API path
so if the access token is expired or missing, send back a 401
and the frontend will call the refresh API
Now about support for astroJS, you should create a wrapper for that like how we have for express
m

mib200

12/09/2022, 9:15 AM
ok, so no rolling session is possible from backend. This has to be done from the frontend only
r

rp

12/09/2022, 9:15 AM
yea
m

mib200

12/09/2022, 9:15 AM
Last question, where is this
sRefreshTokens
stored on frontend
I can't see it in cookies
r

rp

12/09/2022, 9:16 AM
Navigate to the api domain on the refresh API path on your browser
you will see it then
are you using our SDK with a different backedn thats not AstroJS?
like with express?
m

mib200

12/09/2022, 9:17 AM
Yes, I am using your example from NextJS
r

rp

12/09/2022, 9:17 AM
right i see
and a different astrojs backend?
m

mib200

12/09/2022, 9:17 AM
backend and frontend both on nestjs
connection URI as https://try.supertokens.com
nextJS I meant
r

rp

12/09/2022, 9:18 AM
right
so where does astroJS come in?
cause you mentioned that before
m

mib200

12/09/2022, 9:18 AM
that is a different project where I am trying to do the same thing using the same methods since I am not very fond of NextJS
r

rp

12/09/2022, 9:18 AM
ahh i see
m

mib200

12/09/2022, 9:19 AM
my apologies for the confusion
r

rp

12/09/2022, 9:19 AM
haha no worries
m

mib200

12/09/2022, 9:24 AM
@rp so where do I get these?
sRefreshTokens
r

rp

12/09/2022, 9:29 AM
the browser will send this to the backend when you call the referesh API
m

mib200

12/09/2022, 9:35 AM
I meant where can I see them in browser. They are not in cookie storage. Just want to understand the flow, coz if they are being sent to server with some data, and that data is not there in browser, how tokens are getting refreshed.
r

rp

12/09/2022, 9:37 AM
it is on the browser cookies for dsure
navigate to api domain and to the refresh API path