https://supertokens.com/ logo
Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Powered by
Title
p

productdevbook

12/13/2022, 7:09 AM
https://supertokens.com/docs/nodejs/modules/recipe_session.html how to backend verify access token ?
n

nkshah2

12/13/2022, 7:11 AM
Hi
Youre looking at the SDK reference page which is meant for function references as opposed to actual docs
Refer to this page: https://supertokens.com/docs/session/common-customizations/sessions/session-verification-in-api/verify-session
p

productdevbook

12/13/2022, 7:13 AM
how to used with graphql 
ts
   server.route({
      method: ['GET', 'POST'],
      url: graphqlPath,
      handler: graphql,
    })
r

rp

12/13/2022, 7:14 AM
for jwt verification, you can use any JWT library
again, it's in our docs.
p

productdevbook

12/13/2022, 7:23 AM
ts
  const response = await fetch(`${connectionUri}/recipe/session/verify`, {
    method: 'POST',
    headers: {
      'content-type': 'application/json',
      'api-key': apiKey,
      'rid': 'session',
    },
    body: JSON.stringify({
      accessToken,
      enableAntiCsrf: false,
      doAntiCsrfCheck: false,
    }),
  })
https://app.swaggerhub.com/apis/supertokens/CDI/2.16.2#/Session%20Recipe/verifySession used thank you
r

rp

12/13/2022, 7:25 AM
well. You don't need to use that. Instead, you should use the node JS SDK's verifySession middleware if you are verifying the sAccessToken. If you are verifying the JWT, use any JWT lib
See the link sent by @nkshah2 above for how to use the verifySession function
it's more efficient than calling the above API yourself.
p

productdevbook

12/13/2022, 7:29 AM
ts
 verifySession()(ctx.req, ctx.reply, (res) => {
            console.log(res)
          })
thats true ?
iam in graphql server used
r

rp

12/13/2022, 7:30 AM
so a better function to use would be the getSession function in this case
https://supertokens.com/docs/session/common-customizations/sessions/session-verification-in-api/get-session
cause you are not using the middleware like a middelware
p

productdevbook

12/13/2022, 7:33 AM
TypeError: Cannot read properties of undefined (reading 'wrapperUsed')
r

rp

12/13/2022, 7:34 AM
can i see the code?
p

productdevbook

12/13/2022, 7:34 AM
ts
        try {
            const session = await Session.getSession(ctx.req, ctx.res)

            if (session === undefined)
              throw new Error('Should never come here')

            const userId = session.getUserId()
            console.log(userId, 'aaa')
          }
          catch (error) {
            console.log(error, 'aaa')
          }
r

rp

12/13/2022, 7:34 AM
can you log out 
ctx.req
and 
cts.res
?
p

productdevbook

12/13/2022, 7:35 AM
log out ? -> see, yes all see
r

rp

12/13/2022, 7:36 AM
as in console.log
console.log(ctx.req, ctx.res)
p

productdevbook

12/13/2022, 7:40 AM
req data see but res empty
r

rp

12/13/2022, 7:40 AM
yea so thats the problem
you need to give it a response object
p

productdevbook

12/13/2022, 7:44 AM
okay now fixed res. 
SessionError: Session does not exist. Are you sending the session tokens in the request as cookies?
r

rp

12/13/2022, 7:45 AM
are you sending the JWT from the frontend as an authorization bearer token?
right. So the 
getSession
and 
verifySession
functions only work for our sAccessToken cookie
since you are using a JWT, you should use any JWT verification library for your framework
See this: https://supertokens.com/docs/session/common-customizations/sessions/with-jwt/jwt-verification
p

productdevbook

12/13/2022, 7:49 AM
hmm if this cookie comes in it is automatically verified right?
header etc dont verified, thats true
r

rp

12/13/2022, 7:50 AM
yea. So for getSession, the 
sAccessToken
and 
sIdRfereshToken
are required. In that case, you don't need to to send the authorization bearer token
p

productdevbook

12/13/2022, 7:56 AM
ts
 const client = jwksClient({
    jwksUri: 'http://localhost:3001/auth/jwt/jwks.json',
  })

  function getKey(header: JwtHeader, callback: SigningKeyCallback) {
    client.getSigningKey(header.kid, (err, key) => {
      const signingKey = key!.getPublicKey()
      callback(err, signingKey)
    })
  }

  console.log(token, 'token')
  JsonWebToken.verify(token, getKey, {}, (_err, decoded) => {
    const decodedJWT = decoded
    console.log(decodedJWT, 'decoded')
  })
undefined decoded
r

rp

12/13/2022, 7:56 AM
what is the _err?
p

productdevbook

12/13/2022, 7:57 AM
JsonWebTokenError: jwt malformed
r

rp

12/13/2022, 7:58 AM
Can you paste the token here?
p

productdevbook

12/13/2022, 7:58 AM
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0=.eyJzZXNzaW9uSGFuZGxlIjoiMmE0YmRiNGYtYzE2Ni00NGJiLThkZDYtNDFiN2ZkZDI5NmM5IiwidXNlcklkIjoiZmUxZGQ2OGMtNjc3NS00MzViLWE2OTgtYzFiNGUyOTk1NzAyIiwicmVmcmVzaFRva2VuSGFzaDEiOiIzNTYwNjdlM2E3Y2RhMjNhMjQzMTFiMGFlYThjMmRhODI4ZjhhMWU3NzJkYzhlMWI5M2E4NjQzYjRlMDRmMzAwIiwicGFyZW50UmVmcmVzaFRva2VuSGFzaDEiOm51bGwsInVzZXJEYXRhIjp7Imp3dCI6ImV5SnJhV1FpT2lJd056STFNR1UzT0MwM1pqTTVMVFJtTVRrdFlqWmhaQzFsWWpCbFkyWmhZalppTWpFaUxDSjBlWEFpT2lKS1YxUWlMQ0poYkdjaU9pSlNVekkxTmlKOS5leUp6ZFdJaU9pSm1aVEZrWkRZNFl5MDJOemMxTFRRek5XSXRZVFk1T0Mxak1XSTBaVEk1T1RVM01ESWlMQ0pwYzNNaU9pSm9kSFJ3T2k4dmJHOWpZV3hvYjNOME9qTXdNREV2WVhWMGFDSXNJbVY0Y0NJNk1UWTNNRGt5TVRreE55d2lhV0YwSWpveE5qY3dPVEU0TWpnMmZRLlNSTzdaTUNvbzFHNWNFWWZOdG1jRGRWRjdLZHdKSDJxLUtIMXM1eTBkZGt1bDRvNVVLQ01MUkhZZDdES2tzNDVwbnB1VzJaY0JHZVMwaFpxam11b2JrQktSWW9jcFRKTjdiNnYtOGt3czBsZHY2RFdMTk5mSlplQmlPSHlSS1E4OUo4ZXYwTVpFcW1HM2VPNUUxdjhCMHJNeFVKbk1VVHQtYjNmaTA2VGY1UzJTZy1VQkFaWkhPbHhHemVtYWU4eWliM1FDc1kzX1VIMkpPVGJRZnZVbDVmN0h2UjVQUi1QQ2ZWMkltWUFVckNReGp4WVdjZmtETXdZWDlfMXp5ZHN0NmNCV3dIV2J5WlRtTTZrdjFXbldwTDJzbUFJYklvMzhHdmdScE1xbUN1ai0wSVowcGUxT05SWHdyaEJxWW5zYWVQX2x4NzZQMWhhTWFwTWlpMFFOQSIsIl9qd3RQTmFtZSI6Imp3dCJ9LCJhbnRpQ3NyZlRva2VuIjpudWxsLCJleHBpcnlUaW1lIjoxNjcwOTIxODg2OTIxLCJ0aW1lQ3JlYXRlZCI6MTY3MDkxODI4NjkyMSwibG1ydCI6MTY3MDkxODI4NjkyMX0=.PCde9q7C173dbbR17ICZu2lgtp/rPpHWvMinF5rbhAS+YFfOCcopvjQImLPjKCH2zOZPO/wRPk2n7FTvAJo42kpWg0RGiv9X7MYA5UCYwylYCJZI6zGZvJi2te1XV+MU2hAMuuM5TbcwdHWmPVFCAl5PtfMAH7R8UpnBei4cma0TZN1nRsK73hesQsVHSknDBOw4dYDBCRRfz78Fi1GnBYU9XMpf1e/WTcDfMMq1WZI31NnmzYVIsH6o7EBKM3g+eat3O2P+6hFTKlp7fafA2xqb+gFFJqd+SqiHOlX2peCQpRc0PDDFp/zgADVhAXHbug1cc4b5vjjOAtUdDY5JiQ==
r

rp

12/13/2022, 7:59 AM
right. So you are giving it the sAccessToken
you need to give it the authorization bearer token from the request
the thing you added on the frontend when querying this API
p

productdevbook

12/13/2022, 8:01 AM
this ?
same token
r

rp

12/13/2022, 8:01 AM
no.
so on the frontend, you add the JWT to the request right?
as an authorization bearer token
correct?
p

productdevbook

12/13/2022, 8:02 AM
yes
r

rp

12/13/2022, 8:02 AM
so you should read that on the backend from the request and use that as the token for the JWT verification
p

productdevbook

12/13/2022, 8:02 AM
ts
   if (ctx.headers.authorization) {
            let authHeader = ctx.headers.authorization
            authHeader = Array.isArray(authHeader) ? authHeader[0] : authHeader

            const authHeaderParts = authHeader.split(' ')
            if (authHeaderParts.length === 2 && authHeaderParts[0] === 'Bearer') {
              const accessToken = authHeaderParts[1]
              verifyToken(accessToken)
         
            }
          }
and back
r

rp

12/13/2022, 8:03 AM
right yea
p

productdevbook

12/13/2022, 8:03 AM
this same
r

rp

12/13/2022, 8:03 AM
are you querying the APi using postman?
i mean testing the API using postman*
p

productdevbook

12/13/2022, 8:04 AM
no nuxt reload page and backend console see
r

rp

12/13/2022, 8:04 AM
im not sure how to make this more clear
but you are passingt he sAccessToken to the JWT verification which will get that issue about JWT malformed
you need to see your code about which token you are passing where
the authorization bearer token is the JWT not the sAccessToken
p

productdevbook

12/13/2022, 8:30 AM
ts
     Session.init({
        jwt: {
          enable: true,
        },
      }),
and login
sAccessToken -> this jwt thats true
r

rp

12/13/2022, 8:33 AM
sAccessToken is not the JWT. The JWT is in the sAccessToken payload which you extract on the frontend and pass the authorization header to the backend
p

productdevbook

12/13/2022, 8:37 AM
hmm
const jwt = await Session.getAccessTokenPayloadSecurely().jwt
only get jwt
clinet and send server
eyJraWQiOiIwNzI1MGU3OC03ZjM5LTRmMTktYjZhZC1lYjBlY2ZhYjZiMjEiLCJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJmZTFkZDY4Yy02Nzc1LTQzNWItYTY5OC1jMWI0ZTI5OTU3MDIiLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjMwMDEvYXV0aCIsImV4cCI6MTY3MDkyMzg2MywiaWF0IjoxNjcwOTIwMjMyfQ.faEnRZMQDV_OpGb0B8hWJZNd8YmaRBWPIiVP5VSrrud6db92htxTKza7PiAAYGfFE6jzBr_EILy3PEXGwpVGzisaERqcyi09nCIwjngDhuW9S8HCsjKpwW75EWyylUAYtsYsa63ggnyGBhP2r9NOlrSb92OwrYT_eNRe-EFZjLbkXsh69NNZAhngzqnNBf3o6G2zEpqLsq3UmL8P_321fKDL6T1cZj3J_4bdPsmwwmruOqtxHgEGsulokUx_IMBhE_oqzTTKPYhnSMF9JGZaaX2kaZ50Mx8uLkBcQwEyMthsJZ-pmH9MUH75azXG_t6TaX5vxkUa8MCmIjSogoh1eg
this
The big problem is I can't figure out how to send it with nuxt 3. Because graphql structure I can't get it in advance.
r

rp

12/13/2022, 8:42 AM
are you talking about server side rendering?
cause for SSR, you will have to use cookies - in which case, you can use the getSession function.
p

productdevbook

12/13/2022, 9:31 AM
how to login after save 
getAccessTokenPayloadSecurely
jwt save cookie ?
why not retroactive direct jwt freeze
After logging in, if we save the cookie without the need for jwt http secure, the problem will disappear.
After all, you don't need http secure for jwt, right?
r

rp

12/13/2022, 9:34 AM
i don't think i understand your question here.
anyway, hope you can figure it out 🙂
p

productdevbook

12/13/2022, 9:35 AM
Why is jwt direct cookie not saved after login even though I selected jwt?
r

rp

12/13/2022, 9:36 AM
Cause if you want to use cookie based auth, you don't need to use JWT. just use the sAccessToken and use the getSession function we have. That's all
p

productdevbook

12/13/2022, 9:36 AM
Shouldn't jwt be registered here directly?
r

rp

12/13/2022, 9:36 AM
no
cause the purpose the JWT is different
p

productdevbook

12/13/2022, 9:36 AM
how to only jwt used ?
r

rp

12/13/2022, 9:37 AM
we don't have an option (yet) of how to only get JWT in cookies
we provide the sAccessToken which can be used along with our SDK
So maybe just use that instead of using the JWT method
p

productdevbook

12/13/2022, 9:38 AM
I can't use it because access to it is late on the client side in ssr and the api sends a request without waiting for it.
this is why jwt and other cookies are not received
r

rp

12/13/2022, 9:39 AM
what do you mean access to is late?
p

productdevbook

12/13/2022, 9:39 AM
ts
import {
  ApolloClient,
  InMemoryCache,
  createHttpLink,
} from '@apollo/client/core/index.js'
import {
  DefaultApolloClient,
  provideApolloClient,
} from '@vue/apollo-composable/dist/index.esm.js'
import Session from 'supertokens-web-js/recipe/session'
import SuperTokens from 'supertokens-web-js'
import ThirdPartyEmailPassword from 'supertokens-web-js/recipe/thirdpartyemailpassword'
import { defineNuxtPlugin } from '#app'

export default defineNuxtPlugin(async (nuxtApp) => {
  let token = ''
  console.log('1')
  nuxtApp.hook('app:mount
ed', async () => {
    console.log('2')
    SuperTokens.init({
      appInfo: {
        apiDomain: 'http://localhost:3001',
        apiBasePath: '/auth',
        appName: 'aa',
      },
      recipeList: [
        Session.init(),
        ThirdPartyEmailPassword.init(),
      ],
    })
    console.log('3')

    Session.getAccessTokenPayloadSecurely().then((payload) => {
      token = payload.jwt
    })
    console.log('4')
  })
  console.log('5')

  const httpLink = createHttpLink({
    credentials: 'include',
    uri: 'http://127.0.0.1:3001/graphql',
    headers: {
      authorization: `Bearer ${token}`,
    },
  })

  const cache = new InMemoryCache()

  let apolloClient: ApolloClient<any>

  if (process.server) {
    console.log('6')
    apolloClient = new ApolloClient({
      ssrMode: true,
      link: httpLink,
      cache,
    })
    nuxtApp.hook('app:rendered', () => {
      nuxtApp.payload.data.apollo = apolloClient.extract()
    })
  }
  else {
    console.log('7')
    apolloClient = new ApolloClient({
      link: httpLink,
      cache,
      ssrForceFetchDelay: 100,
    })
  }

  provideApolloClient(apolloClient)
  nuxtApp.provide('$apollo', { DefaultApolloClient, apolloClient })
})
r

rp

12/13/2022, 9:39 AM
once you login, we add the sAccessToken to the cookies
which would be sent on each API call
p

productdevbook

12/13/2022, 9:40 AM
I gave console.log numbers, you can understand from here
9-vue-index
-> index.vue data send
r

rp

12/13/2022, 9:40 AM
im not sure why you even need to do this: 
Session.getAccessTokenPayloadSecurely().then((payload) => {
      token = payload.jwt
    })
the access token cookie should go in the request header
which the browser would add automatically
if that's not happening, you should see why.
you really don't need to use the authorization header at all
it's much simpler with just cookies and the getSession function.
what is the value of apiDomain that you have set in supertokens.init?
p

productdevbook

12/13/2022, 9:45 AM
backend
r

rp

12/13/2022, 9:46 AM
and on the frontend?
p

productdevbook

12/13/2022, 9:46 AM
SuperTokens.init({
      appInfo: {
        apiDomain: 'http://localhost:3001',
        apiBasePath: '/auth',
        appName: 'aaa',
      },
      recipeList: [
        Session.init(),
        ThirdPartyEmailPassword.init(),
      ],
    })
r

rp

12/13/2022, 9:46 AM
right. So the reason the cookies don't go is cause you have set this to localhost, but the graphql is being queried via 127.0.0.1.
So either change the apiDomain on frontend and backend to 127.0.01:3001, or then change the graphql requests to use localhost:3001
p

productdevbook

12/13/2022, 9:52 AM
all change localhost -> 127.0.01
r

rp

12/13/2022, 9:52 AM
did you sign in?
p

productdevbook

12/13/2022, 9:54 AM
yes
r

rp

12/13/2022, 9:54 AM
are you sure?
p

productdevbook

12/13/2022, 9:54 AM
logout and re login
dont fixed
r

rp

12/13/2022, 9:54 AM
whats the cookie store on the frontend after you logged in?
p

productdevbook

12/13/2022, 9:56 AM
🔥
r

rp

12/13/2022, 9:56 AM
ok great!!
p

productdevbook

12/13/2022, 9:56 AM
Thank you very much, very very much
r

rp

12/13/2022, 9:56 AM
now on thje backend, you can use the getSession function like you were before
p

productdevbook

12/13/2022, 9:57 AM
👏
r

rp

12/13/2022, 9:58 AM
so it works?
p

productdevbook

12/13/2022, 9:59 AM
yes
r

rp

12/13/2022, 9:59 AM
nice
p

productdevbook

12/13/2022, 10:03 AM
const session = await Session.getSession(ctx.req, ctx.reply)
          await verifyToken(session.getAccessTokenPayload().jwt)
now token verify working 👏
r

rp

12/13/2022, 10:46 AM
right. So you don't need to call 
verifyToken
at all.. cause 
Session.getSession
does verification.
and you can even disable the JWT config
#support-questionsJoin Discord
Powered by