
kuzyaross

12/20/2022, 5:55 AM
Hi. Is there any way to change the expiration time of tokens depending on the way the session was created? Now a user gets their session using auth/signinup/code, then sends the OTP (we use the passwordless recipe) to auth/signinup/code/consume, which gives them tokens. This works fine, but now we want users of the mobile app which we are developing to have tokens which will expire after a day, not after several hours as now. TIA.

nkshah2

12/20/2022, 5:59 AM
Hi @kuzyaross At the moment that's not possible. Out of curiosity though, why would you need this?
If you use the mobile SDKs, they will handle auto refreshing for you, in which case a shorter access token expiration would not be a problem.

kuzyaross

12/20/2022, 6:21 AM
Hi @nkshah2 Thank you for your answer. In addition to the fact that mobile app users shouldn't constantly re-enter using the app, we want to understand what session was issued from the mobile app to limit access to certain roles. For example, the mobile app cannot be used by an organization administrator (business logic). If auto refresh is done by the mobile SDK, the question arises: is it possible to define another path auth/mobile/signup/code that does the same thing as the default auth/signup/code, only I can limit the roles that can use this path?
So there will be 2 routes - auth/mobile/signup/code (for mobile app) and auth/signup/code (for other)

nkshah2

12/20/2022, 6:23 AM
You could send additional information in the request for mobile users and then set different roles for that user using the overrides feature in the backend SDKs.
That way you won't have to maintain duplicate routes.
For example, you could send a custom header or request body property for mobile users, then override the auth/signup/code API to consume that information and do some custom logic.
But yes, it is possible to create your own route and then call the function exposed by the Passwordless recipe, which will do the same thing as the default API.
But I would recommend the override approach.

kuzyaross

12/20/2022, 6:28 AM
Oh, I see. How can I add business logic to auth/signup/code?

nkshah2

12/20/2022, 6:29 AM
Are you using NodeJS on the backend?

kuzyaross

12/20/2022, 6:29 AM
Django

nkshah2

12/20/2022, 6:34 AM
Right, I'm not too familiar with Python syntax but I can help explain what you would want to do: On your backend you would want to override the /signinup/code/consume API (refer to this for overrides: https://supertokens.com/docs/passwordless/advanced-customizations/apis-override/usage). This API is responsible for signing up users after they enter the code. In this API, check if the request contains the custom header/body property that your mobile users would send. If it contains it, you can set different roles than the ones you normally would for this user.
When overriding the API, you have access to an api_options variable which the API receives as an input. This will allow you to read the original request and any custom properties you may have set.

kuzyaross

12/20/2022, 6:38 AM
Thank you! It helps a lot 🥰

nkshah2

12/20/2022, 6:38 AM
Happy to help! Feel free to reach out if you face any issues setting this up