Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
d
d3adb0y
12/20/2022, 3:13 PMHowdy again folks. I am doing some API testing right now using Postman to ensure that my FastAPI path operations are validating that the user has the required roles. I created a JWT token using the docs, however I am getting a 401 response when trying to hit any of the endpoints. I set a base FastAPI dependency of verify_session().
n
nkshah2
12/20/2022, 3:45 PMHi
Can I see the backend config?
d
d3adb0y
12/20/2022, 3:47 PMi think i figured out what i was doing wrong. in my Depends statement I was passing the result of verify_session() instead of the callable
but in terms of UserContext, JWT does not provide that. So I am just mocking the expected roles to simulate the validation.
n
nkshah2
12/20/2022, 3:48 PMSo the backend APIs use cookies to verify sessions, have you checked the testing with postman docs?
d
d3adb0y
12/20/2022, 3:49 PMOh no I didn't know there were docs on that
n
nkshah2
12/20/2022, 3:49 PMI can point you to it, what recipe are you using?
d
d3adb0y
12/20/2022, 3:50 PMall good, i can find it ๐
ty
n
nkshah2
12/20/2022, 3:50 PMAwesome, in case you dont spot it itโs a separate section in the recipe docs
In the sidebar
d
d3adb0y
12/21/2022, 5:43 AMI think I'm still stuck on this actually
the doc sections related to postman are for validating the recipe API endpoints
im wondering how can i authenticate to my backend API using JWT or API keys
n
nkshah2
12/21/2022, 5:44 AMSo you want to enable using JWTs for the session recipe
d
d3adb0y
12/21/2022, 5:44 AMyes. and i saw that info in the docs.
n
nkshah2
12/21/2022, 5:44 AMThis would generate a JWT in the session data that you can then use
Alright so you have that set up right?
d
d3adb0y
12/21/2022, 5:45 AMyes
session.init(
jwt=session.JWTConfig(
enable=True,
# issuer=f'{api_domain}{api_base_path}'
)
),
do i need issuer set?
should that be the supertokens core URL or the API url
n
nkshah2
12/21/2022, 5:46 AMSo a couple things:
- Yep you need to set the issuer to match the api domain and base path with the ones you use in supertokens init
- SuperTokens does not verify JWTs, you would have to build this yourself
Nope, the one you used in your backend when you initialised SuperTokens
apiDomain and apiBasePath
Oh im guessing thats python?
d
d3adb0y
12/21/2022, 5:46 AMso what does adding JWConfig to the session init func do
yeap python sdk
for supertokens
n
nkshah2
12/21/2022, 5:47 AMWith enable true, it will store the jwt in your session data and provide an API endpoint that is used by JWKS verifiers to fetch the public key to verify the JWT
d
d3adb0y
12/21/2022, 5:47 AMah i see
n
nkshah2
12/21/2022, 5:47 AMSo for example if you were to use auth0's library to verify the JWT, you can provide it with a jwks endpoint which would be an PAI exposed by the JWT recipe
d
d3adb0y
12/21/2022, 5:48 AMright
basically i just want a way to hit my APIs via Postman
without having to toggle auth on or off
i generated a JWT against the SuperTokens core api but that is not accepted by my app
n
nkshah2
12/21/2022, 5:49 AMSo unless you absolutely need to use JWTs, I would recommend going with cookies. But if you want to stick with JWTs, you would need to add some custom middleware to your backend to verify the JWT and use that instead of the verifySession middleware that SuperTokens provides
d
d3adb0y
12/21/2022, 5:50 AMcookies would work with postman?
assuming i had a valid browser session
n
nkshah2
12/21/2022, 5:51 AMYep the docs should explain how, also you can trigger the sign up flow from postman itself and cookies would still work
d
d3adb0y
12/21/2022, 5:51 AMhm
n
nkshah2
12/21/2022, 5:51 AMThe only thing that wont work is auto refreshing of the session since thats something our frontend SDKs would do normally
But manually calling refresh and then retrying will still work
d
d3adb0y
12/21/2022, 5:51 AMlet me see if that works one second
also thanks again for the help
you guys have one of the most active communities ive seen for a project
n
nkshah2
12/21/2022, 5:52 AMThanks for the kind words! and we are happy to help
Let us know if you have any issues
d
d3adb0y
12/21/2022, 5:53 AMohhh
i see
so it spits out the JWT in the user info
n
nkshah2
12/21/2022, 5:54 AMYep as part of the access token payload
d
d3adb0y
12/21/2022, 5:54 AMyeah thats not a bad compromise
lemme try it
n
nkshah2
12/21/2022, 5:54 AMBut you stick to cookies you dont even need to enable JWTs unless you need to integrate with a service that requires JWTs
Plain cookie based auth will work just fine between your frontend and backend
d
d3adb0y
12/21/2022, 5:54 AMok ill test with just cookies
worked like a charm
n
nkshah2
12/22/2022, 4:27 AMAwesome