Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
r
ronflai
12/20/2022, 10:28 PMHello everyone ! I'm trying to setup supertokens with appsync but I have trouble to make it works. I created a lambda with this code https://supertokens.com/docs/passwordless/serverless/with-aws-lambda/authorizer#2-add-code-to-the-lambda-function-handler and I added a new authorization provider in appsync with this lambda authorizer. Then when I try to test it by using the queries tool in aws console appsync with as authorization token the user_id I got in my front end app after successfully logged in I got the following error message:
{
"errors": [
{
"errorType": "AuthorizerFailureException",
"message": "The adapter was unable to infer a handler to use for the event. This is likely related to how the Lambda function was invoked. (Are you testing locally? Make sure the request payload is valid for a supported handler.)"
}
]
}n
nkshah2
12/21/2022, 5:07 AMHi
@porcellus might be able to help, he’ll be in later today
p
porcellus
12/21/2022, 8:59 AMHi, I'm not sure how the queries tool work, but using the userId as an authorization token doesn't sound right. You could try the access-token, but I'm not sure if it'll work as the authorizer uses cookies from the request.
r
ronflai
12/21/2022, 9:14 AMHello @porcellus Thanks for the answer ! So If I understand well, the lambda authorizer use cookies from the request to validate the authentication ? Im' not sure to understand because in the code I linked the
user_idgenerate_allowWhat should I do in my react app then to send the right property in my graphql calls ?
p
porcellus
12/21/2022, 9:58 AMif the react app is using our SDK, it's handled automatically
it sends the access-token
about the authorizer and cookies: the authorizer uses the cookies of the request to get/check the access token which contains the userid that you can use in generate_allow
r
ronflai
12/21/2022, 11:45 AMWe are using different domain for front and back, and on my front end app I can see se set-cookie header in response to the consume call and I can even see the
sAccessTokensAccessTokensRefreshTokenp
porcellus
12/21/2022, 12:16 PMIt's most likely just not showing up in the dev tools, because by default it only shows the cookies of the current domain.
r
ronflai
12/21/2022, 12:36 PMok buy why when I do ```const accessTokenPayload = await Session.getAccessTokenPayloadSecurely();
const customClaimValue = accessTokenPayload.customClaim
console.log("accessTokenPayload: ", accessTokenPayload)
console.log("customClaimValue: "), customClaimValue```I got
{}undefinedp
porcellus
12/21/2022, 2:26 PMOh sorry, I missed this notification. How did you add
customClaimr
ronflai
12/21/2022, 2:28 PMI don't have custom claim sorry but I should be able to see the access token ? why do I get an empty object ?
p
porcellus
12/21/2022, 2:29 PMThis is the access token payload, not the entire access token. We use HTTP-only cookies to store the token for security reasons
r
ronflai
12/21/2022, 2:31 PMwhat does it mean ? That I can't log the access token in the console ? Btw I also try to call
await Session.attemptRefreshingSession();p
porcellus
12/21/2022, 2:33 PMYeah, your front-end code doesn't have access to it.
By default. You can potentially change how these things work if necessary.
Oh, and if you have a valid session, you should not get a 401. That's something we could investigate. What does the response look like? (body/response headers)
r
ronflai
12/21/2022, 2:58 PMThis is for the consume call:
p
porcellus
12/21/2022, 3:01 PMThis is looking ok
r
ronflai
12/21/2022, 3:05 PMAnd I don't know why but I don't see the refresh call in the network
p
porcellus
12/21/2022, 3:06 PMWell, attemptRefreshingSession should always call that
r
ronflai
12/21/2022, 3:07 PMbut what I can see is the response from my API to the refresh:
{
"statusCode": 401,
"headers": {
"content-length": "26",
"id-refresh-token": "remove",
"access-control-expose-headers": "id-refresh-token",
"content-type": "application/json; charset=utf-8",
"access-control-allow-credentials": "****",
"access-control-allow-origin": "http://localhost:3001",
"vary": "Origin"
},
"multiValueHeaders": {
"set-cookie": [
"sAccessToken=\"\"; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/; SameSite=none; Secure",
"sIdRefreshToken=\"\"; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/; SameSite=none; Secure",
"sRefreshToken=\"\"; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/session/refresh; SameSite=none; Secure"
]
},
"body": "{\"message\":\"unauthorised\"}",
"isBase64Encoded": false
}Ok I finaly found the request in my network
So this is the refresh request:
General:
Request URL: https://staging.api.lizy.io/auth/api/session/refresh
Request Method: POST
Status Code: 401
Remote Address: 54.192.111.7:443
Referrer Policy: strict-origin-when-cross-origin
Response Headers:
access-control-allow-credentials: true
access-control-allow-origin: http://localhost:3001
access-control-expose-headers: id-refresh-token
content-length: 26
content-type: application/json; charset=utf-8
date: Wed, 21 Dec 2022 15:16:54 GMT
id-refresh-token: remove
set-cookie: sAccessToken=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/; SameSite=none; Secure
set-cookie: sIdRefreshToken=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/; SameSite=none; Secure
set-cookie: sRefreshToken=""; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Path=/session/refresh; SameSite=none; Secure
vary: Origin
via: 1.1 d3dc7fce70a4cf01f01f6bf06755098c.cloudfront.net (CloudFront)
x-amz-apigw-id: dgJ4HFaqFiAFYlA=
x-amz-cf-id: ZMSacDcpMOL7FEoAkKlZhV4NMTXGVcmWgI3ekY3gUZS8XUZOmVr8oQ==
x-amz-cf-pop: MRS52-P2
x-amzn-remapped-content-length: 26
x-amzn-requestid: 822ea0b4-3143-4aa0-88b9-e61d66b514da
x-amzn-trace-id: Root=1-63a32366-167c0d65779e98173ef0df8a;Sampled=0
x-cache: Error from cloudfront
Response:
{"message":"unauthorised"}p
porcellus
12/21/2022, 3:23 PMI'll check it out in a few minutes
It looks like the backend SDK is not getting the cookies. Can you also show the request headers?
r
ronflai
12/21/2022, 3:35 PMyes
authority: staging.api.lizy.io
:method: POST
:path: /auth/api/session/refresh
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
cache-control: no-cache
content-length: 0
cookie: sAccessToken="eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0%3D.eyJzZXNzaW9uSGFuZGxlIjoiZmMyYTYwMjAtNjg4MC00ZGM2LTlmMDQtZTcyZDk2MjcwMWI0IiwidXNlcklkIjoiOGQ3NzcxZjgtYmU1Ni00YTBmLTlkMGUtMTkyZDMxNGFlZGE3IiwicmVmcmVzaFRva2VuSGFzaDEiOiJlM2RiNWQ0MThhMzc0MzI1NjM1ZmYwYzMzMTA1YmE1NmJlYTI0Y2VlYWI0MzEzZTAzZDllNDAzMzU4ODA4MDZmIiwicGFyZW50UmVmcmVzaFRva2VuSGFzaDEiOm51bGwsInVzZXJEYXRhIjp7fSwiYW50aUNzcmZUb2tlbiI6bnVsbCwiZXhwaXJ5VGltZSI6MTY3MTY0MDYyNjYwOSwidGltZUNyZWF0ZWQiOjE2NzE2MzcwMjY2MDksImxtcnQiOjE2NzE2MzcwMjY2MDl9.G6IfZRX9pm9RlMZKz4Gmq6v7mDg9iQH9GokcYJGikfzCi9I5xNmqdOUohzDstd7dFY8siqKTCoibUnFjqpJGSHlgoLiC7YFia2ssBz6bFaEH9PPYtiRPVpFf/ijw6S7UzlQTIzvhkApqIz1tLwe7FDEiRf8Csv5qwOa0b60YLZXJl/3nbWN5X%2BZgW6QiczOdRED%2BfaZdZ54CBedHXOsgrAhvX1dYJoihoiuf9E4VKe0o5mH3irW2cSMCuacmnBucS6ETokcjf2VDhccy2uzYMoPwNWIyyReexHgYRityMpTcJnihO3nmMZDYsWKvJiAbBRIFmZBOnUZha9q8mBvYLA%3D%3D"; sIdRefreshToken=d100f5a1-69bd-4fb6-bd55-9bc554bacbb4
fdi-version: 1.8,1.9,1.10,1.11,1.12,1.13,1.14,1.15
origin: http://localhost:3001
pragma: no-cache
referer: http://localhost:3001/
rid: session
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Brave";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
sec-gpc: 1
user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36this is the request headers
p
porcellus
12/21/2022, 3:47 PMYou seem to be missing this setting: https://supertokens.com/docs/emailpassword/appinfo#apigatewaypath-optional
r
ronflai
12/21/2022, 3:50 PMIt has to be set on the back or the front end config ? or both ?
And why the create code and the verify requests works but not the refresh one ?
p
porcellus
12/21/2022, 3:57 PMcreate/consume code and others like it work, because I assume you've set the
apiBasePathverify calls work because the access token cookie is sent with every request to the backend domain
refresh fails to work because the
apiBasePathr
ronflai
12/21/2022, 3:59 PMalright I got it. Thanks for the investigation and the answers. I 'll test it and tell you if t's work !
p
porcellus
12/21/2022, 4:05 PMhappy to help 🙂
r
ronflai
12/21/2022, 4:35 PMI tried to add
api_gateway_path=f"/{get_current_stage()}"api_domainapi_domain = (
"https://api.lizy.io"
if get_current_stage() == Stage.PROD
else f"https://{get_current_stage()}.api.lizy.io"
)to have better view I'll share my front end and backend conf
This is the front end conf :
SuperTokens.init({
appInfo: {
apiDomain:
process.env.BACKEND == "production"
? "https://api.lizy.io"
: "https://staging.api.lizy.io",
apiBasePath: "/auth/api",
appName: "Lizy authentication",
},
recipeList: [Session.init(), Passwordless.init()],
});and the backend config:
api_domain = (
"https://api.lizy.io"
if get_current_stage() == Stage.PROD
else f"https://{get_current_stage()}.api.lizy.io"
)
website_domain = (
"https://www.lizy.be" if get_current_stage() == Stage.PROD else "https://staging.www.lizy.be/"
)
init(
app_info=InputAppInfo(
app_name="Lizy authentication services",
api_domain=api_domain,
website_domain=website_domain,
api_base_path="/",
website_base_path="/auth",
),
supertokens_config=SupertokensConfig(
connection_uri= ********,
api_key= ********
),
framework="fastapi",
recipe_list=[
session.init(cookie_same_site="none"),
passwordless.init(
flow_type="MAGIC_LINK",
contact_config=ContactEmailOnlyConfig(),
),
],
mode="asgi",
)and in the backend the
api_base_pathhandler = Mangum(app, api_gateway_base_path="/auth/api")p
porcellus
12/21/2022, 5:07 PMthis isn't really about staging environments - the
apiBasePathin this case it looks like you should add
/auth/apir
ronflai
12/21/2022, 5:17 PMi figured out when I sent the message to you ^^
Thanks for the help the refresh token is working. Do you have any idea on what to do next to integrate with appsync and securing grapqhl call ?
p
porcellus
12/21/2022, 5:30 PMThe last time I tried it, all I did was what we wrote here: https://supertokens.com/docs/passwordless/serverless/with-aws-lambda/appsync-integration
I mean I never tried to use the query tool in aws, I just started using the frontend