I'm logged out after using supertokens with multip...
# support-questions-legacy
c
I'm logged out after using supertokens with multiple api endpoints ( https://supertokens.com/docs/passwordless/common-customizations/sessions/multiple-api-endpoints)
r
hey @crro
c
sorry adding more context
r
can you elaborate more? Is the issue reproducible?
c
yes, so after I added the cookie domain to be
.example.com
to my nextjs app in both my frontend and backend config
and then having a full configuration in my new api that is a go api using gin, living in api.example.com
after the refresh token expires, i am logged out of the app
In the documentation it wasn't clear if I had to write a full config in my api, so I did
r
hmm. What are the refresh API request headers and response code?
c
not sure if that is causing the problem
r
also, what do you mean by "write a full config in my api"?
c
so the docs have this
```go
import (
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func main() {
    cookieDomain := ".example.com"

    supertokens.Init(supertokens.TypeInput{
        RecipeList: []supertokens.Recipe{
            session.Init(&sessmodels.TypeInput{
                CookieDomain: &cookieDomain,
            }),
        },
    })
}
```
and I assumed that that was for the go api that lives in api.example.com
but I have
```go
import (
    "os"

    "github.com/supertokens/supertokens-golang/recipe/passwordless"
    "github.com/supertokens/supertokens-golang/recipe/passwordless/plessmodels"
    "github.com/supertokens/supertokens-golang/recipe/session"
    "github.com/supertokens/supertokens-golang/recipe/session/sessmodels"
    "github.com/supertokens/supertokens-golang/supertokens"
)

func initSupertokens() {
    apiBasePath := "/api/auth"
    websiteBasePath := "/auth"
    // COOKIE_DOMAIN is ".example.com" in prod so session cookies are shared
    // between the Next.js app and the Go API on api.example.com
    cookieDomain := os.Getenv("COOKIE_DOMAIN")
    err := supertokens.Init(supertokens.TypeInput{
        Supertokens: &supertokens.ConnectionInfo{
            ConnectionURI: os.Getenv("SUPERTOKENS_CORE_URL"),
            APIKey:        os.Getenv("SUPERTOKENS_CORE_API_KEY"),
        },
        AppInfo: supertokens.AppInfo{
            AppName:         "mirio",
            APIDomain:       os.Getenv("SUPERTOKENS_API_DOMAIN"),
            WebsiteDomain:   os.Getenv("SUPERTOKENS_WEBSITE_DOMAIN"),
            APIBasePath:     &apiBasePath,
            WebsiteBasePath: &websiteBasePath,
        },
        RecipeList: []supertokens.Recipe{
            passwordless.Init(plessmodels.TypeInput{
                FlowType: "USER_INPUT_CODE",
                ContactMethodEmail: plessmodels.ContactMethodEmailConfig{
                    Enabled: true,
                },
            }),
            session.Init(&sessmodels.TypeInput{
                CookieDomain: &cookieDomain,
            }), // initializes session features
        },
    })
    if err != nil {
        panic(err.Error())
    }
}
```
r
right. So you need to modify the
initSupertokens
config only
c
maybe the double initialization is causing the problem?
hmm not sure I follow
my app lives in vercel, I use next.js
and I wanted to make a new api to get around some of their limits, but I want to be able to call GetSession().GetUserID() in my go api
I assumed I also had to initialize supertokens in the go api, is that not the case?
r
> I assumed I also had to initialize supertokens in the go api, is that not the case? Yea that's true. Because you want to do GetSession().GetUserID()
can i see the refresh API request headers and response status code?
c
It's going to take me some time to reproduce
but yes
r
sure
c
so when I send a PUT I get back {"message":"try refresh token"}
this is after I'm already logged out
r
a quick way to make it refresh is to delete the sAccessToken on the frontend's cookie store and then call some API that does session verification
c
ah
great idea
got it
what do you want to see?
r
request headers and response status code
c
response headers
access-control-allow-credentials: true
access-control-allow-origin: http://localhost:3000
access-control-expose-headers: id-refresh-token
cache-control: no-cache, no-store, max-age=0, must-revalidate
content-length: 26
content-type: application/json; charset=utf-8
date: Fri, 30 Dec 2022 11:49:53 GMT
etag: "1a-iIm2HzPSwwRY7J6XT9TGrQdj86E"
id-refresh-token: remove
server: Vercel
set-cookie: sAccessToken=; Domain=.mirio.org; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax
set-cookie: sRefreshToken=; Domain=.mirio.org; Path=/api/auth/session/refresh; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax
set-cookie: sIdRefreshToken=; Domain=.mirio.org; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; Secure; SameSite=Lax
strict-transport-security: max-age=63072000
vary: Origin
x-matched-path: /api/auth/[[...path]]
x-vercel-cache: MISS
x-vercel-id: cdg1::iad1::wws68-1672400993592-81565adb5a4b
and status code
Request URL: https://mirio.org/api/auth/session/refresh
Request Method: POST
Status Code: 401
Remote Address: 76.76.21.21:443
Referrer Policy: strict-origin-when-cross-origin
r
right. And request headers?
c
and now I'm logged out
ahhh
:authority: mirio.org
:method: POST
:path: /api/auth/session/refresh
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8,fr;q=0.7
content-length: 0
cookie: sRefreshToken=5Xqpp%2Bj30OHw77aTy4B9pOEeTyqxTwuVhmcvw12WGi0yTJeM0Epq4AviCOy2%2Ftgvt4SCDpcHpm1Y2jKSRkOkGzIZ8Y60IhyALHEpkOTAwoBXeso4wf3t%2BvKfw6PWQoaHv07vsX9mZy5EBqRkFDQYVrUO9rxMh3s507WOIhmtYb7ogYr0rHGorkEv%2BDwRCPJ5wm01wW%2BHNTjuxCXcvRljDSg5EAqtDZ7A4v3XHxcf8qEkPA69naLMZxYRwbLLP2zU3kSMc%2FZYihvvizbXdfXQmJhe2lhS9GmVPaVF179J4Im1UcLrF71PAR%2BxDvI4zvsbb0m8pqNYzqyO7O1CK2mPB%2FRPW3K3szVeuZCYt0iVgDD9OU6P1e63nuTYAS5djJ4expdQ0dZBcInNPnpq.a2712f3512443e8a5d1ae4b6b3ad575cf07ddda0a540b29c8613791476875037.V2; sRefreshToken=fUFGH%2FDNaOLD%2Fncf%2FKdQBaQzYtDtnQCtmWaWaKc6tzV08xyyLeSjmukUZj3WCzJ4%2FW7fyefI18s10i6YecEqOm7w05QvzHcBwiBWuL%2Bw9do3TrdO%2FuEZ8UR1P6GIzahLBUPB6VFasoVjqEJaSu3WOJS3fKhdFyCLEDaMiICiObvKcBkWYCMZMHm%2FsUEqPyzk%2B9LLbkkoD2%2Fem8KrjSG5uBen97Qyp5W6G1A4p8XeAtMgiIXhPGnCtdCS6tY5LzH%2BmIHZ5B9PUFtU0yXOK9NP.76eddcafdef0d4b709a5bd95685b71093b27067514311b2d4403ee4705a6a15f.V2; _ga=GA1.1.1547479551.1658211284; _ga_6VWK48TC98=GS1.1.1666991035.35.0.1666991035.0.0.0; sIdRefreshToken=8a7b073d-738c-4930-8eb2-8fc0baa1c9a8; sIdRefreshToken=64fb907a-60a1-4676-a10a-a43c09d573ca; sIRTFrontend=64fb907a-60a1-4676-a10a-a43c09d573ca; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDQ1MTc2MDUsInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672399772.76.1.1672400930.0.0.0
fdi-version: 1.8,1.9,1.10,1.11,1.12,1.13,1.14,1.15
origin: https://mirio.org
referer: https://mirio.org/create
rid: session
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
r
hmm so this seems fine
are there any errors in the supertokens core error logs when this call is being made?
c
also none of these interactions are using my new api
let me try it one more time to make sure I'm looking at the correct logs
r
yup
c
no errors
r
thats very strange
does the flow work without the cookieDomain setting?
without the new API?
c
what's even more odd is that it works locally
r
right. But does it work in prod without the cookieDomain config?
if you don't query the new API
c
hmm let me try
locally my cookie domain is localhost
not
.mirio.org
which is what it should be right?
r
yup
c
deploying change to prod
in a few min I should be able to test
ok now the access token has the domain mirio.org and I think that before it had .mirio.org
yep now it works
Request URL: https://mirio.org/api/auth/session/refresh
Request Method: POST
Status Code: 200
Remote Address: 76.76.21.21:443
Referrer Policy: strict-origin-when-cross-origin
r
hmm interesting
c
:authority: mirio.org
:method: POST
:path: /api/auth/session/refresh
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8,fr;q=0.7
content-length: 0
cookie: sRefreshToken=XdZCeItWYlUD48VQE4IVWnrBUrCRQif5Za6PfYXsHvVmlWcU6Sjv1YxKs9hR7%2F%2FIjuL2O18iK5oq1fi7zswl0IkUGnPYbER3jz8l28M6xkgIGZfvgw6RP4427eM2sbAzxeVDGjWd1wC6hn%2FZenF81GV3Tz1wK25FcsXT4%2F2ULUpej5%2Fhketo85DoTP5wQQXFnnOoujV0UfZ5%2FX%2FfPC5SrINC7hIE3weXm9%2F1kUBtXL1kP2EZuGIZ8Cd%2B7IkNupRcZTaLe8wAiomOL4VO3cfq.830bd3cd52572ab4556f1c94c62865569c5eabc2ce1ad1f3f4adf80396f927af.V2; _ga=GA1.1.1547479551.1658211284; _ga_6VWK48TC98=GS1.1.1666991035.35.0.1666991035.0.0.0; sIdRefreshToken=f7be95ac-509f-46fe-9812-392a7abdae85; sIRTFrontend=f7be95ac-509f-46fe-9812-392a7abdae85; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDUzOTQzMzksInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672399772.76.1.1672401830.0.0.0
fdi-version: 1.8,1.9,1.10,1.11,1.12,1.13,1.14,1.15
origin: https://mirio.org
referer: https://mirio.org/create
rid: session
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
r
might be a bug in our backend SDK - can you please open an issue about this in our golang repo?
c
this is my backend config
and my frontend config
r
oh. So you are using node in one API and golang in the other API?
c
yes
but this flow that we just did does not use the golang api
this was all node
r
right. And just setting the cookieDomain in the node server causes issues?
c
correct
I also had it set in my golang api
this is my config in my golang api
r
but was that being queried at all?
c
no, not the golang api
in the flow that initially failed and that now works after removing the cookie domain
r
can you add back the cookieDomain setting and try again? Without querying the golang server at all
c
ah interesting
ok
let me try that
should I log out
and then log in?
r
yes
c
ok now the cookie domain is
r
right
c
whereas before it was
r
ok
and does regular refreshing work?
if you don't query golang server at all
c
sorry about to do that
but it seems like I have two access tokens
is that normal?
trying regular refreshing
r
thats not normal
c
should I delete both?
r
yea. Just delete everything and try again
c
ok
r
yup
c
failed
Request URL: https://mirio.org/api/auth/session/refresh
Request Method: POST
Status Code: 401
Remote Address: 76.76.21.21:443
Referrer Policy: strict-origin-when-cross-origin
without hitting golang api
r
hmm. So just adding the cookieDomain value causes this?
c
```
:authority: mirio.org
:method: POST
:path: /api/auth/session/refresh
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8,fr;q=0.7
content-length: 0
cookie: sRefreshToken=tWCk6XQZXk9fY1JgRA80EtS62Fq%2FgI07E1sCxVyCHt1dUq1d6LbbHC0HgPvHxEJB%2FEHv%2Bz8zpc40AyLuZSs%2BE8%2BadnEuXoVkG%2BeKglbD27tb8tBOK8dz9Qvol25PufsSv6kQxoHx26HATPLPBMFbN9qDiDPAoCoEh9IBkkYrIrG0y8fF5%2BEnidtg6CVeTbJkeo5NVM3fPVoKkWiGkEiDIRAtBw2LjSAPOaOl0cL%2BdYirErm5bb1ZlY9hc289laW7%2FDQEMJrd7XvqwI9dx2YXXXRXlqKPN5Q8mEd2QnDILYgyVnaWItzO3fBR0AquduvKuXuYYUfJ3dO4FGoL6%2B%2BiXfWoHjZQXU44208FoCPCzPzy5LW7Up4%2BJksYpiYVresKvxIMhEtHoKHAtq%2Fq.c9f417c73d378d2ade5b2367012ba0bc937193eb8b80c4abcd9efd21cfc75b16.V2; sRefreshToken=TDXOxUPD1cOyqe%2BVwf2F7888%2FEpvJ%2BVGNi932lpGJI0LHcO%2BRTnRst4U8L54B7%2FZLsowNaZpJnk%2FGLCmyITMO2L2NFjLtSDLaFf6ygcInaS2yW4E%2BXhtARC%2FZ3ILuw5M4Iw4r51hE6AfU7Bq4C7UoEH%2BHXlZ7W%2FavzmI1eKdFW%2Bn8jQWfiO%2Fav3neBQliA1k9PE4l9SEL4nkieREYfo3TkA1ykuNUaAg67WwKYFKPiBKemba%2FG3v0ThQ%2F0JUMjCisnarf19nD5LZRTQsYoxw.384537965132daad8eaf11bb052a387028c1f820bede5b878cbebf3e0964e4ba.V2; _ga=GA1.1.1547479551.1658211284; _ga_6VWK48TC98=GS1.1.1666991035.35.0.1666991035.0.0.0; sIdRefreshToken=142da346-baf7-4891-8077-deb1eb0554f4; sIRTFrontend=142da346-baf7-4891-8077-deb1eb0554f4; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDYxMTgxNTksInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672399772.76.1.1672402543.0.0.0
fdi-version: 1.8,1.9,1.10,1.11,1.12,1.13,1.14,1.15
origin: https://mirio.org
referer: https://mirio.org/create
rid: session
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
```
req headers^
correct
but locally it works fine if the cookie domain is localhost
r
oh hmm. there are two refresh tokens
thats the problem
you need to clear all cookies
you can clear the refresh cookie by navigating to the refresh API path on your browser and you will see it
delete that and all other cookies and then login again and try
c
so I'm logged out
r
did you delete the refresh token cookie from the browser?
c
you want me to go to mirio.org/api/auth/session/refresh
r
yes correct
c
I deleted all cookies
r
yes
c
ok I get a 404 when I go there
Request URL: https://mirio.org/api/auth/session/refresh
Request Method: GET
Status Code: 404
Remote Address: 76.76.21.21:443
Referrer Policy: strict-origin-when-cross-origin
the only cookies in this site are
now should I log in?
r
yea so 404 is fine. But you should delete all cookies in there
and then you can try and login again and do the flow
c
ok
r
right
c
after requesting the code but before submitting it
r
thats fine
c
after submission
now deleted access token
still fails
Request URL: https://mirio.org/api/auth/session/refresh
Request Method: POST
Status Code: 401
Remote Address: 76.76.21.21:443
Referrer Policy: strict-origin-when-cross-origin
response: {"message":"unauthorised"}
r
what are the request headers?
c
:authority: mirio.org
:method: POST
:path: /api/auth/session/refresh
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8,fr;q=0.7
content-length: 0
cookie: sRefreshToken=tWCk6XQZXk9fY1JgRA80EtS62Fq%2FgI07E1sCxVyCHt1dUq1d6LbbHC0HgPvHxEJB%2FEHv%2Bz8zpc40AyLuZSs%2BE8%2BadnEuXoVkG%2BeKglbD27tb8tBOK8dz9Qvol25PufsSv6kQxoHx26HATPLPBMFbN9qDiDPAoCoEh9IBkkYrIrG0y8fF5%2BEnidtg6CVeTbJkeo5NVM3fPVoKkWiGkEiDIRAtBw2LjSAPOaOl0cL%2BdYirErm5bb1ZlY9hc289laW7%2FDQEMJrd7XvqwI9dx2YXXXRXlqKPN5Q8mEd2QnDILYgyVnaWItzO3fBR0AquduvKuXuYYUfJ3dO4FGoL6%2B%2BiXfWoHjZQXU44208FoCPCzPzy5LW7Up4%2BJksYpiYVresKvxIMhEtHoKHAtq%2Fq.c9f417c73d378d2ade5b2367012ba0bc937193eb8b80c4abcd9efd21cfc75b16.V2; sRefreshToken=frQIvzNPQ51nYQQt%2FNzDKF8wD%2BBj9zmhxoVhOetGVy4amXEQy7uGKrBKWqdm%2FqVIL5juBuYkOK3JTL1dOV39HFa%2BRbefXFeXJh7FCl8bCUX7cRvPdlKBph4uAq0%2B5TUH4ZNIQBxhaPKZ680O%2FSUuDYLS1KPxJl9loUVILt3Am5bgUQpGb5Nfosg4vmq%2Fi0SK6XA%2B2CwQgFqD27tOFXyaPUdzgmR8CETPlPGpwD513GbPvRXeyORBRt3HnuiEwX5yh3BEJUeSc2goCCVnL8%2F0.d276d501a8e7d682dc02fba4b8ad18d6f451da90ca890de5765a6a208425e6a4.V2; sIdRefreshToken=e6b9ae05-2916-4a9c-9433-0ddaed79fe6a; sIRTFrontend=e6b9ae05-2916-4a9c-9433-0ddaed79fe6a; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDY3MjU4NjgsInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672402935.1.1.1672403164.0.0.0
fdi-version: 1.8,1.9,1.10,1.11,1.12,1.13,1.14,1.15
origin: https://mirio.org
referer: https://mirio.org/create
rid: session
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
and I still have two
r
there are two refresh tokens again
c
yeah
see the first request that fails with a 401
has only one
:authority: mirio.org
:method: POST
:path: /api/recordings
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es;q=0.8,fr;q=0.7
content-length: 134
content-type: application/json
cookie: sIdRefreshToken=e6b9ae05-2916-4a9c-9433-0ddaed79fe6a; sIRTFrontend=e6b9ae05-2916-4a9c-9433-0ddaed79fe6a; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDY3MjU4NjgsInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672402935.1.1.1672403164.0.0.0
origin: https://mirio.org
referer: https://mirio.org/create
rid: anti-csrf
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
r
can you delete the cookies once again and this time, login, and then navigate to the refresh endpoint and check just one cookie is there?
c
actually
doesn't have any
nvm
r
can you delete the cookies once again and this time, login, and then navigate to the refresh endpoint and check just one cookie is there?
c
yeah
ok logged in
now just go to the refresh endpoint without deleting the access token, correct?
r
yes
c
sRefreshToken=tWCk6XQZXk9fY1JgRA80EtS62Fq/gI07E1sCxVyCHt1dUq1d6LbbHC0HgPvHxEJB/EHv+z8zpc40AyLuZSs+E8+adnEuXoVkG+eKglbD27tb8tBOK8dz9Qvol25PufsSv6kQxoHx26HATPLPBMFbN9qDiDPAoCoEh9IBkkYrIrG0y8fF5+Enidtg6CVeTbJkeo5NVM3fPVoKkWiGkEiDIRAtBw2LjSAPOaOl0cL+dYirErm5bb1ZlY9hc289laW7/DQEMJrd7XvqwI9dx2YXXXRXlqKPN5Q8mEd2QnDILYgyVnaWItzO3fBR0AquduvKuXuYYUfJ3dO4FGoL6++iXfWoHjZQXU44208FoCPCzPzy5LW7Up4+JksYpiYVresKvxIMhEtHoKHAtq/q.c9f417c73d378d2ade5b2367012ba0bc937193eb8b80c4abcd9efd21cfc75b16.V2; sRefreshToken=idKxbFVTenMlUKXzLYGVTpP1RQuqjbSNzZGTgzdUodf4gBVmKGCZDFqv+3RKDQzQLmBg7dlWopti2z9Nm1E6Vvr8HE6Drll9NOfs8Xu7fDIwUq+MWDuA33KX/Mo5b8HpPru5ZbFBl5A9BHod+ub5OG9dXS5cAZA5EQe4/EPxUwdAjXtBrGnaZQ07zMkigBB0NlAlJegRoR8MXVmFEHdKohlaFaFP0sp3/Ry72K74sj3K1jT5ELy0F77nAWx1JzaG8oHKKwBsivIn3DweEyEN.ea478758d33ad0ccc9f03766ff20977407f3d82a9b5f986bd609f35ec1cbdbbb.V2; sAccessToken=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0=.eyJzZXNzaW9uSGFuZGxlIjoiOGEyMzc4OTAtMGVkOC00NDEzLTk2OTktODk0ZGY2NjM5YjM4IiwidXNlcklkIjoiMWU5ZjBmNzctNmNlNi00MDJlLWIwYmEtOTc5NDRmYmIwZDlhIiwicmVmcmVzaFRva2VuSGFzaDEiOiI1MmVmYThmOTk3NjFjODhjNDBhODk2YWFhNzkxMDIyOGIwOTFmOTBlMDMzNmU2N2Y2NzQ4N2E2ZjVkZmMxZGI5IiwicGFyZW50UmVmcmVzaFRva2VuSGFzaDEiOm51bGwsInVzZXJEYXRhIjp7fSwiYW50aUNzcmZUb2tlbiI6bnVsbCwiZXhwaXJ5VGltZSI6MTY3MjQwNjk2MzY2NSwidGltZUNyZWF0ZWQiOjE2NzI0MDMzNjM2NjUsImxtcnQiOjE2NzI0MDMzNjM2NjV9.a47HQT5Hu3dso7Uv7UHXiICegfgdAohcHN1WltJeIEcxmTdeSmhnNxmDkWVZ4ONXo4Ogvk5IxtxA5YcMKBiI7uQiiNrkv67ebdVZN67MK4NlbZYiyMmfZfYwmDLDkR3HBTomhjG8m4cMB+JkUzjgh9K/ziCX3luOsr5W20KuzZs43JO97Ngz1GaxJS8WqjoOU3FJt8m2TvLEEVh06X+Y2rTzRBRSAdWjIPet+9KiJMayhhbIlAgGHoWsSumHd8LWtCjfUI9W1430qvsrgzgTw4Py1JD9NXqViG7PlAEExKGjBiz2Q7q2CtEx0iEiTtwyJ+/l+zBef8bVQdVNVBJcCA==; sIdRefreshToken=85f9fa47-90f0-46b6-81c2-33fee6625d21; sIRTFrontend=85f9fa47-90f0-46b6-81c2-33fee6625d21; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDY5NjM2NjUsInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672403336.1.1.1672403364.0.0.0
two again
r
well no.
just one refresh token and one access token
So now if you delete the access token, and make an api call, does it send just one refresh token?
c
no no
there are two
I highlighted the second one in the picture
r
hmm. Where does the second one come from? Can you try in incognito mode?
c
trying in incognito
but I get one for mirio.org
and another for .mirio.org
r
refresh token?
you get back two refresh tokens from the API?
can i see the sign in API response?
sign in API response headers
c
idk when I end up getting two
after sign in
this is the headers
front-token: eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDczODU3MTAsInVwIjp7fX0=
id-refresh-token: 81c6cf92-f659-4ae2-bcbe-5fd22aafaeb0;1681043785710
server: Vercel
set-cookie: sAccessToken=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0%3D.eyJzZXNzaW9uSGFuZGxlIjoiMGRlNWYxNzUtZjdiNi00ODI0LWE1NmItYWRjNWQ3ZDNhNzgwIiwidXNlcklkIjoiMWU5ZjBmNzctNmNlNi00MDJlLWIwYmEtOTc5NDRmYmIwZDlhIiwicmVmcmVzaFRva2VuSGFzaDEiOiJmM2Q3YTQyMzdkNjE5ZDY1MWI4NThkOTU1YzA5MTZmOWM2NzYwNzk0MWVmMmFmMDQ5ODY0MjY5ZGY1Y2E0YTY3IiwicGFyZW50UmVmcmVzaFRva2VuSGFzaDEiOm51bGwsInVzZXJEYXRhIjp7fSwiYW50aUNzcmZUb2tlbiI6bnVsbCwiZXhwaXJ5VGltZSI6MTY3MjQwNzM4NTcxMCwidGltZUNyZWF0ZWQiOjE2NzI0MDM3ODU3MTAsImxtcnQiOjE2NzI0MDM3ODU3MTB9.HPq8EWkOprsyzuCvPqPJjERDl%2FLJDIh9RNY%2F3RKJyuokzbMF4Z%2F%2FAx14MFIAkeltX1mofZUoJJqZRzcKn2GVJ8yV%2BBnb8W7uWlZJ%2F%2FXo87LcUiToVPDVFiv8HP3PKgCYuwdJap4o3dcNElXZ6DDdaaKxbq1bQ6dW%2FF2PqZzSWyASF4t4sxY6yQ%2FBiQHPycHNNg6GNF06CdXxVPTSBUnYEohdXzVVNsspyUzOSQ%2F%2B0DnYGHjsOiUnWPc3qgq34j9USEOoJszmDio4m9hI3BgX2mbJEPbEDUNS%2FVgEpH6nV0wcYDWn1lKJfRJfe2hl69%2FD857tV2h7xoDIsLqyrRs%2FQg%3D%3D; Domain=.mirio.org; Path=/; Expires=Fri, 30 Dec 2022 13:36:25 GMT; HttpOnly; Secure; SameSite=Lax
set-cookie: sRefreshToken=MgekqU%2FQ%2B%2Fh91oLscTrCGRZytyU5LnWX6tl52jVa1zHt6%2FoGmf0CdVKsaBzxSjD7UNObfPa3WtShUzPKBA9Oth1R8eDB%2FK7mbNA3jZbnjyUBy7uCKeG7IqVo9JJvEUcEuPEiHRcF1SNGMvhzIerB%2BoTrCUBUjboKSmbSAZc95CvA8e1JYItYD9144mX2tbmCMY4gKpcc02k7D9Y8ebbDhywpBzQ7wlgNdZ92zpgXDZMYxLDdgwdS6WFUbb2x8pZFMzZCZpYqEjQqasW8G2u6.022b50c592cf4d31df75826cbe69f795502d3932d22af6dac9a2b4692d2d7769.V2; Domain=.mirio.org; Path=/api/auth/session/refresh; Expires=Sun, 09 Apr 2023 12:36:25 GMT; HttpOnly; Secure; SameSite=Lax
set-cookie: sIdRefreshToken=81c6cf92-f659-4ae2-bcbe-5fd22aafaeb0; Domain=.mirio.org; Path=/; Expires=Sun, 09 Apr 2023 12:36:25 GMT; HttpOnly; Secure; SameSite=Lax
strict-transport-security: max-age=63072000
now I'm going to go to the refresh endpoint
r
hmm
c
cookie: sRefreshToken=MgekqU%2FQ%2B%2Fh91oLscTrCGRZytyU5LnWX6tl52jVa1zHt6%2FoGmf0CdVKsaBzxSjD7UNObfPa3WtShUzPKBA9Oth1R8eDB%2FK7mbNA3jZbnjyUBy7uCKeG7IqVo9JJvEUcEuPEiHRcF1SNGMvhzIerB%2BoTrCUBUjboKSmbSAZc95CvA8e1JYItYD9144mX2tbmCMY4gKpcc02k7D9Y8ebbDhywpBzQ7wlgNdZ92zpgXDZMYxLDdgwdS6WFUbb2x8pZFMzZCZpYqEjQqasW8G2u6.022b50c592cf4d31df75826cbe69f795502d3932d22af6dac9a2b4692d2d7769.V2; _ga=GA1.1.498503693.1672403656; sAccessToken=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsInZlcnNpb24iOiIyIn0%3D.eyJzZXNzaW9uSGFuZGxlIjoiMGRlNWYxNzUtZjdiNi00ODI0LWE1NmItYWRjNWQ3ZDNhNzgwIiwidXNlcklkIjoiMWU5ZjBmNzctNmNlNi00MDJlLWIwYmEtOTc5NDRmYmIwZDlhIiwicmVmcmVzaFRva2VuSGFzaDEiOiJmM2Q3YTQyMzdkNjE5ZDY1MWI4NThkOTU1YzA5MTZmOWM2NzYwNzk0MWVmMmFmMDQ5ODY0MjY5ZGY1Y2E0YTY3IiwicGFyZW50UmVmcmVzaFRva2VuSGFzaDEiOm51bGwsInVzZXJEYXRhIjp7fSwiYW50aUNzcmZUb2tlbiI6bnVsbCwiZXhwaXJ5VGltZSI6MTY3MjQwNzM4NTcxMCwidGltZUNyZWF0ZWQiOjE2NzI0MDM3ODU3MTAsImxtcnQiOjE2NzI0MDM3ODU3MTB9.HPq8EWkOprsyzuCvPqPJjERDl%2FLJDIh9RNY%2F3RKJyuokzbMF4Z%2F%2FAx14MFIAkeltX1mofZUoJJqZRzcKn2GVJ8yV%2BBnb8W7uWlZJ%2F%2FXo87LcUiToVPDVFiv8HP3PKgCYuwdJap4o3dcNElXZ6DDdaaKxbq1bQ6dW%2FF2PqZzSWyASF4t4sxY6yQ%2FBiQHPycHNNg6GNF06CdXxVPTSBUnYEohdXzVVNsspyUzOSQ%2F%2B0DnYGHjsOiUnWPc3qgq34j9USEOoJszmDio4m9hI3BgX2mbJEPbEDUNS%2FVgEpH6nV0wcYDWn1lKJfRJfe2hl69%2FD857tV2h7xoDIsLqyrRs%2FQg%3D%3D; sIdRefreshToken=81c6cf92-f659-4ae2-bcbe-5fd22aafaeb0; sIRTFrontend=81c6cf92-f659-4ae2-bcbe-5fd22aafaeb0; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDczODU3MTAsInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672403656.1.1.1672403786.0.0.0
ok in incognito there is only one
want me to try the flow of deleting the access token and triggering the refresh?
in incognito?
r
yes
c
hmm how can I delete the access token in incognito?
I used an extension for that
r
same as the other way
maybe don't use the extension.. it might be causing this issue
you can google how to delete cookies on chrome via inspect element
c
ok
but only delete access token right?
r
yes
c
ok it worked!
r
nice
c
:authority: mirio.org
:method: POST
:path: /api/auth/session/refresh
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9
content-length: 0
cookie: sRefreshToken=MgekqU%2FQ%2B%2Fh91oLscTrCGRZytyU5LnWX6tl52jVa1zHt6%2FoGmf0CdVKsaBzxSjD7UNObfPa3WtShUzPKBA9Oth1R8eDB%2FK7mbNA3jZbnjyUBy7uCKeG7IqVo9JJvEUcEuPEiHRcF1SNGMvhzIerB%2BoTrCUBUjboKSmbSAZc95CvA8e1JYItYD9144mX2tbmCMY4gKpcc02k7D9Y8ebbDhywpBzQ7wlgNdZ92zpgXDZMYxLDdgwdS6WFUbb2x8pZFMzZCZpYqEjQqasW8G2u6.022b50c592cf4d31df75826cbe69f795502d3932d22af6dac9a2b4692d2d7769.V2; _ga=GA1.1.498503693.1672403656; sIdRefreshToken=81c6cf92-f659-4ae2-bcbe-5fd22aafaeb0; sIRTFrontend=81c6cf92-f659-4ae2-bcbe-5fd22aafaeb0; sFrontToken=eyJ1aWQiOiIxZTlmMGY3Ny02Y2U2LTQwMmUtYjBiYS05Nzk0NGZiYjBkOWEiLCJhdGUiOjE2NzI0MDczODU3MTAsInVwIjp7fX0=; _ga_HRPKHNPCHL=GS1.1.1672403656.1.1.1672404297.0.0.0
fdi-version: 1.8,1.9,1.10,1.11,1.12,1.13,1.14,1.15
origin: https://mirio.org
referer: https://mirio.org/create
rid: session
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108", "Google Chrome";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "macOS"
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: same-origin
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
so nothing is wrong?
Request URL: https://mirio.org/api/auth/session/refresh
Request Method: POST
Status Code: 200
Remote Address: 76.76.21.21:443
Referrer Policy: strict-origin-when-cross-origin
I still don't know why in non incognito I get two access tokens
r
yeah, I'm not sure. You just need to be careful about cookie deletion when changing modes
c
ok, alright, thanks!
Actually
so one odd thing
is that in non-incognito
if I visit
I send two refresh tokens
r
that's because the browser has 2 of them
c
and I end up with two
r
right. I'm not sure how
c
but I guess will other people not have this problem as well?
like now that I added the cookie domain
will all new people that now use the domain as .mirio.org, be fine?
r
yea they should be
I'm not sure how you ended up in this state
c
yeah
it works when I do it with firefox too
that is very odd
is there a way to find out where the refresh token is taken from? or a way to delete all data associated with the site?
r
the browser has a way of doing that. You can delete all cookies per site
google it
c
sounds good thanks a lot for the time looking into this with me @rp_st !