getting 401 Unauthorized on HTTPS connections
# support-questions-legacy
c
My FE and BE are deployed on different servers. I was getting the error below, so I switched to https and set cookieSecure to true: Error: Since your API and website domain are different, for sessions to work, please use https on your apiDomain and dont set cookieSecure to false. I'm using the email-otp recipe. After entering the OTP, I get logged in for < 1 sec and then logged out again to the email filling page. Checking the console, I get 401 Unauthorized: https:///login/session/refresh 401. I don't know much about SSL/TLS config, but when I visit the FE and BE endpoints they open in https with a lock icon next to them; I didn't provide any SSL/TLS certificates myself. I'm using Cloudflare for hosting the FE, and the domain for the BE is bought from Cloudflare.
r
you should not add any config to the session.init on the backend. What are the values for apiDomain and websiteDomain?
c
apiDomain=https://abc.party websiteDomain=https://abc-app.pages.dev/ They look something like this; I replaced the actual name with abc.
r
i see.
So just set the right values in the api and website domain and don't set any config in session.init
Error: Since your API and website domain are different, for sessions to work, please use https on your apiDomain and dont set cookieSecure to false.
This error should go away. If this shows up, it means you are not putting https in the apiDomain value. So double check that.
c
this error went away
r
cool
c
Session.init({ cookieSecure: true, })
r
you don't need to set cookieSecure
c
should I remove it?
r
yup.
Just Session.init()
c
ok let me try
still same issue 401
r
are you using safari?
if not, can you show me a screenshot of the network tab's response headers for the sign in API call on chrome?
c
it's on chrome, the response for /refresh is: {"message":"unauthorised"}. In Application -> Cookies -> https://abc-app.pages.dev/, there is no cookie for the refresh token. The value for sIRTFrontend is remove.
r
are you using our frontend SDK?
can I see the request and response headers for the sign in API call? And also for the refresh API call.
the refresh token is stored on a specific path. So if you want to see it, you have to navigate to the refresh path on your api domain on your browser.
c
yes
r
can you please just send the info over?
c
name for login api call?
r
you must have implemented login already correct?
Otherwise how are you creating a session?
c
yes. In the network tab, the ones with the /login endpoint have code and consume as names. Which one do you want me to share?
r
the consume one.
so you see the orange triangle? can you hover on it? What does it say?
c
the attempt to set cookie was blocked by user preferences
r
right. So that's the reason.
Cause your chrome setting has cross site cookies disabled
to solve this, either make the apiDomain and websiteDomain on the same base domain, or then switch to using non cookie based auth (which is going to be released next week)
or you can customise the existing SDK to use header based auth as shown in this demo app: https://github.com/supertokens/supertokens-auth-react/tree/master/examples/with-localstorage
c
cool, thanks for help. learned something new 👍