Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
l
Leoo
01/21/2023, 4:22 PMCan I use verifySession in a way that the route is also accessible by users without a session?
I thought
verifySession({ sessionRequired: false })r
rp
01/21/2023, 4:23 PMHey. Using sessionRequired: false is the correct way
The only time this returns a 401 is when a user has a session, but their access token has expired
Therefore the session needs to be refreshed
As opposed to a user who doesn’t have a session at all. In this case it will allow the api to run except that the session object is undefined
l
Leoo
01/21/2023, 4:32 PMHmm ok I'll investigate a bit more
Thanks for all the help in the last 2 days!!
Sometimes the automatic refreshing of the accessToken works, and sometimes I just get back a 401. Can't really work out, what the problem is. Just really unpredictable.
To test better, I decreased the accessToken lifetime to 15s. And on sometimes the refreshing works and I can have minutelong session, but sometimes not.
Noticed, that Session.doesSessionExist returns false immediately after the session creation (when the 15s token is still valid). What could be the cause for that?
r
rp
01/21/2023, 5:47 PMwhich frontend sdk of ours are you using?
l
Leoo
01/21/2023, 5:48 PMI'm using supertokens-web-js
r
rp
01/21/2023, 5:48 PMright. Can i see the request and response headers for the sign in API call? Chrome screenshot will do
l
Leoo
01/21/2023, 5:51 PMYes, I'll prepare them. But I just found something:
When I create the new session and wait, until the accessToken expires. Then sIRTFrontend is set to remove. The accessToken also gets removed. When I delete the sIRTFrontend cookie and refresh the page the refreshing works. It also never stops working. Not even after multiple refreshes.
What functionality sets the sIRTFrontend cookie?
r
rp
01/21/2023, 5:52 PMwe add interceptors to your networking lib and when the interceptor detects that session tokens are returned, it sets the correct value for sIRTFrontend
l
Leoo
01/21/2023, 5:54 PMWhat does it mean when it's set to remove?
r
rp
01/21/2023, 5:55 PMit means that the frontend thinks that no session exists.
l
Leoo
01/21/2023, 5:57 PMwhen is that supposed to happen?
r
rp
01/21/2023, 5:58 PMwhen you call the sign in function from the frontend.
The API that returns session tokens
l
Leoo
01/21/2023, 6:02 PMI'm not doing that. My current flow looks like the following:
I sign into github with my own implementation of the OAuth flow, which redirects the user to a new tab. I create the session on the server using createSession() and add the oauth token to the sessionData. The new tab is closed and the session exists for the livetime of the accessToken
r
rp
01/21/2023, 6:03 PMRight. So the api that calls createNewSession, I want to see the response and request headers for that
l
Leoo
01/21/2023, 6:04 PMThe session creation is happening in the express backend. The Frontend get's to know that the user is logged in because of the values the telefunc functions return
r
rp
01/21/2023, 6:05 PMI’m confused. Doesn’t the frontend call the express backend api which creates the new session?
l
Leoo
01/21/2023, 6:06 PMYes but not through the supertokens sdk
r
rp
01/21/2023, 6:06 PMThat’s fine
So whatever that api call is, I want to see the request and response headers of that
l
Leoo
01/21/2023, 6:06 PMAlright
{
"params": {
"headers": [
"Host: localhost:3000",
"Connection: keep-alive",
"Upgrade-Insecure-Requests: 1",
"User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36",
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"Sec-Fetch-Site: cross-site",
"Sec-Fetch-Mode: navigate",
"Sec-Fetch-User: ?1",
"Sec-Fetch-Dest: document",
"sec-ch-ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"",
"sec-ch-ua-mobile: ?0",
"sec-ch-ua-platform: \"macOS\"",
"Accept-Encoding: gzip, deflate, br",
"Accept-Language: de, en;q=0.9",
"Cookie: sIRTFrontend=remove"
],
"line": "GET /services/auth/github-oauth-callback?code=29bba76e378dbfb47e9c HTTP/1.1\r\n"
},The request
r
rp
01/21/2023, 6:12 PMCan u show me the screenshot on chrome?
l
Leoo
01/21/2023, 6:12 PMbit tricky because of the new tab opening thing
got it to work
r
rp
01/21/2023, 6:14 PMHmm. This already has the access token set in cookies.
So I’m not sure what you are doing
l
Leoo
01/21/2023, 6:17 PMok sorry wrong one
r
rp
01/21/2023, 6:18 PMSo it seems that our interceptor is not applied to this api call. What’s the domain for this api call? And what’s the value of apiDomain set on the frontend?
l
Leoo
01/21/2023, 6:20 PMuhh ok that sounds like a really good hint
I set the frontend and backend api path to /session
r
rp
01/21/2023, 6:21 PMWhat about the apiDomain?
l
Leoo
01/21/2023, 6:21 PMMy api routes are at /
r
rp
01/21/2023, 6:21 PMThat’s not the issue
l
Leoo
01/21/2023, 6:21 PMapiDomain is http://localhost:3000
r
rp
01/21/2023, 6:22 PMAs long as you have the same apiBasePath on the backend and frontend
l
Leoo
01/21/2023, 6:22 PM(in the frontend location.origin)
r
rp
01/21/2023, 6:22 PMAnd what is the value of location.origin?
And which api are you calling? The domain of the api
l
Leoo
01/21/2023, 6:22 PMr
rp
01/21/2023, 6:22 PMEven on the callback screen, the location.origin is localhost:3000?
l
Leoo
01/21/2023, 6:24 PMI set it to "http://localhost:3000" now. Should have been that with location.origin, but I'll test with the fixed string
r
rp
01/21/2023, 6:25 PMYou also need to make sure that you are calling supertokens.init on the frontend in the callback page before the api call is made
l
Leoo
01/21/2023, 6:25 PMThat is happening
I got an error when that didn't happen
r
rp
01/21/2023, 6:25 PMCan you enable frontend debug logs and show me the output when the api call is made?
l
Leoo
01/21/2023, 6:27 PMyes
r
rp
01/21/2023, 6:33 PMCan you send me the logs that are generated just during the api call?
l
Leoo
01/21/2023, 6:35 PMThe user get's redirected to my app after successful github authentication. In the request of that page the session gets created
r
rp
01/21/2023, 6:35 PMThere is a preserve log button on chrome
Maybe go through this list first before I can help more 🙂
Intuitively, it seems that you are not calling supertokens.init before making the api call.
But I may be wrong.
l
Leoo
01/21/2023, 6:37 PMOk thanks, I'll work through that
So could the problem be that the session get's created in the page request?
The frontend can't be initialized before
r
rp
01/21/2023, 6:38 PMIt gets created in the api call you are making
The problem is that our interceptors are not being applied to the api call
This happens cause of misconfiguration of apiDomain vs the url that you are querying
Or cause you have not called supertokens.init on the app yet
If you have specific questions, I’d be happy to help. I feel like I have spent enough time debugging with you and the GitHub issue about exists already.
l
Leoo
01/21/2023, 6:40 PMYes, you're right
Thanks a lot man!
FYI: You've been right, I created the session on a "API-only" route. The user got directly redirected to that route and on that route no SuperTokens.init() call was made. I'm creating the session now with a fetch call from the frontend even before it is needed and before the oauth redirection cascade. Everything works as expected now 🙂
Can the frontend also recognise that a session is created if this creation is not triggered by a fetch call from the frontend? Would it work if I redirect the user to a new page and the session get's created in that page request (so not by calling an API endpoint and so for not utilizing the fetch interceptor)? Supertokens would only be initialized, after the browser processes the response. But the response would include all necessary headers.
r
rp
01/22/2023, 3:10 PMYes. That can work, if on the frontend, you call the Session.attemptRefreshSession function when the page loads (I think the name of the function is that, but if not, it’s similar)
l
Leoo
01/22/2023, 5:03 PMAlright, thanks 👍
Everything works as expected now, in Chrome... Safari seems to have problems. Can my multi tab oauth flow be a problem in Safari? I'm creating the session in one tab and it survives refreshes. When I navigate to the oauth provider in a new tab and get redirected to my frontend route (also in the new tab), the behaviour is different from the behaviour in chrome. After the oauth flow finished and the new tab shows my frontend route, but the sIRTFrontend cookie is again set to remove.
r
rp
01/22/2023, 6:51 PMHmm. Usually safari issues are due to use cross site cookies. But I think in your case, the api and website domain values are the same right?
l
Leoo
01/22/2023, 6:56 PMYes
r
rp
01/22/2023, 6:56 PMHmm. So there shouldn’t be any issue as such. Can I see the request and response headers for the request that creates a session?
l
Leoo
01/22/2023, 6:57 PMyep
Also added this snippet, which generates this output. Getting the access token payload works, until the accessToken needs to be refreshed. When /session/refresh is called by the frontend sdk it returns a 401 and the accessToken payload can no longer be read
sIRTFrontend is then set to remove
r
rp
01/22/2023, 7:10 PMSo I see a weird thing. Why is the sameSite value none in cookies?
Have you explicitly set it to none on the backend?
l
Leoo
01/22/2023, 7:15 PMthese are my configs
r
rp
01/22/2023, 7:25 PMThe value of apiDomain should be localhost:3000 as well
Make that change, and try again.
l
Leoo
01/22/2023, 7:28 PMUh ok males sense
Ok just checked and that was the problem. Now it works :))
Thanks a lot for all that first class support! Can I do anything for you? Something like writing a review anywhere? Or do you have a buymeacoffe ^^
r
rp
01/22/2023, 7:50 PMYou could tweet about us and tag @supertokensio in it
l
Leoo
01/22/2023, 7:51 PMAlright, I‘ll do that 🙂
FYI: Just checked again and I used the config that was generated by the tool on your page. Which has the apiDomain for the appInfo set to the remote apiDomain. Might be a bit confusing
r
rp
01/23/2023, 2:45 AMThat’s cause you set it to that value in the form above
l
Leoo
01/23/2023, 3:51 AMAhh ok I didn't get that the apiUrl of the backend is automatically added... Thought that would be the place to put in the supertokens api domain 😅