EdwinN1337

01/31/2023, 8:48 AM
Hi, we're trying to make SuperTokens work on our Vercel deployment URLs; the cookieDomain for the frontendConfig and backendConfig is set to .vercel.app and cookieSameSite: none. What are we missing?

rp

01/31/2023, 8:48 AM
Hey @EdwinN1337, .vercel.app is a special domain - it's in the public suffix list, so you can't set that as the cookieDomain.

EdwinN1337

01/31/2023, 8:50 AM
Right! Is there any way we can make sessions work with Vercel? It's for our staging deployments for our Capacitor apps.

rp

01/31/2023, 8:51 AM

EdwinN1337

01/31/2023, 8:51 AM
Thanks! 👍
Ah, I could also assign a custom domain to specific branches on Vercel.
Way easier 🙂

rp

01/31/2023, 9:04 AM
cool

EdwinN1337

01/31/2023, 9:46 AM
Somehow I can't get it working... When logging in, we do another call to our backend verifying the session:

```ts
supertokens.init(backendConfig())

export default async function handler(req: SessionRequest, res: NextApiResponse & Response) {
  // we first verify the session
  await superTokensNextWrapper(async next => verifySession()(req, res, next), req, res)
  // the rest of the handler (not included in the post) runs with req.session available
}
```

The session is invalid; that's due to cookies not being accepted. Our backendConfig we've got:

```js
    Session.init({
      cookieDomain: process.env.NODE_ENV === 'production' ? '.domain.nl' : 'localhost',
      cookieSameSite: process.env.NEXT_PUBLIC_APP_STAGE && process.env.NODE_ENV === 'development' ? 'strict' : 'none',
      // remaining Session.init options were not posted
    })
```

frontendConfig:

```js
    Session.init({
      cookieDomain: process.env.NODE_ENV === 'production' ? '.domain.nl' : 'localhost',
      // remaining Session.init options were not posted
    })
```

rp

01/31/2023, 9:48 AM
Can you be a bit more specific about what's not working?

EdwinN1337

01/31/2023, 9:48 AM
Session not valid due to cookies not being saved;
we are using a subdomain 😉

rp

01/31/2023, 9:49 AM
why is the cookie not saved?

EdwinN1337

01/31/2023, 9:54 AM
No clue, can't figure it out 😉 The superTokensNextWrapper is removing the cookies before I can take a look at the request, hehe. Will remove this call to check, one moment.

rp

01/31/2023, 9:58 AM
I'd need more info to help - the backend and frontend debug logs.

EdwinN1337

01/31/2023, 10:09 AM
lol, turns out Vercel didn't build a recent version.
Sorry! It works.

rp

01/31/2023, 10:22 AM
haha ok!

mib200

01/31/2023, 3:14 PM
@rp we've even tried setting cookieDomain on the backend as x.example.com, but it doesn't set the refresh tokens etc.
We tried to configure the same on the frontend; it still doesn't work.
Although if I set .example.com, everything works.
So what we did was exclude setting cookieDomain both in the frontend and backend.
We skipped the sessionScope config as well.
Now everything works on the same domain.
BUT another strange behaviour: the refresh token etc. can't be seen as set in the Chrome inspector. But once I get the refresh API to be called, I can see all 4 types of cookies.
This means that the refresh token etc. is there somewhere, but not visible in the Chrome inspector.
But strangely they become visible after the refresh API is called, which shouldn't have worked if there were no refresh tokens.

rp

01/31/2023, 3:24 PM
> This means that refresh token etc is there somewhere. But not visible in chrome inspector

You need to navigate to the refresh API path in the browser to see it.

mib200

01/31/2023, 5:54 PM
I thought so as well. But then I wonder why I am able to see it at other times.
Will keep on experimenting to understand the browser behaviour better.

rp

01/31/2023, 5:57 PM
Yea... Chrome is strange sometimes. It shows the tokens when newly added.

mib200

02/01/2023, 2:37 AM
@rp one more question I have. My client is hosted on x.test.com and the backend is at auth.example.com.
I'm able to set front tokens etc. and use them. But the refresh token API doesn't work, so basically the user gets logged out in 1 hour without a refresh of sessions.
Is this how it behaves or am I missing something?

rp

02/01/2023, 6:15 AM
You need to set the SameSite property of the cookie to none.

mib200

02/01/2023, 2:46 PM
I guessed so. But that does raise a few infosec flags in our team. Got it.
One last thing @rp: how do we force the Secure flag for front tokens etc.?
The HttpOnly and Secure flags are set for refresh tokens etc.,
but not for front tokens.
I do understand the frontend needs to read these, so we can leave HttpOnly alone. But what about the Secure flag? And what if we need to force both flags on all cookies?

rp

02/01/2023, 2:51 PM
The front token doesn't contain anything sensitive,
and the token by itself doesn't give any access either.