Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
e
EdwinN1337
01/31/2023, 8:48 AMHi, we're trying to make supertokens work on our vercel deployments url,
the cookiedomain for the frontendConfig and backendConfig is set to
.vercel.appcookieSameSite: noner
rp
01/31/2023, 8:48 AMhey @EdwinN1337
.vercel.appso you can't set that to the cookieDomain
e
EdwinN1337
01/31/2023, 8:50 AMright! anyway we can make sessions work with vercel? it's for our staging deployments for our capacitor apps
r
rp
01/31/2023, 8:51 AMim not sure if this will help, but see here: https://supertokens.com/blog/how-to-deploy-supertokens-with-react-nodejs-express-on-vercel
e
EdwinN1337
01/31/2023, 8:51 AMthanks! đ
ah i could also assign custom domain to specific branches on vercel
way easier đ
r
rp
01/31/2023, 9:04 AMcool
e
EdwinN1337
01/31/2023, 9:46 AMSomehow I cant get it working...
When logging it, we do another call to our backend verifying the session
js
supertokens.init(backendConfig())
export default async function handler(req: SessionRequest, res: NextApiResponse & Response) {
// we first verify the session
await superTokensNextWrapper(async next => verifySession()(req, res, next), req, res)js
Session.init({
cookieDomain: process.env.NODE_ENV === 'production' ? '.domain.nl' : 'localhost',
cookieSameSite: process.env.NEXT_PUBLIC_APP_STAGE && process.env.NODE_ENV === 'development' ? 'strict' : 'none',js
Session.init({
cookieDomain: process.env.NODE_ENV === 'production' ? '.domain.nl' : 'localhost',r
rp
01/31/2023, 9:48 AMcan you be a bit more specific about whats not working?
e
EdwinN1337
01/31/2023, 9:48 AMSession not valid due cookies not saved,
we are using a subdomain đ
r
rp
01/31/2023, 9:49 AMwhy is the cookie not saved?
e
EdwinN1337
01/31/2023, 9:54 AMno clue, cant figure it out đ
the superTokensNextWrapper is removing the cookies before I can take a look in the request hehe
will remove this call to check moment
r
rp
01/31/2023, 9:58 AMid need more info to help - the backend and frontend debug logs
e
EdwinN1337
01/31/2023, 10:09 AMlol turns out vercel didnt build a recent version
sorry! it works
r
rp
01/31/2023, 10:22 AMhaha ok!
m
mib200
01/31/2023, 3:14 PM@rp even weâve tried setting cookieDomain on backend as x.example.com but it doesnât set the refresh tokens etc.
We tried to configure the same on Frontend, it still doesnât work
Although if I set .example.com. Everything works
So what we did was do exclude setting cookieDomain both in front end and backend
We skipped sessionScope config a well
Now everything works on same domain.
BUT another strange behaviour, the refresh token etc canât be seen as set in chrome inspector. But once I get the refresh api to call, all 4 types of cookies I can see.
This means that refresh token etc is there somewhere. But not visible in chrome inspector
But strangely they become visible after refresh api is called. Which shouldnât have worked if there were no refresh tokens
r
rp
01/31/2023, 3:24 PM> This means that refresh token etc is there somewhere. But not visible in chrome inspector
You need to navigate to the refresh api path on the browser to see it.
m
mib200
01/31/2023, 5:54 PMI thought so as well. But then I wonder why I am able to see it other times
will keep on experimenting to understand the browser behaviour better
r
rp
01/31/2023, 5:57 PMyea.. chrome is strange sometimes. It shows the tokens when newly added.
m
mib200
02/01/2023, 2:37 AM@rp one more question Iâve. My client is hosted on x.test.com and backend is at auth.example.com
Iâm able to set front tokens etc and use them. But the refresh tokens api doesnât work so basically the user gets logged out in 1 hour without refresh of sessions
Is this how it behaves or am I missing something?
r
rp
02/01/2023, 6:15 AMyou need to set the samesite property of the cookie to
nonem
mib200
02/01/2023, 2:46 PMI guessed so. But that does raise few Infosec flags in our team. Got it.
One last thing @rp how do we force secure flag for front tokens etc?
The http only and secure flag are set for refresh tokens etc
But not for front tokens
I do understand front end needs to read these. So we can leave httponly alone. But what about the secure flag? And what if we need to force both flags on all cookies?
r
rp
02/01/2023, 2:51 PMFront token doesnât contain anything sensitive
And the token by itself doesnât give any access either