https://supertokens.com/ logo
Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Powered by
Title
t

tom-glyphic

03/02/2023, 3:35 PM
Hi, I'm using the EmailPassword Recipe with hosted Supertokens, but on user sign in getting 401 errors from 
<my_domain>/auth/session/refresh
. Is this endpoint used for EmailPassword recipe, and why would it be returning 401? From the docs it seems to only be within Session Recipe (https://app.swaggerhub.com/apis/supertokens/FDI/1.16.0#/Session%20Recipe/refresh)
r

rp

03/02/2023, 3:37 PM
hey @tom-glyphic can you enable backend debug logs and show me the output?
t

tom-glyphic

03/02/2023, 3:57 PM
Here's the logs, which shows a successful 
POST /auth/signin
request, it then tries to make 
GET
to our own 
/auth/organization/
and 
/auth/user/
and the 
POST /auth/session/refresh
which all fail with 
401
This is when attempting to log in with an existing user, in incognito mode so there is no cookie
r

rp

03/02/2023, 4:05 PM
So when you first visit the site, a 401 is expected from this API. But after you sign in, then it should all just work.
The reason this API is called first is cause the frontend SDK doesn't yet know if a session exists or not.
So calling this API tells the frontend SDK if a session exists and according to that, can show the relevant UI etc..
t

tom-glyphic

03/02/2023, 4:11 PM
The effect is the UI is being redirected back to the sign in page, even after the 
auth/signin
returned 200 (the sub pages are wrapped in 
<SessionAuth />
from 
supertokens-auth-react/recipe/session
)
But this only happens when running in incognito
r

rp

03/02/2023, 4:12 PM
Hmm. That’s odd. If the signin api is succeeding, then it should not cause a refresh failure.
Are you using header based or cookie based auth?
t

tom-glyphic

03/02/2023, 4:15 PM
We don't set 
tokenTransferMethod
explicitly, but from the request headers looks like it's defaulting to 
st-auth-mode: cookie
r

rp

03/02/2023, 4:24 PM
Hmm. Right. Can I see the sign in response headers? And also the cookie store after the api is called.
Screenshots will do
What does it say on the orange triangle when you hover on it?
right. So i think in chrome incognito, it doesn't allow cross site cookies
so you may want to switch to using header based auth. Search for "token transfer method" in our docs
#support-questionsJoin Discord
Powered by