ronflai

03/09/2023, 10:40 AM
Hello guys! I have an issue with the logout on Safari and on mobile. The server sends a 200 but without the Set-Cookie header, so the user is still logged in after the logout. Is it a known issue? Is there a workaround?
rp

03/09/2023, 10:44 AM
Hey @ronflai, can I see the Set-Cookie response header when you call the sign-in API? A screenshot will do. Also, what's the value of your apiDomain and websiteDomain?
ronflai

03/09/2023, 10:50 AM
The set-token response is too long to be displayed in our monitoring tool, but here is the main part:
rp

03/09/2023, 10:50 AM
What's the value of sameSite for the cookies?
ronflai

03/09/2023, 10:51 AM
SameSite=none;
rp

03/09/2023, 10:51 AM
Right. So Safari doesn't respect that.
Switch to using header-based auth instead of cookie-based.
Search in our docs for "token transfer method"
and then things should work.
ronflai

03/09/2023, 10:52 AM
Can you point me to the correct doc to follow for Safari?
rp

03/09/2023, 10:53 AM
There are no docs specific to Safari.
ronflai

03/09/2023, 10:53 AM
But in Safari on desktop it works.
rp

03/09/2023, 10:53 AM
You should just change to using header-based auth.
Safari desktop should not work with sameSite none either,
unless you have changed the browser's settings.
ronflai

03/09/2023, 10:54 AM
What change should we make for this to work?
rp

03/09/2023, 10:59 AM
Search for "token transfer method" in our docs please,
or you can tell me which recipe you use and I can send a link.
ronflai

03/09/2023, 10:59 AM
OK, I found the doc, but just to understand: it will send the token using a header and not a cookie, right?
rp

03/09/2023, 11:00 AM
Yes.
You don't need to do anything really,
just set the config as per the docs
and try again; it should work.
ronflai

03/09/2023, 11:01 AM
But it's not really safe to send the token using a header?
rp

03/09/2023, 11:01 AM
It's less secure, yeah.
The only other way to solve this is to use a websiteDomain and apiDomain that share the same base domain,
so that the cookie sameSite resolves to lax,
and then it will work on Safari as well.
ronflai

03/09/2023, 11:02 AM
OK, thanks for the info.
And why does the sign-in work then? Because now the sign-in is working fine, it's just the logout.
rp

03/09/2023, 11:07 AM
Because sign-in sends the cookies; it's the browser which is ignoring them.
And logout requires cookies to work. So since the browser did not save them, it won't work.
ronflai

03/09/2023, 11:11 AM
But we have the token in the browser, because otherwise Session.doesSessionExist() in the front end should return false?
rp

03/09/2023, 11:12 AM
Not really. There are other tokens on the frontend which are saved, using which doesSessionExist works. The ones that the browser ignores are the httpOnly cookies.
ronflai

03/09/2023, 1:18 PM
When I try to use transferMethod: "header" in the JS app, TS is complaining that
'tokenTransferMethod' does not exist in type 'UserInput'
What I did is just
recipeList: [
  Session.init({
    tokenTransferMethod: "header",
  }),
  Passwordless.init({
    preAPIHook: (context) =>
      addLocaleToCreateCodeRequest(context, activeLocale),
  }),
],
rp

03/09/2023, 1:20 PM
Right. Which version of the frontend SDK are you using?
And which frontend SDK?
ronflai

03/09/2023, 1:20 PM
"supertokens-web-js": "^0.3.0"
rp

03/09/2023, 1:21 PM
Right. So this feature is only available in version >= 0.5.0,
so update to that. Be sure to check the changelog: https://github.com/supertokens/supertokens-web-js/blob/master/CHANGELOG.md
You would also need to update the backend SDK as mentioned in the above changelog,
so be sure to check out the changelog of the backend SDK as well.
ronflai

03/09/2023, 1:24 PM
OK, thanks, I'll try.
I have a new error saying st-auth-mode is not allowed in Access-Control-Expose-Headers. Is it normal? Do I have to manually change the Access-Control-Expose-Headers?
rp

03/09/2023, 2:54 PM
No. Just update the backend SDK as well.
ronflai

03/09/2023, 3:09 PM
Yeah, that's what I did, but I still have this issue.
rp

03/09/2023, 3:10 PM
Can I see the error on the browser console?
And what are the response headers for the OPTIONS API call? And for the subsequent POST API call (if that happens)?
ronflai

03/09/2023, 3:21 PM
Response headers from the API OPTIONS call:
access-control-allow-credentials: true
access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,anti-csrf,rid,fdi-version
access-control-allow-methods: OPTIONS,DELETE,GET,HEAD,PATCH,POST,PUT
access-control-allow-origin: http://localhost:3001
content-length: 1
content-type: application/json
date: Thu, 09 Mar 2023 15:19:35 GMT
via: 1.1 8cea2743cbaa04c70ebc2ec4f5892fa6.cloudfront.net (CloudFront)
x-amz-apigw-id: BhPZNFNFliAFYPA=
x-amz-cf-id: WEmof5X7ZtZWyyf6IHPrriP5E-lhMZ7rlrXyohwZ_jegi43mPcRmyQ==
x-amz-cf-pop: CDG52-P4
x-amzn-requestid: 91db72e8-86d0-4f7c-9aa4-439b931ea796
x-cache: Miss from cloudfront
rp

03/09/2023, 3:21 PM
Right, so you need to add the st-auth-mode header to the AWS CORS setting too, similar to how you added rid.
ronflai

03/09/2023, 3:30 PM
Oh yes, you're right, I forgot about that.
I see that now we have st-xxx cookies for the access token and refresh token, but the access token has a validity of several days instead of 1 hour as before,
so there is no refresh mechanism?
rp

03/09/2023, 6:02 PM
There is.
The access token cookie saved in storage is saved for a long time, but the token's expiry itself is just 1 hour,
so even if the token is sent to the backend and it's been more than an hour, the backend will reject it and trigger a refresh flow.
ronflai

03/09/2023, 6:07 PM
OK, so the expiration is in your system, right?
rp

03/09/2023, 6:07 PM
Yes
ronflai

03/09/2023, 6:20 PM
OK, thanks for the clarifications. I also noticed that attemptRefreshingSession() is returning a 401 now instead of returning false if the st-access-token is not there.
rp

03/09/2023, 6:22 PM
Right, yeah. Because the st-access-token needs to be there for it to work (this is an implementation detail). But even if the access token has expired, st-access-token will still be there, resulting in attemptRefreshingSession continuing to work.
The only time it will break is if you manually clear the st-access-token (which is what I assume you did right now).
ronflai

03/09/2023, 6:22 PM
Yes indeed, I'm testing the flow.
Again, thanks for the clarifications.
And in which case could attemptRefreshingSession return false?
rp

03/09/2023, 6:23 PM
When the user is completely logged out.
ronflai

03/09/2023, 6:24 PM
Alright, gotcha! Thanks
rp

03/09/2023, 6:24 PM
i.e., no access token, no refresh token, and also st-last-access-token-update is present in the cookie storage.