Channels
bot-training
community
contributing
general
github-activity
info
introductions
new-releases
random
security
support-questions
welcome-0xdelusion
welcome-aj-ya
welcome-aleksandrc
welcome-alpinjs
welcome-amberlamps1
welcome-andrew-rodriguez
welcome-ankit-choudhary
welcome-anthony-stod-custodio
welcome-call-in
welcome-chwalbox
welcome-claybiokiller
welcome-co7e
welcome-cosmoecwsa
welcome-devdag
welcome-dinso
welcome-drebotelho
welcome-elio
welcome-ernest
welcome-foxbarrington
welcome-fromscratch
welcome-galto4ir
welcome-goetzum
welcome-hay-kot
welcome-himanshu-kukreja
welcome-hossambarakat
welcome-ichikawakazuto
welcome-jahir9991
welcome-jamesl
welcome-jerry123424
welcome-john-oliver
welcome-jonas-alexanderson
welcome-jxyz
welcome-kelvinwop
welcome-kraz
welcome-lancekey
welcome-leoo
welcome-lukeacollins
welcome-m-j-mon
welcome-malik-khoja
welcome-marco
welcome-mardadi
welcome-meshguy
welcome-metamorph
welcome-mike-tectu
welcome-mirzok
welcome-mozomig
welcome-naberyou66_
welcome-nacer
welcome-namratha
welcome-naveenkumar
welcome-nightlight
welcome-nischith
welcome-notankit
welcome-olawumi
welcome-pavan-kumar-reddy-n
welcome-pineappaul
welcome-poothebear
welcome-rick
welcome-samuel-qosenergy
welcome-samuelstroschein
welcome-shubhamgoel23
welcome-shubhamkaushal
welcome-sidebar
welcome-surajsli
welcome-suyash_
welcome-syntaxerror
welcome-tauno
welcome-tawnoz
welcome-teclali
welcome-tls
welcome-turbosepp
welcome-vikram_shadow
Title
r
ronflai
03/09/2023, 10:40 AMHello guys ! I have an issue with the logout on safari and on mobile. The server send a 200 but without the set-cookie header so the user is still login after the logout. Is is a known issue ? Is there a workaround ?
r
rp
03/09/2023, 10:44 AMhey @ronflai can i see the set-cookie response header when you call the sign in API? A screenshot will do.
Also, whats the value of your apiDomain and websiteDomain?
r
ronflai
03/09/2023, 10:50 AMthe set token response is too long to be display in our monitoring tool but there is main part
r
rp
03/09/2023, 10:50 AMwhats the value of sameSite for the cookies?
r
ronflai
03/09/2023, 10:51 AMSameSite=none;
r
rp
03/09/2023, 10:51 AMright. So safari doesn't respect that
switch to using header based auth instead of cookie based
search in our docs for "token transfer method"
and then things should work
r
ronflai
03/09/2023, 10:52 AMcan you indicate me the correct doc to follow for safari ?
r
rp
03/09/2023, 10:53 AMthere is no docs specific to safari
r
ronflai
03/09/2023, 10:53 AMbut in safari and on desktop it s work
r
rp
03/09/2023, 10:53 AMyou should just change to using header based auth
safari desktop should not work with sameSite none eithert
unless you have changed the browser's setting
r
ronflai
03/09/2023, 10:54 AMwhat change should we make for this to work ?
r
rp
03/09/2023, 10:59 AMsearch for "token transfer method" in our docs please
or you can tell me which recipe you use and i can send a link
r
ronflai
03/09/2023, 10:59 AMok I found the doc but to understand it will send the token using header and not cookie right ?
r
rp
03/09/2023, 11:00 AMyes.
You don't need to do anythign really
just set the config as per the docs
and try again - it should work
r
ronflai
03/09/2023, 11:01 AMbut it s not really safe to send the token using header ?
r
rp
03/09/2023, 11:01 AMit's less secure - yea
the only other way to solve this is to use websiteDomain and apiDomain that share a same base domain
so that the cookie sameSite resolves to
laxr
ronflai
03/09/2023, 11:02 AMok thanks for the info
And why the signin work then ? because now the signin is working fine is juste the logout
r
rp
03/09/2023, 11:07 AMcause sign in sends the cookies.. it's the browser which is ignoring it
and logout requires cookies to work. So since the browser did not save them, it won't work
r
ronflai
03/09/2023, 11:11 AMbut we have the token in browser because otherwise the Session.doesSessionExist() in the front end should return false ?
r
rp
03/09/2023, 11:12 AMnot really.. there are other tokens on the frontend which are saved using which doesSessionExist works. The ones that the browser ignores are httpOnly cookies.
r
ronflai
03/09/2023, 1:18 PMwhen I try to use the transferMethod: "header" in js app ts complaining that
tokenTransferMethod' does not exist in type 'UserInput'what i did is just
recipeList: [
Session.init({
tokenTransferMethod: "header",
}),
Passwordless.init({
preAPIHook: (context) =>
addLocaleToCreateCodeRequest(context, activeLocale),
}),
],r
rp
03/09/2023, 1:20 PMright. Which version of the frontend sdk are you using?
and which frontend SDK?
r
ronflai
03/09/2023, 1:20 PM"supertokens-web-js": "^0.3.0"
r
rp
03/09/2023, 1:21 PMright. So this feature is only available in version >= 0.5.0
so update to that. Be sure to check the changelog: https://github.com/supertokens/supertokens-web-js/blob/master/CHANGELOG.md
you would also need to update the backend sdk as mentioned in the above changlog
so be sure to checkout the changelog of the backend sdk as well
r
ronflai
03/09/2023, 1:24 PMOk thanks I'll try
I have a new error saying st-auth-mode is not allowed in Access-Control-Expose-Headers is it normal ? do I have to manually change the Access-Control-Expose-Headers ?
r
rp
03/09/2023, 2:54 PMNo. Just update the backend SDK as well
r
ronflai
03/09/2023, 3:09 PMYeah that what I did but still I have this issue
r
rp
03/09/2023, 3:10 PMCan I see the error on the browser console?
And what are the response headers for the OPTIONS api call? And for the subsequent POST API call (if that happens)
r
ronflai
03/09/2023, 3:21 PMresponse header from api option call
access-control-allow-credentials: true
access-control-allow-headers: Content-Type,X-Amz-Date,Authorization,X-Api-Key,X-Amz-Security-Token,anti-csrf,rid,fdi-version
access-control-allow-methods: OPTIONS,DELETE,GET,HEAD,PATCH,POST,PUT
access-control-allow-origin: http://localhost:3001
content-length: 1
content-type: application/json
date: Thu, 09 Mar 2023 15:19:35 GMT
via: 1.1 8cea2743cbaa04c70ebc2ec4f5892fa6.cloudfront.net (CloudFront)
x-amz-apigw-id: BhPZNFNFliAFYPA=
x-amz-cf-id: WEmof5X7ZtZWyyf6IHPrriP5E-lhMZ7rlrXyohwZ_jegi43mPcRmyQ==
x-amz-cf-pop: CDG52-P4
x-amzn-requestid: 91db72e8-86d0-4f7c-9aa4-439b931ea796
x-cache: Miss from cloudfrontr
rp
03/09/2023, 3:21 PMRight, so you need to add st-auth-mode header to AWS CORS setting too. Similar to how you added rid
r
ronflai
03/09/2023, 3:30 PMOh yes you right I forgot about that
I see that now we have st-xxx cookies for access token and refresh token but the access token has a validity of several days instead of 1 hour as before
so there is no refresh mechanism ?
r
rp
03/09/2023, 6:02 PMthere is
the access token cookie saved in storage is saved for a long time, but the token's expiry itself is just 1 hour
so even if the token is sent to the backend and it's been more than an hour, the backend will reject it and trigger a refresh flow.
r
ronflai
03/09/2023, 6:07 PMok so the expiration is in your system right ?
r
rp
03/09/2023, 6:07 PMYes
r
ronflai
03/09/2023, 6:20 PMOk thank for the clarifications, I also noticed that the
attemptRefreshingSession()r
rp
03/09/2023, 6:22 PMright yea. Cause the st-access-token needs to be there for it to work (this is an implementation detail). But even if the access token has expired, st-access-token will still be there resulting in
attemptRefreshingSessionthe only time it will break is if you manually clear the st-access-token (Which is what i assume you did right now)
r
ronflai
03/09/2023, 6:22 PMyes indeed I'm testing flow
again thanks for the clarifications
and in which case the
attemptRefreshingSessionr
rp
03/09/2023, 6:23 PMwhen the user is completely logged out
r
ronflai
03/09/2023, 6:24 PMalright gotcha ! Thanks
r
rp
03/09/2023, 6:24 PMi.e., no access token, no refresh token and also
st-last-access-token-update