-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Possible reasons why session doesn't work (for debugging user's app) #68
Comments
Hi there, not sure if this is the right place to inquire but I'm wondering what to do in this case:
i.e my web app is served on app.example.com and my API is available on api.example.com |
@snipebin |
Appinfo config related issues
|
Please see supertokens/supertokens-core#1044 instead |
Please see this instead: supertokens/supertokens-core#1044
When using cookie based auth
Access-Control-Expose-Headers
not set properly - which prevents frontend from reading the id-refresh-token, which prevents setting that state on the frontend.Access-Control-Expose-Headers
set to*
- which prevents frontend from reading the front-token, which prevents setting that state on the frontend. Even though it's star, it won't work cause of using credentials.api.example.com
and website is not on*.example.com
and not onexample.com
), so Safari will not send cookies even if sameSite isnone
. Switch to using header based auth.node-fetch
instead of browser fetch even on client side. People might be using node-fetch for server side rendering and then not realising that they are using that for client as well. Our interceptors are added to window.fetch so their node-fetch wouldn't get the interceptors added, preventing a call to the refresh API.credentials: "same-origin",
to the headers for that lib, the cookies won't be sent.CookieManager.clearAllCookies
or they might be manually adding cookies while replacing existing ones.verifySession
returns 403, and the response containsclaimValidationErrors: id: st-ev
, this means that the user needs to go through the email verification flowFailed to retrieve local session state from cookies after a successful session refresh. This indicates a configuration error or that the browser is preventing cookie writes.
res.setHeader('Cache-Control', 'no-cache, no-store, max-age=0, must-revalidate');
to your apis.rid,fdi-version,anti-csrf,st-auth-mode
to the existingAccess-Control-Allow-Headers
in the API gateway settingsThe "listener" argument must be of type function. Received an instance of Object
, then see this thread: https://discord.com/channels/603466164219281420/1278371807925108791/1278371807925108791on the frontend, then it is most likely due to a misconfig of the
sessionTokenFrontendDomain` (if you have set it). Either remove that config, or set it to a value that has the same top level domain as the current browser url.Access-Control-Expose-Headers
does not containfront-token
The text was updated successfully, but these errors were encountered: