important
This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
supertokens-auth-reactSession verification should check headers then cookies
Status
This is just a proposal so far, it hasn't been accepted and needs further discussion.
- Status:
- proposed
- Deciders:
- rishabhpoddar, porcellus
- Proposed by:
- porcellus
- Created:
- 2022-10-25
- Last updated:
- 2022-11-24
Context and Problem Statement#
If the FE sends a request using the wrong authentication method (e.g.: using headers instead of cookies), it could mean:
- There is an old session present on the FE
- Our SDK is outdated on the FE
- Manual requests (SSR)
- Postman without appropriate headers
Depends on default auth mode decision 0003
Example usecases:
- Browser w/ SDK
Browser w/ old SDK(we require sync update of FE and BE)Browser wo/ SDK(we are not optimizing for this, but basically the same as Postman)- Mobile apps w/ SDK
- Mobile apps wo/ SDK
- CLI
- M2M
SSR (same as M2M)- Postman (basically CLI w/ cookie storage)
Native/desktop apps(same as mobile apps)E2E testing(Same as mobile without SDK)Browser extension w/ SDK(same as browser w/ SDK + some customization)- Migration (from other services using
Authorizationheader with a JWT)
These can be reduced to two things:
- Access to our FE SDK
- Built-in cookie support
Considered Options#
- Reject
- Allow fallback
- Allow fallback if rid header not set
- Allow fallback if auth mode header not set
- Session verification should check headers then cookies
Decision Outcome#
Session verification should check headers then cookies:
- If idRefreshToken is present, we reject with
TRY_REFRESH_TOKEN - Headers is the default method as per this decision
- Make sure that updating the access token updates in the fallback case use the same as the incoming request. (e.g: if we read a session from cookies then
updateAccessTokenPayloadshould update the cookies, not headers)
Expected behaviour as a table#
| getTokenTransferMethod | sessionRequired | Authorization header | Access token cookie | Output |
|---|---|---|---|---|
| * | false | none | none | undefined |
| cookie | false | exists | none | undefined |
| header | false | none | exists | undefined |
| * | true | none | none | UNAUTHORISED |
| cookie | true | exists | none | UNAUTHORISED |
| header | true | none | exists | UNAUTHORISED |
| any | * | exists | exist | Based on session validation of header |
| header | * | exists | exist | Based on session validation of header |
| cookie | * | exists | exist | Based on session validation of cookie |
| any | * | exists | none | Based on session validation of header |
| header | * | exists | none | Based on session validation of header |
| any | * | none | exists | Based on session validation of cookie |
| cookie | * | none | exists | Based on session validation of cookie |
- Also check this decision: Treat Authorization header as empty if it doesn't contain a SuperTokens token
- Also check this decision: Optional session verification should throw TRY_REFRESH_TOKEN errors
Pros and Cons of the Options#
Reject#
Allow fallback#
Allow fallback if rid header not set#
Allow fallback if auth mode header not set#
Session verification should check headers then cookies#
Meaning, it always uses fallback, ignoring the auth mode header