supertokens-node
Advanced tools
Changelog
[17.1.0] - 2024-04-25
olderCookieDomain
config option in the session recipe. This will allow users to clear cookies from the older domain when the cookieDomain
is changed.verifySession
detects multiple access tokens in the request, it will return a 401 error, prompting a refresh, even if one of the tokens is valid.refreshPOST
(/auth/session/refresh
by default) API changes:
config.olderCookieDomain
is not set.olderCookieDomain
is specified and multiple refresh/access token cookies exist, without updating the front-token or any of the tokens.This update addresses an edge case where changing the cookieDomain
config on the server can lead to session integrity issues. For instance, if the API server URL is 'api.example.com' with a cookie domain of '.example.com', and the server updates the cookie domain to 'api.example.com', the client may retain cookies with both '.example.com' and 'api.example.com' domains, resulting in multiple sets of session token cookies existing.
Previously, verifySession would select one of the access tokens from the incoming request. If it chose the older cookie, it would return a 401 status code, prompting a refresh request. However, the refreshPOST
API would then set new session token cookies with the updated cookieDomain
, but older cookies will persist, leading to repeated 401 errors and refresh loops.
With this update, verifySession will return a 401 error if it detects multiple access tokens in the request, prompting a refresh request. The refreshPOST
API will clear cookies from the old domain if olderCookieDomain
is specified in the configuration, then return a 200 status. If olderCookieDomain
is not configured, the refreshPOST
API will return a 500 error with a message instructing to set olderCookieDomain
.
Example:
apiDomain
: 'api.example.com'cookieDomain
: 'api.example.com'Flow:
domain=api.example.com
, but the access token has expired.cookieDomain
to .example.com
.domain=api.example.com
) results in a 401 response.domain=.example.com
.olderCookieDomain
is not set, the refresh fails with a 500 error. - The user remains stuck until they clear cookies manually or olderCookieDomain
is set. - If olderCookieDomain
is set, the refresh clears the older cookie, returning a 200 response. - The frontend retries the original API call, sending only the new cookie (domain=.example.com
), resulting in a successful request.Changelog
[17.0.7] - 2024-05-03
no-cache
header when querying core, so that frameworks like NextJS don't cache GET requests (https://nextjs.org/docs/app/building-your-application/caching#data-cache)Changelog
[17.0.6] - 2024-05-02
Changelog
[17.0.5] - 2024-04-25
.local
: https://github.com/supertokens/supertokens-node/issues/823Changelog
[17.0.4] - 2024-04-09
resyncSessionAndFetchMFAInfoPUT
will throw if the user is in a stuck state, because they are required to complete factors, but they are not allowed to because of some configuration issue.Changelog
[17.0.3] - 2024-04-08
Passwordless
:
createCodePOST
where the flowtype wasn't appropriately set in some MFA casesfirstFactors
config of the MultiFactorAuth
recipe in createCodePOST
resendCodePOST
where the email/text message included a magic link when it shouldn't have in some MFA casesChangelog
[17.0.2] - 2024-03-20
getTenantLoginMethodsInfo
dashboard API to remove querying core in loop and return only firstFactors.Changelog
[17.0.1] - 2024-03-08