important
This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
Introduce a new setting to expose entire access token to FE
Status
This is just a proposal so far, it hasn't been accepted and needs further discussion.
- Status:
- proposed
- Deciders:
- rishabhpoddar, porcellus
- Proposed by:
- porcellus
- Created:
- 2022-12-06
- Last updated:
- 2023-01-02
#
Context and Problem StatementIn the SSR + accessing access token on the frontend (i.e.: websocket) usecase, the user may want to access the entire access token on the FE, but also needs the BE to access them during SSR. To access them on the FE we'd have to use header based auth, but that'd mean that the BE wouldn't have access to it during SSR.
#
Considered Options- Use header-based auth and set cookies for auth on the FE
- Always set cookies (even in header mode)
- Introduce a new auth mode
- Introduce a new setting (
exposeAccessTokenToFrontendInCookieBasedAuth
)
#
Decision OutcomeIntroduce a new setting that will send the access token to the frontend even if using cookie based auth.
- We can use the header we are already using during header based auth
- This will be automatically saved by the FE SDK, we only need to change when the auth header is added (only if both refresh and acces token is present)
- We need to add a new function to make it accessible. (this will work for both header based auth and explicitly exposed access tokens)
- Mention this in web-socket docs
- This should also be set to true by the legacy
jwt: {enable: true }
setting.