important
This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
Pre built UITreat Authorization header as empty if it doesn't contain a SuperTokens token
Status
This is just a proposal so far, it hasn't been accepted and needs further discussion.
- Status:
- proposed
- Deciders:
- rishabhpoddar, porcellus
- Proposed by:
- porcellus
- Created:
- 2022-10-25
Context and Problem Statement#
People could try and call an API protected by verifySession with an access token from another provider (e.g.: during migration)
Considered Options#
- Keep try refresh token
- Return UNAUTHORISED without clearing cookies
- Handle it as if it was not sent
Decision Outcome#
Handle it as if it was not sent, because:
- Devs could try to attach an Authorization header meant for a different middleware - we can just use our own cookies if they exist
- This is the way we handled things before adding header based auth - this way it can keep working the same for people who don't opt into using headers
This means:
- We fall back to cookies if we detect the Authorization header contains anything that is not our accesstoken
- If cookies don't exist we return TRY_REFRESH_TOKEN
- If cookies exist we go through the usual validation steps
