important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Auth-mode should be set to the configured preference

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status: proposed
Deciders: rishabhpoddar, porcellus
Proposed by: porcellus
Created: 2022-11-22

Context and Problem Statement

  • As per this decision, active sessions can't change auth-methods, even through refreshing.
  • As per this decision, the backend ignores the contents of the auth-mode header in verifySession.

Now we need to decide what to do if the preference set in the frontend config doesn't match the active session.

Considered Options

  • Skip attaching the auth-mode to requests
  • Always send the auth-mode preference set in the config
  • Auth-mode should be set to the mode of the active session if present and the configured value otherwise

Decision Outcome

Always send the auth-mode preference set in the config. Reasons:

  • We only use the auth-mode header to decide the token transfer method of new sessions
  • It signifies the preference of the frontend; it doesn't mean that the backend will respect it
  • Since both getSession and refreshSession ignore it, it's safe to attach to every request
  • We should attach it to every request, because then this information will get to createNewSession in every case
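
The decision above, modelled in memory as an added example (this is not SuperTokens SDK code). The `Backend` class, `attachAuthMode`, the `tokenTransferMethod` config key, the `cookie`/`header` values and the `cookie` fallback are assumptions made for the illustration; the header name follows the page's wording.

```javascript
// Added illustration: an in-memory model, not SuperTokens SDK code.
const AUTH_MODE_HEADER = "auth-mode"; // header name as worded on the page
const ALLOWED = new Set(["cookie", "header"]); // assumed preference values

// Frontend: always attach the configured preference, whatever the active session uses.
function attachAuthMode(request, config) {
  const headers = { ...request.headers, [AUTH_MODE_HEADER]: config.tokenTransferMethod };
  return { ...request, headers };
}

class Backend {
  constructor() {
    this.sessions = new Map();
    this.nextId = 1;
  }
  // The only place the header is read; unknown values fall back to an assumed default.
  createNewSession(request) {
    const preferred = request.headers[AUTH_MODE_HEADER];
    const method = ALLOWED.has(preferred) ? preferred : "cookie";
    const handle = `s${this.nextId++}`;
    this.sessions.set(handle, { method });
    return { handle, method };
  }
  // Verification looks only at the stored session, never at the header.
  getSession(request, handle) {
    const session = this.sessions.get(handle);
    if (!session) throw new Error("unknown session");
    return { handle, method: session.method };
  }
  // Refreshing keeps the method the session was created with.
  refreshSession(request, handle) {
    return this.getSession(request, handle);
  }
}

// Constructed scenario: the frontend config changes while a session is active.
function runScenario() {
  const backend = new Backend();
  const send = (cfg) => attachAuthMode({ headers: {} }, cfg);
  const first = backend.createNewSession(send({ tokenTransferMethod: "cookie" }));
  const changed = { tokenTransferMethod: "header" };
  const verified = backend.getSession(send(changed), first.handle);
  const refreshed = backend.refreshSession(send(changed), first.handle);
  const second = backend.createNewSession(send(changed));
  return [first.method, verified.method, refreshed.method, second.method];
}

console.log(runScenario());
```

The existing session stays on the method it was created with through verification and refresh, and only the newly created session picks up the changed preference.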