Using the verifySession middleware

Requiring an active session#

For your APIs that require a user to be logged in, use the verifySession middleware:

NodeJS
GoLang
Python

let { verifySession } = require("supertokens-node/recipe/session/framework/express");let { SessionRequest } = require("supertokens-node/framework/express");
app.post("/like-comment", verifySession(), (req: SessionRequest, res) => {    let userId = req.session!.getUserId();     //....});

let { verifySession } = require("supertokens-node/recipe/session/framework/hapi");let { SessionRequest } = require("supertokens-node/framework/hapi");
server.route({    path: "/like-comment",    method: "post",    options: {        pre: [            {                method: verifySession()            },        ],    },    handler: async (req: SessionRequest, res) => {        let userId = req.session!.getUserId();        //...    }})

let { verifySession } = require("supertokens-node/recipe/session/framework/fastify");let { SessionRequest } = require("supertokens-node/framework/fastify");
fastify.post("/like-comment", {    preHandler: verifySession(),}, (req: SessionRequest, res) => {    let userId = req.session!.getUserId();    //....});

let { verifySession } = require("supertokens-node/recipe/session/framework/awsLambda");let { SessionEventV2 } = require("supertokens-node/framework/awsLambda");
async function likeComment(awsEvent: SessionEventV2, _) => {    let userId = awsEvent.session!.getUserId();    //....});
exports.handler = verifySession(likeComment);

let { verifySession } = require("supertokens-node/recipe/session/framework/koa");let { SessionContext } = require("supertokens-node/framework/koa");
router.post("/like-comment", verifySession(), (ctx: SessionContext, next) => {    let userId = ctx.session!.getUserId();    //....});

import { verifySession } from "supertokens-node/recipe/session/framework/loopback";import Session from "supertokens-node/recipe/session";let { SessionContext } = require("supertokens-node/framework/loopback");
class LikeComment {    constructor(@inject(RestBindings.Http.CONTEXT) private ctx: MiddlewareContext) {}    @post("/like-comment")    @intercept(verifySession())    @response(200)    handler() {        let userId = (this.ctx as SessionContext).session!.getUserId();        //....    }}

import { superTokensNextWrapper } from 'supertokens-node/nextjs'import { verifySession } from "supertokens-node/recipe/session/framework/express";import { SessionRequest } = from "supertokens-node/framework/express";
export default async function likeComment(req, res) {    await superTokensNextWrapper(        async (next) => {            await verifySession()(req, res, next);        },        req,        res    )
    let userId = (req as SessionRequest).session!.getUserId();     //....}

@Controller()export class ExampleController {  @Post('example')  @UseGuards(AuthGuard) // For more information about this guard please read our NestJS guide.  async postExample(@Request() req, @Session() session, @Response({passthrough: true}) res): Promise<boolean> {    let userId = session.getUserId();
    //....  }}

Chi
net/http
Gin
Mux

func main() {    // Wrap the API handler in session.VerifySession    session.VerifySession(nil, likeCommentAPI).ServeHTTP(rw, r)}
func likeCommentAPI(w http.ResponseWriter, r *http.Request) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(r.Context())
    userID := sessionContainer.GetUserID()}

func main() {    // Wrap the API handler in session.VerifySession    router.POST("/likecomment", verifySession(nil), likeCommentAPI)}
// This is a function that wraps the supertokens verification function// to work the ginfunc verifySession(options *sessmodels.VerifySessionOptions) gin.HandlerFunc {    return func(c *gin.Context) {        session.VerifySession(options, func(rw http.ResponseWriter, r *http.Request) {            c.Request = c.Request.WithContext(r.Context())            c.Next()        })(c.Writer, c.Request)        // we call Abort so that the next handler in the chain is not called, unless we call Next explicitly        c.Abort()    }}
func likeCommentAPI(c *gin.Context) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(c.Request.Context())
    userID := sessionContainer.GetUserID()}

func main() {    // Wrap the API handler in session.VerifySession    r.Post("/likecomment", session.VerifySession(nil, likeCommentAPI))}
func likeCommentAPI(w http.ResponseWriter, r *http.Request) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(r.Context())
    userID := sessionContainer.GetUserID()}

func main() {    // Wrap the API handler in session.VerifySession    router.HandleFunc("/likecomment", session.VerifySession(nil, likeCommentAPI)).Methods(http.MethodPost)}
func likeCommentAPI(w http.ResponseWriter, r *http.Request) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(r.Context())
    userID := sessionContainer.GetUserID()}

FastAPI
Flask
Django

from supertokens_python.recipe.session.framework.fastapi import verify_sessionfrom supertokens_python.recipe.session import Session
@app.post('/update-jwt')async def update_jwt(session: Session = Depends(verify_session())):    user_id = session.user_id()


from supertokens_python.recipe.session.framework.flask import verify_session
@app.route('/update-jwt', methods=['POST'])@verify_session()def update_jwt():    session = g.supertokens
    user_id = session.user_id()

from supertokens_python.recipe.session.framework.django.asyncio import verify_session
@verify_session()async def update_jwt(request):    session = request.supertokens
    user_id = session.user_id()

The `session` object#

This object exposes the following functions:

getHandle: Returns the sessionHandle for this session. This is a constant, unique string per session that never changes for its session.
getUserId: Returns the userId of logged in user
getSessionData: Returns the session data (stored in the db) that is associated with the session
updateSessionData: Set a new JSON object to the session data (stored in the db)
getAccessTokenPayload: Returns the access token's payload for this session.
updateAccessTokenPayload: Set a new JSON object in the access token (Also available on the frontend)
revokeSession: Destroys this session in the db and on the frontend
getTimeCreated: Returns the time in milliseconds of when this session was created
getExpiry: Returns the time in milliseconds of when this session will expire if not refreshed.
getAccessToken: Returns the raw string access token

Optional session verification#

Sometimes, you want an API to be accessible even if there is no session. In that case, you can use the sessionRequired flag:

NodeJS
GoLang
Python

let { verifySession } = require("supertokens-node/recipe/session/framework/express");let { SessionRequest } = require("supertokens-node/framework/express");
app.post("/like-comment",     verifySession({sessionRequired: false}),     (req: SessionRequest, res) => {        if (req.session !== undefined) {            let userId = req.session.getUserId();        } else {            // user is not logged in...        }    });

let { verifySession } = require("supertokens-node/recipe/session/framework/hapi");let { SessionRequest } = require("supertokens-node/framework/hapi");

server.route({    path: "/like-comment",    method: "post",    options: {        pre: [            {                method: verifySession({sessionRequired: false})            },        ],    },    handler: async (req: SessionRequest, res) => {        if (req.session !== undefined) {            let userId = req.session.getUserId();        } else {            // user is not logged in...        }    }})

let { verifySession } = require("supertokens-node/recipe/session/framework/fastify");let { SessionRequest } = require("supertokens-node/framework/fastify");
fastify.post("/like-comment", {    preHandler: verifySession({sessionRequired: false}),}, (req: SessionRequest, res) => {    if (req.session !== undefined) {        let userId = req.session.getUserId();    } else {        // user is not logged in...    }});

let { verifySession } = require("supertokens-node/recipe/session/framework/awsLambda");let { SessionEventV2 } = require("supertokens-node/framework/awsLambda");
async function likeComment(awsEvent: SessionEventV2, _) => {    if (awsEvent.session !== undefined) {        let userId = awsEvent.session.getUserId();    } else {        // user is not logged in...    }});
exports.handler = verifySession(likeComment, {sessionRequired: false});

let { verifySession } = require("supertokens-node/recipe/session/framework/koa");let { SessionContext } = require("supertokens-node/framework/koa");
router.post("/like-comment",    verifySession({sessionRequired: false}),    (ctx: SessionContext, next) => {        if (ctx.session !== undefined) {            let userId = ctx.session.getUserId();        } else {            // user is not logged in...        }    });

import { verifySession } from "supertokens-node/recipe/session/framework/loopback";import Session from "supertokens-node/recipe/session";import { SessionContext } from "supertokens-node/framework/loopback";
class LikeComment {    constructor(@inject(RestBindings.Http.CONTEXT) private ctx: MiddlewareContext) {}    @post("/like-comment")    @intercept(verifySession({sessionRequired: false}))    @response(200)    handler() {        let session = (this.ctx as SessionContext).session;        if (session !== undefined) {            let userId = session.getUserId();        } else {            // user is not logged in...        }    }}

import { superTokensNextWrapper } from 'supertokens-node/nextjs'import { verifySession } from "supertokens-node/recipe/session/framework/express";import { SessionRequest } = from "supertokens-node/framework/express";
export default async function likeComment(req, res) {    await superTokensNextWrapper(        async (next) => {            await verifySession({sessionRequired: false})(req, res, next);        },        req,        res    )
    let session = (req as SessionRequest).session;
    if (session !== undefined) {        let userId = session.getUserId();        // session exists    } else {        // session doesn't exist    }    //....}

@Controller()export class ExampleController {  @Post('example')  @UseGuards(OptionalAuthGuard) // For more information about this guard please read our NestJS guide.  async postExample(@Request() req, @Session() session, @Response({passthrough: true}) res): Promise<boolean> {    if (session !== undefined) {        let userId = session.getUserId();        // session exists    } else {        // session doesn't exist    }
    //....  }}

Chi
net/http
Gin
Mux

func main() {    // Wrap the API handler in session.VerifySession    sessionRequired := false    session.VerifySession(&sessmodels.VerifySessionOptions{        SessionRequired: &sessionRequired,    }, likeCommentAPI).ServeHTTP(rw, r)}
func likeCommentAPI(w http.ResponseWriter, r *http.Request) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(r.Context())
    userID := sessionContainer.GetUserID()}

func main() {    // Wrap the API handler in session.VerifySession    sessionRequired := false    router.POST("/likecomment", verifySession(&sessmodels.VerifySessionOptions{        SessionRequired: &sessionRequired,    }), likeCommentAPI)}
// This is a function that wraps the supertokens verification function// to work the ginfunc verifySession(options *sessmodels.VerifySessionOptions) gin.HandlerFunc {    return func(c *gin.Context) {        session.VerifySession(options, func(rw http.ResponseWriter, r *http.Request) {            c.Request = c.Request.WithContext(r.Context())            c.Next()        })(c.Writer, c.Request)        // we call Abort so that the next handler in the chain is not called, unless we call Next explicitly        c.Abort()    }}
func likeCommentAPI(c *gin.Context) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(c.Request.Context())
    userID := sessionContainer.GetUserID()}

func main() {    // Wrap the API handler in session.VerifySession    sessionRequired := false    r.Post("/likecomment", session.VerifySession(&sessmodels.VerifySessionOptions{        SessionRequired: &sessionRequired,    }, likeCommentAPI))}
func likeCommentAPI(w http.ResponseWriter, r *http.Request) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(r.Context())
    userID := sessionContainer.GetUserID()}

func main() {    // Wrap the API handler in session.VerifySession    sessionRequired := false    router.HandleFunc("/likecomment", session.VerifySession(&sessmodels.VerifySessionOptions{        SessionRequired: &sessionRequired,    }, likeCommentAPI)).Methods(http.MethodPost)}
func likeCommentAPI(w http.ResponseWriter, r *http.Request) {    // retrieve the session object as shown below    sessionContainer := session.GetSessionFromRequestContext(r.Context())
    userID := sessionContainer.GetUserID()}

FastAPI
Flask
Django

from supertokens_python.recipe.session.framework.fastapi import verify_session
@app.post('/update-jwt')async def update_jwt(session: Session = Depends(verify_session(session_required=False))):    if session is not None:        user_id = session.get_user_id()    else:        # user is not logged in


from supertokens_python.recipe.session.framework.flask import verify_session
@app.route('/update-jwt', methods=['POST'])@verify_session(session_required=False)def update_jwt():    session = g.supertokens
    if session is not None:        user_id = session.get_user_id()    else:        # user is not logged in

from supertokens_python.recipe.session.framework.django.asyncio import verify_session
@verify_session(session_required=False)async def update_jwt(request):    session = request.supertokens        if session is not None:        user_id = session.get_user_id()    else:        # user is not logged in

Requiring an active session#

The session object#

Optional session verification#

The `session` object#