getSession
getSession(req, res, enableCsrfProtection)
Parameters
req- type:
Express.Request
- type:
res- type:
Express.Response
- type:
enableCsrfProtection- type:
boolean - description: If
enable_anti_csrf(in the SuperTokens config.yaml) is set to false, this value will be considered as false even if value true is passed
- type:
Returns
Promise<Session>on successful verification of a session. To know more about theSessionobject, click here
Throws
- GENERAL_ERROR
- UNAUTHORISED
- This is thrown if a session does not exist, or has been revoked (if blacklisting is switched on).
- When this is thrown, all the relevant auth cookies are cleared by this function call, so you can redirect the user to a login page.
- TRY_REFRESH_TOKEN
- This will be thrown if JWT verification fails. This happens, for example, if the token has expired or the JWT signing key has changed.
- This will be thrown if CSRF protection is on and anti-csrf token is missing or invalid.
- When this is thrown, none of the auth cookies are removed - you should return a session expired status code which will instruct your frontend to call the refresh token API endpoint.
Additional information
- Verifies the current session using the req object.
- This function will mostly never require an I/O operation since we are using JWT access tokens (assuming that blacklisting is disabled).
- If
enableCsrfProtectionis true andenable_anti_csrf(in the SuperTokens config.yaml) is set to true, this function also provides CSRF protection. We strongly recommend that you set it to true for any non-GET API that requires user auth (except for the refresh session API). - May change the access token - but this is taken care of by this function and our frontend SDKs. You do need to worry about handling this.
getSession(accessToken, antiCsrfToken, doAntiCsrfCheck, idRefreshToken)
Parameters
accessToken- type:
string
- type:
antiCsrfToken- type:
string OR undefined - Pass undefined if you do not want to have CSRF protection for this auth call.
- If
enable_anti_csrf(in the SuperTokens config.yaml) is set to false, this value will be considered as undefined even if a string value is passed
- type:
doAntiCsrfCheck- type:
boolean
- type:
idRefreshToken- type:
string OR undefined
- type:
Returns
Promise{
session: {
handle: string;
userId: string;
userDataInJWT: any;
};
accessToken?: {
token: string;
expiry: number;
createdTime: number;
cookiePath: string;
cookieSecure: boolean;
domain: string;
};
}>
Throws
- GENERAL_ERROR
- UNAUTHORISED
- This is thrown if a session does not exist, or has been revoked (if blacklisting is switched on).
- When this is thrown, please be sure to remove all relevant auth cookies and redirect the user to a login page. See the Error Handling section for more information.
- TRY_REFRESH_TOKEN
- This will be thrown if JWT verification fails. This happens, for example, if the token has expired or the JWT signing key has changed.
- This will be thrown if CSRF protection is on and anti-csrf token is missing or invalid.
- When this is thrown, none of the auth cookies are removed - you should return a session expired status code which will instruct your frontend to call the refresh token API endpoint. Do not remove any auth cookie here. Our frontend SDKs takes care of this for you in most cases.
Additional information
- This function will mostly never require an I/O operation since we are using JWT access tokens (assuming that blacklisting is disabled).
- Verifies the current session using input tokens.
- If
antiCsrfTokenis not undefined andenable_anti_csrf(in the SuperTokens config.yaml) is set to true, it also provides CSRF protection. We strongly recommend that you use this feature for all your non-GET APIs (except for the refresh session API).