Customize error handling
Overview
The following page shows the errors that the SuperTokens Session recipe throws and how you can customize them.
Unauthorised error
The system generates the error when someone accesses a protected backend API without a session. The default behavior is to clear session tokens (if any) and send a 401 to the frontend.
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
SuperTokens.init({
supertokens: {
connectionURI: "...",
},
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
Session.init({
errorHandlers: {
onUnauthorised: async (message, request, response, userContext) => {
// TODO: Write your own logic and then send a 401 response to the frontend
},
}
})
]
});
Invalid claim error
The system generates the error when someone accesses a protected backend API with a session that doesn't pass the claim validators. The default behavior is to send a 403 to the frontend with the errors included in the body.
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
SuperTokens.init({
supertokens: {
connectionURI: "...",
},
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
Session.init({
errorHandlers: {
onInvalidClaim: async (validatorErrors, request, response, userContext) => {
// TODO: Write your own logic and then send a 403 response to the frontend
},
}
})
]
});
Token theft detected error
The system generates the error when the system detects a session hijacking attempt. This happens through the use of rotating refresh tokens. The default behavior is to revoke the session and send a 401 to the frontend.
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
SuperTokens.init({
supertokens: {
connectionURI: "...",
},
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
Session.init({
errorHandlers: {
onTokenTheftDetected: async (sessionHandle, userId, req, res, userContext) => {
// TODO: Write your own logic and then send a 401 response to the frontend
},
}
})
]
});
Try refresh token error
Thrown when the access token expires or is invalid. The session refresh endpoint can also throw this if multiple access tokens are present in the request cookies. The default behavior is to send a 401 to the frontend.
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
SuperTokens.init({
supertokens: {
connectionURI: "...",
},
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
Session.init({
errorHandlers: {
onTryRefreshToken: async (message, request, response, userContext) => {
// TODO: Write your own logic and then send a 401 response to the frontend
},
}
})
]
});
Clear duplicate session cookies error
Thrown when the refresh session API clears session cookies from the olderCookieDomain because it found multiple access tokens in the request cookies. See this issue for more information. The default behavior is to send a 200 to the frontend.
import SuperTokens from "supertokens-node";
import Session from "supertokens-node/recipe/session";
SuperTokens.init({
supertokens: {
connectionURI: "...",
},
appInfo: {
apiDomain: "...",
appName: "...",
websiteDomain: "..."
},
recipeList: [
Session.init({
errorHandlers: {
onClearDuplicateSessionCookies: async (message, request, response, userContext) => {
// TODO: Write your own logic and then send a 200 response to the frontend
},
}
})
]
});