3. Session verification / Building your APIs
CAUTION
This guide only applies to scenarios which involve SuperTokens Session Access Tokens.
If you are implementing either Unified Login or Microservice Authentication, both of which use OAuth2 access tokens rather than session access tokens, see the separate page that shows how to verify those tokens.
When building your own APIs, you may need to verify the user's session before proceeding. The SuperTokens SDK exposes a verifySession function for this. In this guide, we create a GET /user route that returns the current session's information.
1. Add a GET /user route in your API Gateway
Create a /user resource and then a GET method on it in your API Gateway. Configure the Lambda integration and CORS just as you did for the auth routes.
2. Create a file in your Lambda to handle the /user route.
An example of this (user.mjs, which index.mjs imports below) is here:
    import supertokens from "supertokens-node";
    import { getBackendConfig } from "./config.mjs";
    import { SessionEvent } from "supertokens-node/framework/awsLambda";
    import { verifySession } from "supertokens-node/recipe/session/framework/awsLambda";
    import middy from "@middy/core";
    import cors from "@middy/http-cors";
    // The Lambda event type comes from @types/aws-lambda (import was missing above).
    import { APIGatewayAuthorizerEvent } from "aws-lambda";

    // Every Lambda that verifies sessions must initialise the SDK itself.
    supertokens.init(getBackendConfig());

    // SessionEvent adds the `session` field that verifySession populates.
    type AuthorizerEvent = SessionEvent & APIGatewayAuthorizerEvent;

    const lambdaHandler = async (event: AuthorizerEvent) => {
        // verifySession has already answered 401 if no valid session was
        // presented, so by the time we get here event.session is set.
        return {
            body: JSON.stringify({
                sessionHandle: event.session?.getHandle(),
                userId: event.session?.getUserId(),
                accessTokenPayload: event.session?.getAccessTokenPayload(),
            }),
            statusCode: 200,
        };
    };

    // verifySession wraps the handler; middy adds the CORS headers (credentials: true
    // is required for cookie-based sessions) and rethrows any other error so the
    // Lambda invocation fails instead of returning a half-built response.
    export const handler = middy(verifySession(lambdaHandler))
        .use(
            cors({
                origin: getBackendConfig().appInfo.websiteDomain,
                credentials: true,
                headers: ["Content-Type", ...supertokens.getAllCORSHeaders()].join(", "),
                methods: "OPTIONS,POST,GET,PUT,DELETE",
            })
        )
        .onError((request) => {
            throw request.error;
        });
Now import this function in your index.mjs handler file as shown below:
    import supertokens from "supertokens-node";
    import { middleware } from "supertokens-node/framework/awsLambda";
    import { getBackendConfig } from "./config.mjs";
    import middy from "@middy/core";
    import cors from "@middy/http-cors";
    import { handler as userHandler } from "./user.mjs";

    supertokens.init(getBackendConfig());

    export const handler = middy(
        // The SuperTokens middleware serves the auth routes itself and hands every
        // other request to this function (event.path is the REST API proxy path).
        middleware(async (event, context) => {
            if (event.path === "/user") {
                // userHandler is itself a middy handler, so forward the Lambda context too.
                return userHandler(event, context);
            }
            return {
                body: JSON.stringify({
                    msg: "Hello!",
                }),
                statusCode: 200,
            };
        })
    )
        .use(
            cors({
                origin: getBackendConfig().appInfo.websiteDomain,
                credentials: true,
                headers: ["Content-Type", ...supertokens.getAllCORSHeaders()].join(", "),
                methods: "OPTIONS,POST,GET,PUT,DELETE",
            })
        )
        .onError((request) => {
            throw request.error;
        });
The verifySession middleware automatically returns a 401 Unauthorised response if the session is missing or invalid, so the wrapped handler only ever runs with a valid session. You can change this by passing { sessionRequired: false } as the second argument to verifySession: the handler then also runs for requests that carry no session at all, with event.session undefined, so it must check for that before using the session. A request that does present a session token which fails verification (for example an expired access token) still receives a 401.
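As an added example (not SuperTokens' or this page's own code), here is a deny-by-default route table for the single-Lambda layout above, in TypeScript. The session check is injected so the file runs offline: demoVerify is a stand-in for verifySession that accepts one constructed bearer token, and the event, session and route types are assumed minimal shapes, not the SDK's. It shows a required-session route (the 401 path), an optional-session route that handles event.session being undefined, and a 404/405 refusal for anything not listed in the table.

```typescript
// Added example (not SuperTokens' or the page's own code): a deny-by-default
// route table for one Lambda that fronts several API Gateway routes. The session
// check is injected so this file runs offline; in a deployment `verify` would be
// SuperTokens' verifySession and the handlers the page's lambdaHandler.

// Minimal slice of an API Gateway proxy event plus the `session` that the
// verification wrapper attaches (assumed shape for this example).
interface DemoSession {
  getUserId(): string;
  getHandle(): string;
}
interface RouteEvent {
  path: string;
  httpMethod: string;
  headers?: Record<string, string>;
  session?: DemoSession; // absent when no session was verified
}
interface Result {
  statusCode: number;
  body: string;
}
type Handler = (event: RouteEvent) => Promise<Result>;

// Same shape as verifySession(handler, { sessionRequired }).
type Verify = (handler: Handler, opts: { sessionRequired: boolean }) => Handler;

interface Route {
  method: string;
  path: string;
  session: "required" | "optional" | "none";
  handler: Handler;
}

// Builds one dispatching handler from an explicit route table. Anything not in
// the table is refused: 405 for a known path with the wrong method, 404 otherwise.
export function buildRouter(routes: Route[], verify: Verify): Handler {
  const table = new Map<string, Handler>();
  for (const r of routes) {
    let h = r.handler;
    if (r.session === "required") h = verify(h, { sessionRequired: true });
    else if (r.session === "optional") h = verify(h, { sessionRequired: false });
    table.set(`${r.method.toUpperCase()} ${r.path}`, h);
  }
  return async (event) => {
    const h = table.get(`${event.httpMethod.toUpperCase()} ${event.path}`);
    if (h !== undefined) return h(event);
    const knownPath = routes.some((r) => r.path === event.path);
    return {
      statusCode: knownPath ? 405 : 404,
      body: JSON.stringify({ error: knownPath ? "method not allowed" : "not found" }),
    };
  };
}

// GET /user with a required session: the wrapper guarantees event.session is set.
export const userHandler: Handler = async (event) => ({
  statusCode: 200,
  body: JSON.stringify({
    userId: event.session!.getUserId(),
    sessionHandle: event.session!.getHandle(),
  }),
});

// GET /greeting with an optional session: must handle event.session === undefined.
export const greetingHandler: Handler = async (event) => ({
  statusCode: 200,
  body: JSON.stringify(
    event.session !== undefined
      ? { msg: `Hello, ${event.session.getUserId()}!` }
      : { msg: "Hello, guest!" }
  ),
});

// Stand-in for verifySession so the example runs offline. It accepts one
// constructed bearer token; the real wrapper validates the signed SuperTokens
// access token (cookie or Authorization header) instead of this lookup.
const demoTokens: Record<string, DemoSession> = {
  "demo-token-alice": { getUserId: () => "alice", getHandle: () => "session-handle-1" },
};
export const demoVerify: Verify = (handler, { sessionRequired }) => async (event) => {
  const headers = event.headers ?? {};
  const key = Object.keys(headers).find((k) => k.toLowerCase() === "authorization");
  const auth = (key !== undefined && headers[key]) || "";
  const token = auth.startsWith("Bearer ") ? auth.slice("Bearer ".length) : "";
  const session = token !== "" ? demoTokens[token] : undefined;
  if (session === undefined && sessionRequired) {
    return { statusCode: 401, body: JSON.stringify({ message: "unauthorised" }) };
  }
  return handler({ ...event, session });
};

export const router = buildRouter(
  [
    { method: "GET", path: "/user", session: "required", handler: userHandler },
    { method: "GET", path: "/greeting", session: "optional", handler: greetingHandler },
  ],
  demoVerify
);
```

The point of the table is that each route states up front whether it needs a session, so a new route cannot silently ship unprotected, and a wrong method or unknown path never reaches a handler at all. Swapping demoVerify for the real verifySession keeps the same shape.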
If each API route has its own Lambda function, you can skip the SuperTokens auth middleware in those functions. Instead, make sure you call supertokens.init and include the Session recipe in the recipeList in each respective Lambda function, since verifySession depends on that initialisation.