authorizer

cookie token expires immediately after login

Open mihaa1 opened this issue 2 years ago • 10 comments

Version: 1.1.70

Describe the bug

Hello, I am using an Authorizer instance deployed on Railway, with React + Express. In production, for some reason, right after login the token is no longer valid and all subsequent requests fail.

My setup:

  • passing the token in the cookie to the backend
  • using getSession() to authenticate and get the user

Note: I didn't get getSession() to work as described in the docs, with a bearer token. I'm passing the cookie to it as below:

const session = await authorizerRef.getSession({
  cookie: `cookie_session=${token}`,
});

Response I'm getting:

[ { message: 'unauthorized', path: [ 'session' ] } ]

Desktop (please complete the following information):

  • OS: Mac
  • Browser: chrome

mihaa1 avatar Oct 25 '23 19:10 mihaa1

@mihaa1 For the backend, the cookie session is not recommended. We refresh the cookie session with the session query for security reasons.

For backend I recommend using access_token.

lakhansamani avatar Oct 26 '23 04:10 lakhansamani

Thanks. Will it make sense to return the token I receive on the server to the client with Set-Cookie?

mihaa1 avatar Oct 26 '23 14:10 mihaa1

@mihaa1 In my project, I have:

  1. Vue3 (Frontend)
  2. Backend (Golang API)
  3. Authorizer (without MFA)

Frontend -> Authorizer

  1. My Frontend (Vue3) logs in directly to Authorizer and gets a Cookie (httpOnly with 365 days expire time) with JSON (access_token, ...etc) from the response.
  2. Now I save the access_token to the store (Pinia).

*** The access_token will only be stored in memory; when you close the browser or tab it will be removed (for security reasons). *** The Cookie that you get from login (it is not removed) now has to be used with

const res = await authorizerRef.getSession();

to get a new access_token.

Backend -> Authorizer

  1. My Backend (Golang API): I create middleware that receives the access_token from the Frontend (Vue3) and sends it to Authorizer to verify the token.
     1.1 Valid token -> do handler
     1.2 Invalid -> return 401

bright-coder avatar Nov 10 '23 20:11 bright-coder

@bright-coder Thank you. Which method do you use on the backend to check the token?

mihaa1 avatar Nov 11 '23 12:11 mihaa1

@mihaa1

Example in Golang SDK:

package middleware

import (
	"slices"
	"strings"

	"github.com/authorizerdev/authorizer-go"
	"github.com/gofiber/fiber/v2"
)

// IsAuth returns a Fiber middleware that expects "Authorization: Bearer <access_token>",
// validates the token against Authorizer and only lets users with the "admin" role through.
// s.authorizerAdatper is the poster's own wrapper that hands out an SDK client.
func (s *jwtAuthorizer) IsAuth() fiber.Handler {
	return func(c *fiber.Ctx) error {
		authHeader := c.Get("Authorization")
		tokenSplit := strings.Split(authHeader, " ")

		if len(tokenSplit) < 2 || tokenSplit[1] == "" {
			return fiber.ErrUnauthorized
		}

		client, err := s.authorizerAdatper.GetClient(map[string]string{})
		if err != nil {
			return fiber.ErrUnauthorized
		}

		res, err := client.ValidateJWTToken(&authorizer.ValidateJWTTokenInput{
			TokenType: authorizer.TokenTypeAccessToken,
			Token:     tokenSplit[1],
		})
		if err != nil || !res.IsValid {
			return fiber.ErrUnauthorized
		}

		// res.Claims["allowed_roles"] => ["users", "admin"]
		// res.Claims["sub"] => uuid
		// Use the two-value type assertion so a missing or malformed claim
		// results in 403 instead of a panic.
		roles, ok := res.Claims["allowed_roles"].([]interface{})
		if !ok || !slices.Contains(roles, "admin") {
			return fiber.ErrForbidden
		}

		c.Locals("user_id", res.Claims["sub"])

		return c.Next()
	}
}

But I don't know the difference between access_token and id_token.

bright-coder avatar Nov 12 '23 16:11 bright-coder

@bright-coder access_token is used for accessing the APIs of Authorizer. You can use id_token for user identity and for authorizing your APIs.

lakhansamani avatar Nov 16 '23 06:11 lakhansamani

@lakhansamani Thank you. I think we should add this to the documentation?

bright-coder avatar Nov 20 '23 04:11 bright-coder

Sure, will add it, thanks 👍

lakhansamani avatar Nov 20 '23 04:11 lakhansamani

@lakhansamani I'm using the following code to authenticate on the backend:

const user = await authorizerRef.getProfile({
  Authorization: `Bearer ${authorization}`,
})

Is this the correct way?

mihaa1 avatar Nov 26 '23 16:11 mihaa1

Yes

lakhansamani avatar Nov 26 '23 16:11 lakhansamani
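The pattern the thread converges on, written for the questioner's React + Express setup as an added example (this is not code from the Authorizer project or from anyone in the thread): the backend accepts the access_token only as `Authorization: Bearer <token>`, never the cookie_session cookie, hands it to a validator, and gates the route on the `allowed_roles` claim. The SDK call itself is injected as `validate(token)` and is assumed to resolve to `{ is_valid, claims }`, mirroring the Go SDK's ValidateJWTToken result shown above; the token table below is constructed so the example runs offline.

```javascript
// Extract the bearer token from an Authorization header; null when missing or malformed.
function parseBearer(header) {
  if (typeof header !== "string") return null;
  const parts = header.trim().split(/\s+/);
  if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") return null;
  return parts[1];
}

// Express-style middleware factory. `validate(token)` is assumed to resolve to
// { is_valid, claims } (hypothetical shape, modelled on ValidateJWTToken above).
function requireAccessToken(validate, requiredRole) {
  return async (req, res, next) => {
    const token = parseBearer(req.headers && req.headers.authorization);
    if (!token) return res.status(401).json({ message: "unauthorized" });
    let result;
    try {
      result = await validate(token);
    } catch (e) {
      result = null; // a network or SDK error is treated like an invalid token
    }
    if (!result || !result.is_valid || !result.claims) {
      return res.status(401).json({ message: "unauthorized" });
    }
    // allowed_roles may be absent or not an array; never assume its shape.
    const roles = Array.isArray(result.claims.allowed_roles) ? result.claims.allowed_roles : [];
    if (requiredRole && !roles.includes(requiredRole)) {
      return res.status(403).json({ message: "forbidden" });
    }
    req.userId = result.claims.sub; // counterpart of c.Locals("user_id", ...) in the Go example
    return next();
  };
}

// Constructed stand-in for the SDK validator (offline, not a real Authorizer response).
const FAKE_TOKENS = {
  "tok-admin": { is_valid: true, claims: { sub: "user-1", allowed_roles: ["user", "admin"] } },
  "tok-user": { is_valid: true, claims: { sub: "user-2", allowed_roles: ["user"] } },
  "tok-expired": { is_valid: false, claims: null },
};
const fakeValidate = async (token) => FAKE_TOKENS[token] || { is_valid: false };

// Drive the middleware with a minimal fake req/res; resolves to { status, userId }.
async function runCheck(authHeader, requiredRole, validate = fakeValidate) {
  const req = { headers: { authorization: authHeader } };
  const out = { status: 200, userId: undefined };
  const res = { status: (code) => ({ json: () => { out.status = code; return out; } }) };
  await requireAccessToken(validate, requiredRole)(req, res, () => { out.userId = req.userId; });
  return out;
}
```

In a real app, `validate` would wrap the SDK's token validation and `requireAccessToken(validate, "admin")` would be mounted with `app.use` in front of the protected routes.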