-
Notifications
You must be signed in to change notification settings - Fork 80
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor appInfo #342
Comments
If type is string:
If type is string[]:
If type is function (userContext) => Promise:
|
How the above solution solves the above problem:
|
Hi guys, great project! Wanted to ask about the status of this one, and will it be coming to Python backend soon? |
hey @whydinkov this will be worked on in the coming 2-3 months |
For those who are following this issue, we have resumed work on this and are approaching this in separate stages:
|
@nkshah2 Hi, any news on point n°2? I use capacitorJs and my origin scheme is capacitor:// I set the origin in the appInfo but the normaliseURLDomainOrThrowError prevents me from using supertokens with capacitorjs |
jeu @zaosoula we havent had time to work on this. You could consider making a PR for it :) |
@rishabhpoddar No problem that's why I asked, I need to fix this ASAP, can you provide me with explanations on why this function is needed/used |
This function is required to normalise any input url to only get the domain (and protocol) part of it for further use. For example, if you give it Also, it acts as an enforcer everywhere that whenever we are passing around a domain / path in our SDK, we must normalise is first cause in all places, we accept the object of type NormaliseURLDomain instead of a string. |
Okay thank you, i will be back if a fix in 20 minutes |
Allow multiple websiteDomains. Right now we accept just one value, which causes issues when sharing the same backend for multiple frontends (dev env, testing env)
The name websiteDomain is confusing for use where we have mobile apps. Maybe we can change the name to frontendDomain?
We should accept non https / http URLs for frontend native apps.
Issue with multiple sub domains:
https://auth.example.com
, but then the name websiteDomain is confusing. It has to imply that this is the URL in which the login UI is shown.This has affect on the docs (the appInfo form)
This has effect on analytics API -> it will change based on changes to the structure of websiteDomain.
Do we need to also have multiple apiDomains? Not sure.. We should check issues on discord about people expressing issues with just one apiDomain.
Usage of apiGatewayPath is not at all obvious. Maybe this is a documentation issue, but is there something we can do on the backend to eliminate this config and just automatically infer it?
Should we allow regex for websiteDomain? Why or why not?
Need to investigate if there are any other issues with the appInfo object?
Should we allow multiple values for apiDomain? For example, if someone is using one single backend process which can be reached via many hosts, how do we handle that?
If a function is defined for
origin
, what should happen if the request is from an origin that's not a part of the whitelist in the function?We should also discuss how we can enable network interception on the frontend SDK related to several backends having the same domain but different ports (for example localhost:8080 and localhost:8081). In this case we have decided to ignore the port in the api domain when deciding to do interception
Redo example apps for (for deeplinks):
Add tests for normalisedurldomain and normlaisedurlpath to work with any protocol (deep links)
Add tests where we pass in deep link to supertokens.init and check for session token properties.
Add tests for how the anti csrf stuff behaves for without request / response session functions
Apple redirection stuff - get origin from state instead of origin var
One edge case to think about here: If the sign in etc APIs are called in an m2m situation, how will the function method work? Cause in that case, returning
undefined
may not be the right thing to do in the function for the user.Changes to the dashboard APIs where in we generate email verification emails etc.. how will those be affected?
The APIs for dashboard will need to take into account that the request object is not one of the allowed origins perhaps?
Always doing based on req does not work. For example, in case of multi tenancy, we want to get the domain based on tenant id as well to avoid mismatch of origin and tenant.. In case of email verification emails, we want to do it based on which domain the user has access to as well?
Fix this as well: cookieSameSite resolution issue #506
Change the apple redirect POST API to be able to handle non http protocol links as well. Currently we try to convert the value in state to a URL object which fails for custom protocols, ideally it should just use the value set in the state. One more thing is to be able to attach query params in a custom way, for example the library we recommend for apple sign in for Flutter requires that the query is added in a specific place. Maybe we can check for a specific pattern/string in the state url and if present attach the query params there instead of the end
Frontend should ignore the port of the api domain when deciding to do interception. This is for all FE SDKs
It should be possible to decide between cookie and header based aurth depending on the request origin
In docs:
Once all the backend SDKs have
origin
in app info, mark the websiteDomain property as deprecatedMake sure that our email sending service on api.supertokens.com works for deep links too.
Modify multi tenancy example app in auth-react (for sub domain one) to use the new origin function on the backend instead of overriding sendEmail functions
The text was updated successfully, but these errors were encountered: