Skip to main content
important

This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.

Auth-mode should be set to the configured preference

Status

This is just a proposal so far, it hasn't been accepted and needs further discussion.

Status:
proposed
Deciders:
rishabhpoddar, porcellus
Proposed by:
porcellus
Created:
2022-11-22

Context and Problem Statement#

  • As per this decision active sessions can't change auth-methods even through refreshing.
  • As per this decision the backend ignores the contents of the auth-mode header in verifySession

Now we need to decide what to do if the preference set in the frontend config doesn't match the active session.

Considered Options#

  • Skip attaching the auth-mode to requests
  • Always send the auth-mode preference set in the config
  • Auth-mode should be set to the mode of the active session if present and the configured value otherwise

Decision Outcome#

Always send the auth-mode preference set in the config. Reasons:

  • We only use the auth-mode header to decide the token transfer method of new sessions
  • It signifies the preference of the frontend - doesn't mean that the backend will respect it
  • Since both getSession and refreshSession ignores it, it's safe to attach to every request
  • We should attach it to every request, because then this information will get to createNewSession in every case