important
This is a contributors guide and NOT a user guide. Please visit these docs if you are using or evaluating SuperTokens.
Pre built UIAuth-mode should be set to the configured preference
Status
This is just a proposal so far, it hasn't been accepted and needs further discussion.
- Status:
- proposed
- Deciders:
- rishabhpoddar, porcellus
- Proposed by:
- porcellus
- Created:
- 2022-11-22
Context and Problem Statement#
- As per this decision active sessions can't change auth-methods even through refreshing.
- As per this decision the backend ignores the contents of the auth-mode header in
verifySession
Now we need to decide what to do if the preference set in the frontend config doesn't match the active session.
Considered Options#
- Skip attaching the auth-mode to requests
- Always send the auth-mode preference set in the config
- Auth-mode should be set to the mode of the active session if present and the configured value otherwise
Decision Outcome#
Always send the auth-mode preference set in the config. Reasons:
- We only use the auth-mode header to decide the token transfer method of new sessions
- It signifies the preference of the frontend - doesn't mean that the backend will respect it
- Since both
getSessionandrefreshSessionignores it, it's safe to attach to every request - We should attach it to every request, because then this information will get to
createNewSessionin every case