# talk-kratos
w
hey! using the js client, is there a built in way to track a session expiry? or do i have to track the session myself?
h
the session should have an “expires at” time field
w
it does, my question is if the client has some automatic refresh functionality, or should i track this myself and refresh at will?
h
refresh currently only works when you have access to the admin API due to security concerns. there is also a bug related to it at the moment: https://github.com/ory/kratos/issues/2562 hope this helps somewhat 🙂
w
I was gonna say I'm getting some csrf error but it's probably unrelated... Thanks, i'll consider this!
@high-optician-2097 i actually am getting a csrf error but only on the extend route...
```json
{
  "docs": "https://www.ory.sh/kratos/docs/debug/csrf",
  "hint": "The anti-CSRF cookie was found but the CSRF token was not included in the HTTP request body (csrf_token) nor in the HTTP Header (X-CSRF-Token).",
  "reject_reason": "The HTTP Cookie Header was set and a CSRF token was sent but they do not match. We recommend deleting all cookies for this domain and retrying the flow."
}
```
any idea about why this might be? is it because it's an admin route?
h
can you show the full request please?
w
the request? it's done through
```js
ory.adminExtendSession(sessionId)
```
which sends a request to
```
http://localhost:3000/api/.ory/admin/sessions/0c265514-66b8-4348-87ca-7e3c3fbd5e21/extend
```
with this cookie:
```
csrf_token_2bba5bc92d1ceadb8101f6494f1cdb7bd3475db07f08765d50b0106bdd62d178=MPlxotz505JKRMOEAjCYEJMBGH1KebwjPG8i17m3BGI=; ory_kratos_session=MTY1NzUzNDQzMnxzcFJCc3ZqQzhKM2xqNnBySWlRbkxFTWhuckZpYXVPVlFubHQycGg5aFpCbDFMSDc5alMtS0xsRTZibWJvNjRDdWRlc1ctaGFhN1dXWUQtdzVtVkh3dUZFRmVwTFVYaGtGQk1taWhWSnJ2dGFleGJYTTF2b3JxMW9KYU9XV1JXdEl1YV9FOW93OVE9PXyQvgE_X5g_dzs_h5Cee5GHWVteizJK7V7hu0hvMT26Pw==
```
h
ok that is very strange, and that request is responding with a CSRF error?
w
aye
h
that endpoint doesn’t have csrf protection, that error is very very strange 😮 do you have a reproduction case in a github repo or something?
w
no, it's a company repo... but really all i'm doing is
```js
ory.toSession()
    .then(({ data: oldSession }) =>
        ory.adminExtendSession(oldSession.id).then(({ data: newSession }) => setSession(newSession)),
    )
    .catch(() => setSession(undefined));
```
h
ory cloud or ory open kratos?
w
kratos
i thought it was cloud but then they let me know it's not
h
ok, in that case make sure you’re calling the right port. this isn’t a problem in cloud as we’ve wired up everything correctly so you can use just one URL, but in open source it’s operated differently
w
sorry, what do you mean by right port? how can i choose the port when using the js client? x_x
h
ask your team who deployed it, they know where it is
w
no but i mean, you said "make sure you're calling the right port", but the js ory client doesn't have an option to configure a port, only an sdk url, so what exactly do you mean?
h
the sdk url
w
Oh... We do have 2 separate subdomains, we have one regular and one admin, so that must be it... But does the admin one have all the normal routes as well? Or is it inherently different? Or is it set up wrong entirely?
@high-optician-2097 Sorry to bother again but I'm just trying to see what I'm looking for. Our normal/admin kratos is divided into 2 services hosted on 2 separate subdomains. Is it at all possible to handle 2 services on the client side with the ory client or do I need to tell my devops that it's all wrong?
h
two subdomains is fine 🙂 as long as they have a common top level domain
w
they do. but then, how do i make the ory client use the admin url for admin routes and the normal url for normal routes? It only takes one SDK_URL from env 🤔
h
ah i see, I think you should be able to use the custom domain url for all the subdomains in the SDK
so e.g. SDK_URL=https://ory.myapp.com
w
uh
I might be misunderstanding this
our two urls are
```
https://auth-dev.myapp.com
https://auth-admin-dev.myapp.com
```
my SDK_URL is currently set to the former
h
is auth-dev connected to an ory custom domain? or is your app running there?
w
the ory domain IS auth-dev, with myapp.com in this case being the TLD for the entire app with all the services
h
ok, i think auth-dev.myapp.com as the SDK url should work if you have cors enabled: https://www.ory.sh/docs/guides/custom-domains#cors
and don't forget to set withCredentials to true:
```js
const sdk = new V0alpha2Api(
  new Configuration({
    basePath: "https://auth-dev.yourdomain.com",
    baseOptions: { withCredentials: true },
  }),
)
```
w
oh my god what are the credentials? X_X
h
hm?
w
what are the credentials in "withCredentials"?
There really is very little in terms of documentation on this 😞
h
copy paste it as i wrote it
`withCredentials: true` is the value
it’s basically just a fix to tell AJAX to include cookies in CORS requests
w
actually i've been running with 'edgeConfig' this whole time which already has this set to `true`, but I'll give it a shot anyway
h
ah i see, ok, just trying to remove some error sources ;)
w
uh
I'm being blocked by cors AFTER setting withCredentials
```
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.
```
h
ok, make sure to set the domain in your cors settings to the concrete URLs you want to allow the requests from 🙂
w
that would be on the ory side, yeah?
h
in the console yes
w
right, well i have no access to that so that's fantastic but i'll get someone on it right away
@helpful-monkey-1971 read through this when you can please, it's about the admin routes. I don't know if I got the problem across correctly or what you need to reconfigure