API returning a 401 error can lead to Axios infinite request loop about supertokens-website HOT 2 OPEN

Thanks for the detailed description @fa-sharp. This is a good point. There is no easy way for the frontend (on its own) to know if the 401 is cause of an expired access token vs some other reason.

The only reliable solution is for the backend to send a message along with the 401 indicating to the frontend that the 401 is cause of an expired access token.

Right now, from our SDKs, the backend sends a message like "try refresh token" which the frontend could check for, however, we do have several users who have made their own backend SDK and there is no guarantee that they will return the same message to the frontend.

Due to this, if we have to enforce such a message (which I think is a good idea), then this would be a breaking change. As a result, we will want to release this coupled with other breaking changes. So it's not going to happen very soon.

As a work around, you can:

• Send a different status code for your custom need (as described by you)
• You can set a different status code for session expiry using the sessionExpiredStatusCode config (will need to be set on the backend and frontend)
• You could fork the supertokens-website repo and make the change to also check the response body in these places:
  • If using axios:
    • https://github.com/supertokens/supertokens-website/blob/master/lib/ts/axios.ts#L157
    • https://github.com/supertokens/supertokens-website/blob/master/lib/ts/axios.ts#L203
    • https://github.com/supertokens/supertokens-website/blob/master/lib/ts/axios.ts#L344
    • https://github.com/supertokens/supertokens-website/blob/master/lib/ts/axios.ts#L374
  • If using fetch:
    • https://github.com/supertokens/supertokens-website/blob/master/lib/ts/fetch.ts#L254

Keeping this issue open until it's resolved.

from supertokens-website.

Sounds good 👍, thank you! I didn't realize you can set a custom status code for session expiry, that's an interesting solution.

from supertokens-website.