What is the best way to separate sensitive (access tokens) and non-sensitive (user) data? #74
Replies: 2 comments 1 reply
-
I figured out how to do it. In the server you need to throw a redirect instead of returning the user. This appears to be the only way to ensure the cookie is actually set.

```ts
// Verify callback passed to the remix-auth strategy. Instead of returning the
// user it throws a redirect that carries the Set-Cookie header for the session.
import { redirect } from '@remix-run/node'
// App-local helpers (module paths are placeholders for this app's own files)
import { getSession, commitSession } from '~/session.server'
import { validateToken } from '~/validate-token.server'

type AuthorizedSession = { id: string; name: string; email: string; exp: number }

type VerifyParams = {
  accessToken: string
  refreshToken: string
  extraParams: Record<string, string>
  request: Request
}

const verify = async ({ accessToken, refreshToken, extraParams, request }: VerifyParams) => {
  const idDecoded = await validateToken('id', extraParams.id_token)
  const accessDecoded = await validateToken('access', accessToken)
  const cookie = request.headers.get('Cookie')
  const session = await getSession(cookie)
  // Only non-sensitive claims go into `user`; the tokens are stored under their own keys
  const user: AuthorizedSession = {
    id: idDecoded.profile as string,
    name: idDecoded.name as string,
    email: idDecoded.email as string,
    exp: accessDecoded.exp as number,
  }
  session.set('user', user)
  session.set('accessToken', accessToken)
  session.set('refreshToken', refreshToken)
  throw redirect('/', {
    headers: {
      'Set-Cookie': await commitSession(session, {
        // `exp` is an absolute unix timestamp; maxAge is a duration in seconds from now
        maxAge: accessDecoded.exp - Math.floor(Date.now() / 1000),
      }),
    },
  })
}
```
-
If you don't set successRedirect on the callback route, you will get the value returned by the strategy. Then you can set yourself the session and keep part of the data somewhere else.
-
I'm not quite sure how to get this working. If I attempt to set session data like so:
I'm not able to access it later in a loader:
Is it possible to store sensitive accessTokens in the session while also only returning the user from the authenticator? Or do I need to store the accessToken as part of the user data returned from the authenticator? This means devs need to "be careful" not to expose the token in a loader.
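The split the maintainer describes (no successRedirect, store the strategy's return value yourself, keep the tokens apart from the user) as an added TypeScript example; it is not code from remix-auth or from anyone in this thread. `Session` is a minimal in-memory stand-in for Remix's session object, and the `StrategyResult` shape is an assumption about what the strategy returns.

```typescript
// Added example, not code from remix-auth or from this thread. `Session` is a
// minimal stand-in for Remix's session object; StrategyResult is an assumed shape.
type User = { id: string; name: string; email: string };
type StrategyResult = {
  user: User;
  accessToken: string;
  refreshToken: string;
  exp: number; // absolute expiry of the access token, unix seconds
};

class Session {
  private data = new Map<string, unknown>();
  get<T>(key: string): T | undefined { return this.data.get(key) as T | undefined; }
  set(key: string, value: unknown): void { this.data.set(key, value); }
}

// Callback action with no successRedirect: the strategy's return value is
// ours to store. Tokens live under their own keys, never inside `user`.
function storeAuthResult(session: Session, result: StrategyResult): void {
  session.set('user', { ...result.user, exp: result.exp });
  session.set('accessToken', result.accessToken);
  session.set('refreshToken', result.refreshToken);
}

// Cookie lifetime in seconds from `nowMs`, derived from the absolute `exp`
// claim (maxAge is a duration, so passing `exp` itself would be wrong).
function cookieMaxAge(exp: number, nowMs: number = Date.now()): number {
  return Math.max(0, exp - Math.floor(nowMs / 1000));
}

// The only thing a loader hands to the browser: the user, never the tokens.
function loaderData(session: Session): { user: User & { exp: number } } | null {
  const user = session.get<User & { exp: number }>('user');
  return user ? { user } : null;
}

// Server-side code (API calls, refresh) reads the token directly instead.
function getAccessToken(session: Session): string | undefined {
  return session.get<string>('accessToken');
}

// Guard for tests or a dev-only check: serialised loader data must not
// contain either token value.
function leaksTokens(session: Session, data: unknown): boolean {
  const json = JSON.stringify(data);
  return ['accessToken', 'refreshToken'].some((key) => {
    const value = session.get<string>(key);
    return value !== undefined && json.includes(value);
  });
}
```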