https://descope.com logo
Join Slack
Powered by
Hi! I've got another question :sweat_smile: I am u...
# ask-a-descoper
c
Hi! I've got another question 😅 I am using the descope react-sdk, and I am managing my refresh token in my cookies. my question is during local development how does this work without getting CORS issues? the cname I set up does not work because I am using localhost. do y'all have any tips?
d
Could you try and handle the refresh token using localStorage rather than cookies, just to see if that resolves the issue?
c
oh it probably would but i would be nervous of drift between local dev and production
is there anyway that can manifest in bugs or different implemenations?
d
Obviously this is not a fix, but I'm curious to see if that resolves the CORS issue, since you don't have the 
httpOnly
restriction
c
ahhh I see
okay let me check
👍🏼 1
d
Yes ok I think it's due to the fact that the cookies are 
strict
1
c
I forgot to mention i'm using Oauth. google social login. when I click sign in with google and I have a baseURL
Copy code
<DescopeAuthProvider
        projectId={import.meta.env.VITE_DESCOPE_PROJECT_ID}
        baseUrl="<http://auth.app.dopt.com>"
      >
it doesn't work because of cors. So I'm not even at the point of getting a refresh token back
and if i remove the baseURL its exactly as you say the cookie doesn't stick because the same-site=strict property
so i'm wondering how do I get this to work with localhost. in prod this should work but I need a way to test this locally first
s
a way to separate it , is create 2 projects 1 for PROD 1 for DEV (localhost) in PROD, project use cookies with your domain in DEV project, use localhost in the cookie (or keep empty) OR don't use cookies
the backend SDKs support moving flows and themes between projects Also, you can export/import flows from UI
c
okay so i've got it set up like that! now when you say
use localhost in the cookie (or keep empty) OR
do you mean in i should put localhost as my custom domain?
Token response method
or put localhost in approved domain or both?
s
so both options should work, either you choose 
Manage in response body
, in that case it will store refresh and session tokens in local storage
c
I would ike to have it as mange in cookies in dev as well
just so I don't have drift
okay if i have localhost as both approvedDomain and CustomDomain. what should I put as the baseUrl
Copy code
<DescopeAuthProvider
        projectId={import.meta.env.VITE_DESCOPE_PROJECT_ID}
        baseUrl=?
      >
this is where I run into problems because of the samesite strict attribute on the cookies
from what I can tell the only way to have this work is to have a reverse proxy. but that seems like a bit of a hassle for our local dev. so I'm curious if y'all had any way around this
s
Few options: 1. Tunnel, there are services like Ngrok/Cloudflare for that 2. Setup a staging env, a replica of your prod, with diff domain, that is usually a general deployment best practice Both will require another CNAME configured of course On a side note, we planning to work soon on a feature to better streamline this part, have easy way to manage several environments
c
oh bummer. hmm what are the consequences of using two different mechanisms for storing refresh tokens. one in prod and one in dev? you can't use 
sessionTokenViaCookie
in the DescopeAuthProvider? but other than that is it the same? are the access patterns the same in both methods in the react-sdk? what about the web-js-sdk? Edit: what about automatic token refresh? and sending the token to the backend for session validation? I would really not like to have different logic for local dev and prod
d
sessionTokenViaCookie
will force send the session token as a cookie but not the refresh token. The refresh token is handled in the console settings
👍 1
It should be fine to use two different mechanisms in dev and prod, the additional security of using 
samesite=strict
is not really relevant in dev. It should behave the same way if you're using the react-sdk, correct me if I'm wrong @great-diamond-35515?
1
c
nice that sounds good
👍🏼 1
Open in Slack
PreviousNext
Powered by