Answering questions about us (in us vs others)

[rishabhpoddar]

Questions

• [x] Can you easily add a custom social provider?
• [x] How well do they support various platforms and SDKs?
• [x] How can we go about customising the UI? From colours to full customisation
• [x] How do we do things like handle sign up success?
• [x] Social account consolidation?
• [x] Can sessions be used with httpOnly cookies?
• [ ] Setting up for the two use cases of multi tenancy?
• [x] If one needs to do something like paginating across all users in the app in their API, how can they do that?
• [x] If someone wants to tweak the sign up / sign in APIs, how can they do that?
• [x] How would adding custom sign up fields work?
• [x] How would adding custom sign up validators work?
• [x] Describe the dev setup experience (how many steps and what are they + time overall)
• [x] How do go about sending emails yourself if you want to?
• [x] How to go about customising the email design and or the sender's domain?
• [x] How to implement sign out functionality?
• [x] How to implement revoking a user's session functionality?
• [x] What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?
• [x] Will their solution work with serverless env like in nextjs or netlify?
• [x] Email verification with Social providers, how does it work
• [x] Changing Email for social provider, how it works
• [x] if you want to add a password strength meter to registration, how does it work
• [x] User has multiple sessions, only want to revoke a couple of them, how does that work
• [x] For social account consolidation, how does changing the email work.
• [ ] Multi tenancy, properly how it works, redirection works with the frontend
• [x] RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.
• [ ] How to set roles for a user on backend, set multiple roles for a user.
• [x] Documentation review
• [x] Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)
• [x] what are the supported databases
• [x] In multi-tenancy, can you share cookies between subdomains
• [x] Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?
• [x] If a session expires is there a pop-up? does the user have to handle it?
• [x] mobile implementation, IOS and Android
• [x] Email is not verified but password reset is done, does that verify email?
• [x] implementation with ssr
• [x] Migration to and away
• [x] API customisability
• [x] sharing session across sub domains
• [ ] How to disallow sign up and only have sign in?

[rishabhpoddar]

Describe the dev setup experience (how many steps and what are they + time overall)

• See video here
• Frontend
  • Install frontend SDK
  • Call the init function
  • Add routing handler
  • Add session interceptor (if using axios)
• Backend
  • Install backend SDK
  • Call the init function
  • Add middleware and error handler
• Core
  • If managed service
    • Sign up
    • Select region
    • Use instance
  • If self hosted
    • Download docker image / zip binary
    • Install binary (if used that)
    • Run the core
    • Connect core to your db

Can you easily add a custom social provider?

• Yes. We support any OAuth 2.0 provider: See docs. All the code required to add a custom provider + extract profile info from their payload is within your own backend SDK, as a simple callback function.

How well do they support various platforms and SDKs?

• As of this writing, we have support for NodeJS and react + vanilla JS sessions. One can build their own UI + backend using our APIs (a few days of work), as long as we support sessions for their frontend (as that is really complex for them to build out).

How can we go about customising the UI? From colours to full customisation

• We have a palette object for simple colour styling
• One can use any CSS construct (including media queries) to change our CSS in a "safe way" (without affecting their CSS)
• Once can replace any react component we have with their own thereby adding custom UX to our widgets without rewriting the entire frontend.
• One can embed our UI in any page of theirs, easily adding headers and footers.

How do we do things like handle sign up success?

• We have a frontend event that's fired that providers them details of the new user
• We allow users to easily override the backend (their backend) APIs that our SDK adds to handle post sign up like functionality. Within that override, they can call the original implementation so as to not have to implement everything within that API.

Social account consolidation?

• We do not provide this (due to security issues). But we have open issues that will prevent users from creating duplicate accounts unintentionally.
• Users can implement this functionality by overriding our APIs and working with them.

Social account consolidation?

• Yes. This is default and only option (for security purposes)

If one needs to do something like paginating across all users in the app in their API, how can they do that?

• Our SDK has functions for that.
• We also allow devs to export all users as CSV from our dashboard

If someone wants to tweak the sign up / sign in APIs, how can they do that?

• They can use our override feature to provide tweaks
• They can disable our sign up / in API altogether and implement it themselves using our core wrapper functions.

How would adding custom sign up fields work?

• See docs
• They would need to handle those custom fields themselves post sign up

How would adding custom sign up validators work?

• See docs

How do go about sending emails yourself if you want to?

• We have callback functions for sending email, which you can use to send custom designed emails using whichever method you want.

How to go about customising the email design and or the sender's domain?

• We have callback functions for sending email, which you can use to send custom designed emails using whichever method you want.

How to implement sign out functionality?

• The API for sign out is automatically exposed via our backend SDK. You have to use the signOut function exposed by the frontend SDK and you are done.

How to implement revoking a user's session functionality?

• The backend SDK has revokeSession function which takes various inputs...

What if you want to embed the sign up / in page into your website UI (As opposed to opening a new tab..). Is that possible?

• Yes. It is possible. See this as an example.

Will their solution work with serverless env like in nextjs or netlify?

• Yes.

Email verification with Social providers, how does it work

• If the provider gives us that the email is verified already, we mark it as verified in our db
• Else we show the email verification screen to the end user (if it is switched on by the dev).
• If the email changes on the social provider's side, it is marked as unverified again.

Changing Email for social provider, how it works

• Each login will update the email used by the end user in our db. So if the social provider has changed the email, ours will change too.

if you want to add a password strength meter to registration, how does it work

• You can override the specific component that show the password field, and add the password strength meter to it.

User has multiple sessions, only want to revoke a couple of them, how does that work

• Each session has a unique ID (that we call sessionHandle). You can call revokeSession with a specific sessionHandle in your backend.

For social account consolidation, how does changing the email work.

• We don't have social account consolidation (for security reasons)

RBAC, check properly, how to get the role of the user within the API for custom logic for both frontend and backend.

• Devs can add a role to a session on creation (based on the userID).
• This role can be fetched on the backend (post session verification) and on the frontend.
• Roles can be edited in the session on the backend (post session verification).

Documentation review

• It is split into recipes.
• Each recipe doc has all the steps needed to use it from getting started to customisations, to overrides, to integrations with other frameworks like NextJS or AWS lambda or Hasura

Changing password validation(or some similar feature) for sign up does this get propagated to other places(Signin, password reset)

• Yes

what are the supported databases

• If you are using managed service, it doesn't matter which db you use.
• If you are self hosted, you must use mysql or postgresql (or mongdb too if you only use sessions)

In multi-tenancy, can you share cookies between subdomains

• Yes

Is there a mechanism for protecting routes (similar to the supertokens auth wrapper). How easy is it to protect multiple pages and what does the code look like?

• yes.

If a session expires is there a pop-up? does the user have to handle it?

• As of now, the user has to handle it. But we have open issues for this.

mobile implementation, IOS and Android

• The UI can be natively made and use our APIs exposed via the backend SDK
• Devs will need to use our session management lib for their framework (we support iOS, Android, React native)

Email is not verified but password reset is done, does that verify email?

• No. But this is an open issue at the moment.

implementation with ssr

• Yes.
• With NextJS we have dedicated docs for this here

Migration to and away

• Using our override features, you can smoothly migrate into and out of supertokens
• Existing users can be asked to use the forgot password flow
• If coming from another service (like Auth0), devs can provide "sign in with Auth0" as an option for existing users.

API customisability

• Can be done easily using our override feature.

sharing session across sub domains

• Possible by setting the cookieDomain to be .example.com via our frontend and backend configs.

How to disallow sign up and only have sign in?

• Can override the backend API to disallow sign up (by throwing an error in that case)
• Can override the frontend component that lets users switch to the sign up view.