know if refreh_token exists in the frontend?

ssssadsadasd · 2025-10-07T14:27:17.001+00:00

whe I do "get http-only cookie -> refresh_token" I get back "{{ cookies.refresh_token }}" in the frontend whether the refresh_token exists or not. how can I know from the frontend whether there is actually a refresh_token in the cookies or not? thanks

ssssadsadasd

7 days ago

whe I do "get http-only cookie -> refresh_token" I get back "{{ cookies.refresh_token }}" in the frontend whether the refresh_token exists or not. how can I know from the frontend whether there is actually a refresh_token in the cookies or not? thanks
MartinF

7 days ago

If it's a http-only cookie, you can't know in the front-end. You can include it in a call to an edge-function or something and return an error if it is missing. If you're trying to refresh a session i would error if missing, else try the token and then return the new session or error if unable to refresh.
ssssadsadasd

7 days ago

just fyi,the reason I am asking is this.
I have "get own profile" call which happens on server side and, if it returns an id, means the user is logged in basically. most of the show/hide logic is based on this.
I also have a refresh token logic which does not happen serve side (otherwise it does not work).

in suapbase I have the token limit to 1 hour. if I am logged in, and close the tab then return after two hours the server side profile call returns null (because the access_token is invalid I guess) but the refresh token is still valid. so I say: run the refresh token call on load and then also make the get profile call (only if token_expires_at is less than 5 minuts from now; this is a data point that I save in sessio storage).
but this is does not have a good effect since for a split second the user seems to be logged out @MartinF @Andreas Møller
ssssadsadasd

7 days ago

@MartinF I need this for a UI reason. so I would need to have access to it "immediately"
MartinF

7 days ago

Yes, it's difficult. You could have a loader which show across the whole page when get_own_profile returns null and the refresh_token is loading? I had a redirect that runs server side that redirects to a page that handles refresh and then routes back to the page they were on, which did the job too. Now I use an edge function that i call on page load which handles everything. Couldn't figure a good way to get UI to show/hide based on custom claims without it.
👍1
ssssadsadasd

7 days ago

thanks @MartinF
@Andreas Møller just tagging you in case you have anything to what Martin explained above. thanks
@ssssadsadasd
just fyi,the reason I am asking is this.
I have "get own profile" call which happens on server side and, if it returns an id, means the user is logged in basically. most of the show/hide logic is based on this.
I also have a refresh token logic which does not happen serve side (otherwise it does not work).

in suapbase I have the token limit to 1 hour. if I am logged in, and close the tab then return after two hours the server side profile call returns null (because the access_token is invalid I guess) but the refresh token is still valid. so I say: run the refresh token call on load and then also make the get profile call (only if token_expires_at is less than 5 minuts from now; this is a data point that I save in sessio storage).
but this is does not have a good effect since for a split second the user seems to be logged out @MartinF @Andreas Møller
Erik Beuschau

6 days ago

Not sure if it will solve your issue, but it's possible to run an API request only during SSR by setting the autofetch formula to being truthy only when running on the server. You could also decide only to run your API request during SSR if a specific cookie exists (using the [Get Cookie](https://docs.nordcraft.com/references/formulas#get-cookie) formula).
We use this approach on nordcraft.com to only try and fetch the user's session if a cookie exists - otherwise we never call the API that fetches the user's' session.
@Erik Beuschau
Not sure if it will solve your issue, but it's possible to run an API request only during SSR by setting the autofetch formula to being truthy only when running on the server. You could also decide only to run your API request during SSR if a specific cookie exists (using the [Get Cookie](https://docs.nordcraft.com/references/formulas#get-cookie) formula).
We use this approach on nordcraft.com to only try and fetch the user's session if a cookie exists - otherwise we never call the API that fetches the user's' session.
MartinF

6 days ago

That's awesome! Hadn't appreciated you could use the existence of cookies to determine if a call should run. That will help cut down on some unnecessary calls.
👍1
MartinF

6 days ago

Hey @Erik Beuschau , just thinking, given that cookies can be read during ssr, is there the possibility for variables to take cookie values as initial values in future? Would be super helpful for checking things like custom claims to make UI decisions quickly? For example i could show the sign in button in the header if the variable was null. This is useful as if the API doesn't run because of the formula then there is no event to work from.
Erik Beuschau

6 days ago

We've considered this in the past, but it does open up for quite a lot of bad practices around exposing http-only cookies to the client's JS. Instead, I suggest you run a session API call during SSR (but only if your cookie is available) that returns the necessary information for you. You can then read directly from that API response (no variable needed), and that will also work during SSR
❤️1
@Erik Beuschau
We've considered this in the past, but it does open up for quite a lot of bad practices around exposing http-only cookies to the client's JS. Instead, I suggest you run a session API call during SSR (but only if your cookie is available) that returns the necessary information for you. You can then read directly from that API response (no variable needed), and that will also work during SSR
MartinF

6 days ago

Cool, I've been using the getClaims() method in an Edge Function as the main thing i need is the contents of the access_token jwt. Will keep doing this. Thanks!
👍1
saillmone

3 days ago

Hi,

I'm trying to retrieve the refresh_token value (supabase) following a server-side redirect (image 1).

When I hard-enter the value instead of retrieving the cookie, my entire workflow works fine (that means it's running correctly in SSR, right?)

But I can't get this value from http-cookies. I've tried auto-fetching or fetching if IsServer. (My redirect is SSR, so auto-fetching should be enough?)

I'm stuck. I'd like to do this without having to call an edge function and manage authentication 100% via NC.

Thanks in advance!

know if refreh_token exists in the frontend?

ssssadsadasd

MartinF

ssssadsadasd

ssssadsadasd

MartinF

ssssadsadasd

Erik Beuschau

MartinF

MartinF

Erik Beuschau

MartinF

saillmone