know if refreh_token exists in the frontend?

ssssadsadasd · 2025-10-07T14:27:17.001+00:00

whe I do "get http-only cookie -> refresh_token" I get back "{{ cookies.refresh_token }}" in the frontend whether the refresh_token exists or not. how can I know from the frontend whether there is actually a refresh_token in the cookies or not? thanks

ssssadsadasd
4 months ago
whe I do "get http-only cookie -> refresh_token" I get back "{{ cookies.refresh_token }}" in the frontend whether the refresh_token exists or not. how can I know from the frontend whether there is actually a refresh_token in the cookies or not? thanks
MartinF
4 months ago
If it's a http-only cookie, you can't know in the front-end. You can include it in a call to an edge-function or something and return an error if it is missing. If you're trying to refresh a session i would error if missing, else try the token and then return the new session or error if unable to refresh.
ssssadsadasd
4 months ago
just fyi,the reason I am asking is this.
I have "get own profile" call which happens on server side and, if it returns an id, means the user is logged in basically. most of the show/hide logic is based on this.
I also have a refresh token logic which does not happen serve side (otherwise it does not work).

in suapbase I have the token limit to 1 hour. if I am logged in, and close the tab then return after two hours the server side profile call returns null (because the access_token is invalid I guess) but the refresh token is still valid. so I say: run the refresh token call on load and then also make the get profile call (only if token_expires_at is less than 5 minuts from now; this is a data point that I save in sessio storage).
but this is does not have a good effect since for a split second the user seems to be logged out @MartinF @Andreas Møller
ssssadsadasd
4 months ago
@MartinF I need this for a UI reason. so I would need to have access to it "immediately"
MartinF
4 months ago
Yes, it's difficult. You could have a loader which show across the whole page when get_own_profile returns null and the refresh_token is loading? I had a redirect that runs server side that redirects to a page that handles refresh and then routes back to the page they were on, which did the job too. Now I use an edge function that i call on page load which handles everything. Couldn't figure a good way to get UI to show/hide based on custom claims without it.
👍1
ssssadsadasd
4 months ago
thanks @MartinF
@Andreas Møller just tagging you in case you have anything to what Martin explained above. thanks
@ssssadsadasd
just fyi,the reason I am asking is this.
I have "get own profile" call which happens on server side and, if it returns an id, means the user is logged in basically. most of the show/hide logic is based on this.
I also have a refresh token logic which does not happen serve side (otherwise it does not work).

in suapbase I have the token limit to 1 hour. if I am logged in, and close the tab then return after two hours the server side profile call returns null (because the access_token is invalid I guess) but the refresh token is still valid. so I say: run the refresh token call on load and then also make the get profile call (only if token_expires_at is less than 5 minuts from now; this is a data point that I save in sessio storage).
but this is does not have a good effect since for a split second the user seems to be logged out @MartinF @Andreas Møller
Erik Beuschau
4 months ago
Not sure if it will solve your issue, but it's possible to run an API request only during SSR by setting the autofetch formula to being truthy only when running on the server. You could also decide only to run your API request during SSR if a specific cookie exists (using the [Get Cookie](https://docs.nordcraft.com/references/formulas#get-cookie) formula).
We use this approach on nordcraft.com to only try and fetch the user's session if a cookie exists - otherwise we never call the API that fetches the user's' session.
@Erik Beuschau
Not sure if it will solve your issue, but it's possible to run an API request only during SSR by setting the autofetch formula to being truthy only when running on the server. You could also decide only to run your API request during SSR if a specific cookie exists (using the [Get Cookie](https://docs.nordcraft.com/references/formulas#get-cookie) formula).
We use this approach on nordcraft.com to only try and fetch the user's session if a cookie exists - otherwise we never call the API that fetches the user's' session.
MartinF
4 months ago
That's awesome! Hadn't appreciated you could use the existence of cookies to determine if a call should run. That will help cut down on some unnecessary calls.
👍1
MartinF
4 months ago
Hey @Erik Beuschau , just thinking, given that cookies can be read during ssr, is there the possibility for variables to take cookie values as initial values in future? Would be super helpful for checking things like custom claims to make UI decisions quickly? For example i could show the sign in button in the header if the variable was null. This is useful as if the API doesn't run because of the formula then there is no event to work from.
Erik Beuschau
4 months ago
We've considered this in the past, but it does open up for quite a lot of bad practices around exposing http-only cookies to the client's JS. Instead, I suggest you run a session API call during SSR (but only if your cookie is available) that returns the necessary information for you. You can then read directly from that API response (no variable needed), and that will also work during SSR
❤️1
@Erik Beuschau
We've considered this in the past, but it does open up for quite a lot of bad practices around exposing http-only cookies to the client's JS. Instead, I suggest you run a session API call during SSR (but only if your cookie is available) that returns the necessary information for you. You can then read directly from that API response (no variable needed), and that will also work during SSR
MartinF
4 months ago
Cool, I've been using the getClaims() method in an Edge Function as the main thing i need is the contents of the access_token jwt. Will keep doing this. Thanks!
👍1
saillmone
4 months ago
Hi,

I'm trying to retrieve the refresh_token value (supabase) following a server-side redirect (image 1).

When I hard-enter the value instead of retrieving the cookie, my entire workflow works fine (that means it's running correctly in SSR, right?)

But I can't get this value from http-cookies. I've tried auto-fetching or fetching if IsServer. (My redirect is SSR, so auto-fetching should be enough?)

I'm stuck. I'd like to do this without having to call an edge function and manage authentication 100% via NC.

Thanks in advance!
Erik Beuschau
4 months ago
Are you using Supabase? In that case, I suggest you check how the Nordbase project was built (using Supabase Connect) https://editor.nordcraft.com/projects/nordbase/branches/main/components/signin
saillmone
4 months ago
Thanks Eric for your feedback. I'm indeed using Supabase.

I managed to get this refresh_session page working (thanks to Supa Connect and Kedde!) by leaving the page client-side.

Is there a way to do this server-side? I'd like to get rid of this "flash"?
Erik Beuschau
4 months ago
I'm not sure how you implemented it, so I don't know. Could you explain what you mean by "flash"?
saillmone
4 months ago
We are on the home page:
- if the user is logged in, we stay
- if the user is logged out, redirect rules to the refresh session page

On this refresh session page, we are required to call auth/refresh-token on the client side and not use redirect rules to avoid this flash.

I just want the user to never see the "refresh session page" URL and to be redirected to the home page if successful, or to login if error.
Erik Beuschau
4 months ago
Right. I don't believe that's currently possible actually 🤔 It would probably require that we allow a redirect rule to also send set cookie headers. Let me get back to you 👍
🙌1
@saillmone
We are on the home page:
- if the user is logged in, we stay
- if the user is logged out, redirect rules to the refresh session page

On this refresh session page, we are required to call auth/refresh-token on the client side and not use redirect rules to avoid this flash.

I just want the user to never see the "refresh session page" URL and to be redirected to the home page if successful, or to login if error.
MartinF
4 months ago
You could create an edge function that handles refresh and returns cookie headers in the response with a status. Then use redirect rules on the API call in Nordcraft. This way you won't need to use any set http cookie actions as cookies included. Not sure if this would completely solve it but need to modify my edge function to do this so will let you know how it goes. Previously the proxy would only return one cookie but this is now fixed and access_token & refresh_token can now be passed.
🔥1
Tod
4 months ago
Great job @MartinF! Your contribution to the Nordcraft Community just made you advance to Community Level 9! 🌲
@Erik Beuschau
Right. I don't believe that's currently possible actually 🤔 It would probably require that we allow a redirect rule to also send set cookie headers. Let me get back to you 👍
MartinF
4 months ago
This would be a cool feature

know if refreh_token exists in the frontend?

ssssadsadasd

MartinF

ssssadsadasd

ssssadsadasd

MartinF

ssssadsadasd

Erik Beuschau

MartinF

MartinF

Erik Beuschau

MartinF

saillmone

Erik Beuschau

saillmone

Erik Beuschau

saillmone

Erik Beuschau

MartinF

Tod

MartinF