#apprwite sdk session unauthorized

Hey I'm using appwrite sdk for nodejs and while I'm trying to get sessions of user it's giving unauthorized role error can anyone help me in this?

As said in #👷│maintainers, it means you aren't logged in.

Also, what are you using, the SDK or Rest API?

Sdk

Then don't use the REST API tag. It's not the same.
What does your code look like?

I'm using sdk in rest apis

const authMiddleware = (client) => {
console.log('hiiiiiiiiiiiii')
return async (req, res, next) => {
console.log(req);
const sessionId = req.headers['session-id'];
if (!sessionId) {
return res.status(401).send('Unauthorized: No session ID provided');
}
console.log(sessionId);

    const users = new sdk.Account(client);

    try {
        // Check if the session exists for the user
        const session = await users.getSession(sessionId);
        console.log(session);
        if (!session || session.$id !== sessionId) {
            return res.status(401).send('Unauthorized: Invalid session');
        }

        req.userId = session.userId;  
        next();  
    } catch (error) {
        console.error('Authorization Error:', error.message);
        return res.status(401).send('Unauthorized: Invalid session');
    }
};

};
this is my middleware function but when i am trying to get session it is giving error

and where does the user login?

there is another api of user login

in response i got session object from that object i am sending session id in headers in another api from postman

Are you sure that the middleware is getting the session-id header?

yes i am sending in header from postman and using debugger

const session = await users.getSession(sessionId);
on this line i got error

Authorization Error: app.66fcf60100140e524d82@service.cloud.appwrite.io (role: applications) missing scope (account)

what does console.log(sessionId) say?

its returning sessionId that i've send through headers

Only think I can think of is that the session id isn't the actual session id, what I'd rather do is set the jwt from the session secret as a httponly cookie and use that jwt with account.get() instead

@turbid moss any idea?

I've doing without frontend i am hitting apis one after another so in another api to validate user we have to validate session also

For that I think that you need to use the server side SDK or api with a valid API key.
Be careful with that as it can't be done client sice since the API key needs to be secured and not known by the client.

If you need to interact like an user server side, probably you can follow the SSR tutorial in order to handle auth server side: https://appwrite.io/docs/products/auth/server-side-rendering

i am already using sdk

I think the issue is that that user needs to be signed in to actually check if the session is valid.

So as said, you need the actual session, best practice is to use cookies with the session secret as a value, or as D5 said use an API key

in normal scenario after login if there is any api that need to be authenticate user then we need to authenticate again at backend side that this user is valid user . so for that how we validate that user is authorized one

api key will be same for all users we can't differentiate users

As said, use cookies.

Also, what about using Appwrite as the backend? Do you need SSR?

You can then just easily send the cookies via the Cookie header to your backend, which contains your jwt, with that you can authenticate using .setJWT

Yes, the API key will be in the server, so it's the same. You don't use it to authenticate the users, but to interact with the appwrite server in a priviliged way and get sessions from users, etc