jwt vs cookies in next-auth
we recommend using sessions in t3-app but i don't know why. theo says to use sessions but what are the exact reasons one would pick one over the other while using next-auth?
93 Replies
Unknown User•3y ago
Message Not Public
meant cookies
Unknown User•3y ago
Message Not Public
dude i really dk the technicalities lol
Unknown User•3y ago
Message Not Public
i mean whatever the strategies are in next-auth
one is jwt, other is the thing we use in ct3a
no
jwt vs database sessions?
next auth is using cookies
Unknown User•3y ago
Message Not Public
jwt is just the encoding
cookie is the way of transport
yes this
oh
oh
adonis uses database sessions
a smaller token and such
but is one way better than the other?
but you hammer the database with requests to decode
a friend of mine is using jwt because db sessions are slow for them
and cookies are sent on every req
this was their explanation
Unknown User•3y ago
Message Not Public
that makes sense
plus if you add db lookup
if for some reason the db is down
auth is down as a whole
so it generally results in a faster client side app?
if db is down in most cases the app won't work.
that makes sense
Unknown User•3y ago
Message Not Public
or at least a lot of the functionality probably doesn't work.
indexing is fine for the case too
plus it's easier to invalidate
also is this a thing?
because you just purge
Unknown User•3y ago
Message Not Public
i think refreshing the jwt token in next-auth is also manual right?
Unknown User•3y ago
Message Not Public
ohhh
does that have any impact on performance?
Unknown User•3y ago
Message Not Public
technically probably since you check session with a db query but don't need to for jwt
that makes sense
if doing a db lookup is slow then adding caching would help with that. but I think for it to be noticeable you need a lot of traffic
if the lookup is an issue
Unknown User•3y ago
Message Not Public
you can add a redis or memcached
Unknown User•3y ago
Message Not Public
it's a kv of the sort
token:some-payload
Unknown User•3y ago
Message Not Public
adonis as an example allows you to do both
oh yea that reminds me, you can't invalidate a jwt token. so signing out technically isn't possible and invalidating sessions also isn't possible.
i should read up more on this
thanks for the info!
super helpful for noobs like me
no way you're a noob :3
noob at auth*
:)
Unknown User•3y ago
Message Not Public
upstash
Unknown User•3y ago
Message Not Public
Upstash Redis | NextAuth.js
To use this Adapter, you need to install @upstash/redis and @next-auth/upstash-redis-adapter package:
Unknown User•3y ago
Message Not Public
upstash is a provider
same for railway
Unknown User•3y ago
Message Not Public
the speed difference would be on redis location
Unknown User•3y ago
Message Not Public
not only that
upstash has a redis serverless client
Unknown User•3y ago
Message Not Public
connection pool
Unknown User•3y ago
Message Not Public
with db lookup you don't need to store the user info on the token
create a row on the database, encrypt the row id
even if you decrypt the key, you cant access any decent info
Unknown User•3y ago
Message Not Public
user id or token id?
Unknown User•3y ago
Message Not Public
it's kind of ok
but with getting the user profile
you expose either way
lol
Unknown User•3y ago
Message Not Public
A bit late to the party but I found this cool flowchart that describes some problems with using JWT for sessions http://cryto.net/~joepie91/blog/attachments/jwt-flowchart.png
I am saving that because it is so useful.
Explains shit better than I could lol
Found the blog with that flowchart on the prisma-session-store readme if you want to read the rest of it (there's a couple other links mentioned in the readme that are pretty good reads too) https://github.com/kleydon/prisma-session-store
Unknown User•3y ago
Message Not Public
i saw this a few days back
looks cool! will try it
yeah database sessions seem much more straightforward than jwts
Unknown User•3y ago
Message Not Public
very cool
don't think there's a solid start adapter yet tho
are there any plans for that?
Unknown User•3y ago
Message Not Public
i can help contribute docs, im guessing it would be similar to the next or astro api
Unknown User•3y ago
Message Not Public
Unknown User•3y ago
Message Not Public
oh yeah focus on exams!
Conceptually cookies and local storage are the same (data stored clientside).
Unknown User•3y ago
Message Not Public
An http only cookie is quite different
U can't read it from the application
https://stytch.com/blog/jwts-vs-sessions-which-is-right-for-you/ to understand the difference between jwt auth and session auth i can recommend this article
The browser can send it along with requests and it's unreadable from inside
I tried understanding the point of jwts but opted for a userinfo endpoint to get any data I needed about the user instead
Exactly, nowadays u can even declare cookies as https only additionally - which makes them the best storage for such access tokens. But at the end that is an implementation detail. For understanding the different auth concept this is not relevant
when i heard about jwts 2 years ago i didn’t really see a good use case for them for 95% of applications
Fair
Unknown User•3y ago
Message Not Public
Many people especially here say that there is no security difference all the time
So I'm just in auto mode when I see that line
Yeah i agree. The only real advantage they have is performance wise and their stateless nature making them easier for cross microservice communication. But they come with a pretty big disadvantage for real life use cases where fine grained control of user access is necessary
If u have no dedicated backend then yea probably, but if you have your own backend and an SPA you should just do cookie stuff
Have you got any up-to-date documentation on how I could go about adopting lucia in my trpc/ct3a stack? I've got myself into a bit of a messy state trying to get lucia integrated