cookie session - express-session with tRPC

Does anybody use express-session with tRPC? What is the best solution to use cookie sessions with tRPC? (using redis as a storage)
23 Replies
ippo
ippoOP•2y ago
hmmm..... 🤔
Endgame1013
Endgame1013•2y ago
It depends on your backend. Personally, I’ve used both express session (for express backend) and fastify session (for fastify backend) with tRPC. If your backend is Next.js, I would recommend checking out the next-session package and using a custom store using Redis. Here are the docs: https://github.com/hoangvvo/next-session
ippo
ippoOP•2y ago
What about next-auth? Is it possible to create session authentication with it like in express-session? Is next-session still supported? Does anybody know a repo with session authentication that uses a database/redis/memory to store the id and gets the user from the database for the session on each request? I only found JWT examples or examples that use authentication servers like Google and others.
Endgame1013
Endgame1013•2y ago
You can do session auth with next-auth, but only if you're using some sort of OAuth provider. It doesn't support sessions when using credential-based auth. Next-session still works. It's a pretty lightweight package, so I wouldn't expect a lot of activity on the GitHub repo. There are not many repos out there that showcase session auth + Next.js. My guess is because Next.js is popular with the serverless community, hence the use of JWTs. If you read the next-session docs, you'll see you can write your own custom Session Store (I think the example in the repo is an in-memory store). You can write all the logic to look up the user from whatever DB you choose, using whatever ORM you choose. Then, you could use next-session and a custom session store using Redis to save and update the user session in Redis.
Anna | DevMiner
Anna | DevMiner•2y ago
jwt > sessions
Endgame1013
Endgame1013•2y ago
I'm personally not a fan of next-auth, as I feel it is too opinionated for my use-case. I would suggest installing next-session and giving it a spin with a custom Redis store.
Anna | DevMiner
Anna | DevMiner•2y ago
too long
ippo
ippoOP•2y ago
@Anna | DevMiner do not read it now, just bookmark them and give them a look if you find the time. This article is a very good summary: http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/ Take your time and give it a look if you feel ready 🙂
Endgame1013
Endgame1013•2y ago
@ippo I personally like next-session, although I'm not actively using it in any apps actually in production. To be fair, everyone has different preferences when it comes to NPM packages, so I would suggest installing it for yourself and see if it fits well in your stack.
ippo
ippoOP•2y ago
so what do you use in production for session based authentication?
Endgame1013
Endgame1013•2y ago
Next.js is still pretty new to our stack at my day job. Most of our apps are still on CRA/Express JS, so we're using express-session. At the point we transition to Next.js, we'll probably reach for next-session, lucia-auth, or next-auth. It all depends on what OAuth providers we will support, etc. Here's a post I made a few weeks back when I was asking the same questions as you are: https://discordapp.com/channels/966627436387266600/1091389956695539823
Endgame1013
Endgame1013•2y ago
You may also want to check out Lucia Auth. It just hit its 1.0 release and you can use Redis to store your user sessions. They have a pretty active Discord as well, so I'm sure others would be happy to help answer any questions you may have. https://lucia-auth.com/
ippo
ippoOP•2y ago
I am not sure, but next-auth feels wrong, can not say why :/ @Endgame1013 can you elaborate on OAuth and session based authentication? OAuth is a protocol for token based authentication. At the moment I can not see how next-auth and OAuth with sessions work together 😦 ?
Endgame1013
Endgame1013•2y ago
I’m not going to be as much help as reading the docs. In short, next-auth is only going to allow you to use JWTs, unless you use an OAuth provider to authenticate users. If you’re wanting a way to save user sessions to a db like Redis, regardless of how the user is authenticated (credentials, OAuth, magic link, etc.), you’re going to want to reach for another library besides next-auth. This all ties back to my original point that I think next-auth is too opinionated.
ippo
ippoOP•2y ago
Long story short: there is a provider that offers you session authentication with next-auth, but you never tested that, right? Side comment: is it me, or is it normal that I feel alone using session authentication? It feels like you are stupid if you do not use JWT, and there is almost no native session solution or support.
Endgame1013
Endgame1013•2y ago
I sent a link a couple messages up that links to a repo I made using next-session with a custom redis store. You may want to check that out and clone the repo for yourself. And the reason JWTs are so popular with Next.js is because they are more portable than sessions and work better with serverless deployments.
Endgame1013
Endgame1013•2y ago
GitHub - nick-cheatwood7/redis-next-session
ippo
ippoOP•2y ago
@Endgame1013 do you have a tRPC server with next-session example?
Endgame1013
Endgame1013•2y ago
I don’t, but you should be able to reuse the same logic in a tRPC router.
ippo
ippoOP•2y ago
hmmm... will give it a try. Will need your help, but will try it alone first 🙂 This is how I set up my cookie with express-session:
// imports assumed for the snippet to run: express, express-session, connect-redis (v7 API) and the redis client
import express from "express";
import session from "express-session";
import RedisStore from "connect-redis";
import { createClient } from "redis";

const redis = createClient();
await redis.connect();

const app = express();
app.use(
  session({
    name: "COOKIE_ID",
    store: new RedisStore({
      client: redis,
      disableTouch: true, // do not reset the TTL in Redis on every request
    }),
    cookie: {
      maxAge: 1000 * 60 * 60 * 24, // 1 day
      httpOnly: true, // not readable from document.cookie
      sameSite: "lax", // reLAXed CSRF - Cross Site Request Forgery
      secure: true, // cookie only works over https
      domain: ".myapp.com", // cookie only sent for requests to this domain and its subdomains
    },
    saveUninitialized: false, // not every session will be stored, only once modified
    secret: "very complicated string", // used to sign the cookie and protect it from modification; load it from the environment in production
    resave: false, // will not save the session in store on every request, only if it was modified
  })
);
is there a next-auth equivalent to this?
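The thread never shows the tRPC side, so here is an added example (not from any poster, and not code from express-session, connect-redis or tRPC) of what a tRPC createContext has to do with a cookie set by the config above: read COOKIE_ID, verify its signature, and look the id up in the store before any procedure trusts it. It reproduces the wire format express-session uses through cookie-signature (an "s:" prefix, the id, a dot, and a base64 HMAC-SHA256 of the id with "=" padding stripped), while the Map standing in for Redis, the SECRET constant and the requireUser guard are assumptions for illustration.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Stand-in for the Redis store (assumption): session id -> session data.
export type SessionData = { userId?: string };
export const store = new Map<string, SessionData>();
const SECRET = "very complicated string"; // same role as express-session's `secret`

// Same format express-session writes via cookie-signature:
// "s:" + id + "." + base64(HMAC-SHA256(secret, id)) with trailing "=" removed.
export function sign(id: string, secret = SECRET): string {
  const mac = createHmac("sha256", secret).update(id).digest("base64").replace(/=+$/, "");
  return `s:${id}.${mac}`;
}

// Recompute the signature and compare in constant time; return the id or null.
export function unsign(cookieValue: string, secret = SECRET): string | null {
  if (!cookieValue.startsWith("s:")) return null;
  const dot = cookieValue.lastIndexOf(".");
  if (dot < 2) return null;
  const id = cookieValue.slice(2, dot);
  const expected = Buffer.from(sign(id, secret));
  const given = Buffer.from(cookieValue);
  if (expected.length !== given.length) return null; // timingSafeEqual needs equal lengths
  return timingSafeEqual(expected, given) ? id : null;
}

// Minimal Cookie header parser; the value is percent-encoded, so "s:" arrives as "s%3A".
export function readCookie(header: string | undefined, name: string): string | undefined {
  for (const part of (header ?? "").split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k === name) return decodeURIComponent(rest.join("="));
  }
  return undefined;
}

// What a tRPC createContext does with the request: a forged, tampered or
// unknown cookie yields `session: null`, never a partially trusted object.
export function createContext(req: { headers: { cookie?: string } }) {
  const raw = readCookie(req.headers.cookie, "COOKIE_ID");
  const sid = raw ? unsign(raw) : null;
  const session = sid ? (store.get(sid) ?? null) : null;
  return { session };
}

// Guard for protected procedures (assumed name): reject when no user is bound to the session.
export function requireUser(ctx: ReturnType<typeof createContext>): string {
  if (!ctx.session?.userId) throw new Error("UNAUTHORIZED");
  return ctx.session.userId;
}
```

With express-session mounted as in the snippet above, createContext would simply return `{ session: req.session }` and the middleware does the signature check and store lookup for you; the point of spelling it out is that the cookie only carries an id and the user is always resolved server-side.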