next-auth

Im working on auth in this next app using next auth with google and credentials providers, and custom sign in and register page . I definitely don't knw if I'm doing it in the right safest way to prevent my data from attackers. I made only the
play
play
route redirect u to the login page when u're not logged in i'll do the same for the rest of the pages later except blogs, home, sign in routes Also the dashboard route will be protected route with user based auth
For now i wanna knw if my method is correct or not and what the things that i missed or did wrong. This is the github repo pls feel free to check it out : https://github.com/CLOG9/PuzChess/tree/main
GitHub
GitHub - CLOG9/PuzChess: a new chess puzzles platform made with nex...
a new chess puzzles platform made with next js. Contribute to CLOG9/PuzChess development by creating an account on GitHub.
261 Replies
Lumberjack
LumberjackOP2y ago
@smolcheeld
KP
KP2y ago
you on app dir or pages dir ?
Lumberjack
LumberjackOP2y ago
App Check the repo
KP
KP2y ago
u can write a middleware to do it as well. this way isnt too bad tho i have done this way personally a few times as well in the form of making a HOC that redirects to other pages this is the better way to do it tho. google around for some examples for this
Lumberjack
LumberjackOP2y ago
I saw how to make middleware Just two lines of code and u did it
KP
KP2y ago
yea do that then, its a safer option than HOC
Lumberjack
LumberjackOP2y ago
Really?
KP
KP2y ago
yes
Lumberjack
LumberjackOP2y ago
I thought the HOC is safer
KP
KP2y ago
btw u will still have to check if user is auth to make typescript happy for either way
Lumberjack
LumberjackOP2y ago
Wdym
KP
KP2y ago
next auths useSession hook that returns data it wont know if ur middleware has checked for it or not i believe so ts will show data returned by useSession as session | null
Lumberjack
LumberjackOP2y ago
Aaaah okay i got it So i don't need getServerSession? For the admin panel
KP
KP2y ago
yea its not needed thats one of the advantages of middleware, u dont need to make HOCs for diff scenarios
Lumberjack
LumberjackOP2y ago
Or just i have to make special key in the .env file for the admin user? Yeh i'll use middleware then
KP
KP2y ago
write the middleware. for each page thats for authed users only, do an if(status === "unauthenticated") redirect or do something uhm u shld assume anything on the client can be hacked and so rely on making ur serverside apis secure this way even if they hack the js and get to the admin page, all the fetch requests wont respond anythin coz u auth on the server
Lumberjack
LumberjackOP2y ago
Do u have any real projects have this type of middleware?
KP
KP2y ago
not on the app dir
Lumberjack
LumberjackOP2y ago
Aah okay
KP
KP2y ago
search it up, u shld easily find multiple examples for this
Lumberjack
LumberjackOP2y ago
Nd in my repo i did right or? For sure so just changing to middleware and make sure the admin route is safer Im bit confused in the second one
KP
KP2y ago
wdym by second one where are u makin requests ? i dont see any server code here
Lumberjack
LumberjackOP2y ago
I didn't make the api yet I'll put the code in the api route
KP
KP2y ago
basically what i meant by making it safe on server side is like on the api u do: if(!authed || !isAdmin) throw unauthrozied
Lumberjack
LumberjackOP2y ago
Ooooooooh 🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️ Silly me So i have to check in both client and server sides
KP
KP2y ago
yes always do validations on both the client and server. and always on server at the very least never do client side only
Lumberjack
LumberjackOP2y ago
I got it now, but how the server or the API will get the
authed
authed
and
isAdmin
isAdmin
props? Just passing them through the headers with axios or any lib?
KP
KP2y ago
uhm u get the session on the server from next auth
Lumberjack
LumberjackOP2y ago
🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️🤦‍♂️
KP
KP2y ago
and have a property on the session called role or wotever
Lumberjack
LumberjackOP2y ago
I can pass the data from session🤦‍♂️ Thanks bro im stupid today idk what happend to me lol
armanda 🇮🇩
hi, i have similar question but im using pages route. do i need to use getServerSideProps on protected page to check the session?
Lumberjack
LumberjackOP2y ago
@smolcheeld u here ? anyway i tried to make this in middleware but its making weird behaivor
Lumberjack
LumberjackOP2y ago
Lumberjack
LumberjackOP2y ago
when i load the page nd make a session(sign in ) it renders the other routes but when i navigate between them it gets frozen until i open the route in other tab. and even if im logged in it requires me to re-log when i try to navigate to those routes also i can access the routes from the URL so actually it still not protected
KP
KP2y ago
hmm thats weird. i havent used next auth with app dir so cant help u much there sorry not necessarily. u can check if user is authed via middleware, in getserversideprops or inside the pages render function. all 3 options have diff user exps
Lumberjack
LumberjackOP2y ago
is there any other suggestions
KP
KP2y ago
check out shadcn's taxonomy repo. that has a nextauth middleware example iirc
KP
KP2y ago
GitHub
GitHub - shadcn/taxonomy: An open source application built using th...
An open source application built using the new router, server components and everything new in Next.js 13. - GitHub - shadcn/taxonomy: An open source application built using the new router, server ...
Lumberjack
LumberjackOP2y ago
@smolcheeld hey, i fixed the issues. I just changed the middleware file to the src dir and it worked totally fine lol, anyway now im going to make user authorization and register using mysql but do u suggest using raw SQL or using drizzle? I remember that u said use prizma latter in other projects to learn SQL well. but what about now?
KP
KP2y ago
use drizzle coz it makes workin with ts easier and safer
Lumberjack
LumberjackOP2y ago
i heared that i cant use drizzle with next auth ?
KP
KP2y ago
havent tried it with next auth, but i dont see why u shldnt try askin in drizzles discord or searching for examples
Lumberjack
LumberjackOP2y ago
check this
KP
KP2y ago
ah the adapter is a WIP
KP
KP2y ago
welp, u can try to follow and clone this https://github.com/nextauthjs/next-auth/pull/7165 and ask in their discord for help when u get stuck
GitHub
[WIP] feat(adapters): add Drizzle adapter by anthonyshew · Pull Req...
☕️ Reasoning Introducing a drizzle-orm adapter! With drizzle's increasing popularity, it's no surprise that there's a discussion for an adapter. This PR adds it. 🧢 Checklist Documenta...
KP
KP2y ago
or use clerk or something else 🤷‍♂️
Lumberjack
LumberjackOP2y ago
i think i'll use prizma instead and use cleark with drizzle in the next project
KP
KP2y ago
fair enough
Lumberjack
LumberjackOP2y ago
thanks tho and sorry for annoying u
KP
KP2y ago
nah its all good
Lumberjack
LumberjackOP2y ago
@smolcheeld u here? I don't understand smthng, i saw a prizma t3 boilerplate nd it has session, verification token models I don't understand why wee beed them . I mean yes u need to check session but doesn't nextauth do that for me? Or its just ob the client side ?
KP
KP2y ago
@CLOG read the next auth docs adapters section The tldr is u need to store info somewhere - jwt or db, when u store on db u need to make some tables and shit first And so for prisma the schema needs to look like that which the t3 boilerplate gives u
Lumberjack
LumberjackOP2y ago
To make things clear: nextauth create a jwt for me or should i generate one?
KP
KP2y ago
Nah u dont need to do anything Just follow the prisma setup for next auth and thats it
Lumberjack
LumberjackOP2y ago
What user based role Aah okay
KP
KP2y ago
Wdym ? Are u askin how to add role based auth ?
Lumberjack
LumberjackOP2y ago
Well what will happen if i don't store the session on the db?
KP
KP2y ago
I havent tested this in next auth but with most auth solutions what happens is when u login and close the tab, next time u open the site again u will have to login again
Lumberjack
LumberjackOP2y ago
Oh i miss spell it, what about user based role should i make a different jwt for it?
KP
KP2y ago
But if u store sessions,u wont have to login until the sess expires Nah just add the role field to the session Thats what i did for impl role based auth and it works well
Lumberjack
LumberjackOP2y ago
And check it on the server
KP
KP2y ago
Yep For promotion to admin, i made a route that can only be navigated by typing it in And u have to give a server secret to chck if u are admin Then if its correct the persons role gets promoted For simple setups this works well eno
Lumberjack
LumberjackOP2y ago
I think i should make a jwt only if im making reset password feature Is that server secret a jwt or just an openssl key?
KP
KP2y ago
Openssl key I think u are mistaking the purpose of jwt U dont need a jwt for this either tbh
Lumberjack
LumberjackOP2y ago
I didn't understand how the client would have that key How
KP
KP2y ago
Well if its only gonna be for u and a circle of ppl u personally trust, u manually generate a key and add it to env vars and check against that Otherwise wot u wanna do is have a table wit a single entry in which u store the key but everytime its used it gets rolled over. This way there is no risk of ppl using old keys to make their friends admin without u knowing
Lumberjack
LumberjackOP2y ago
So that server secret must be typed in the url?
KP
KP2y ago
For this u generate a random crypto secure hash and store it on the users table. U send them an email with that hash in the route param and when they open that url u compare the hashes Not necessarily. Totally upto u how and where u check it If u wanna send links that ppl judt click and its done then do it that way
Lumberjack
LumberjackOP2y ago
Or just make a login page I think i understand a bit
KP
KP2y ago
Its not conceptually complicated tbh. The email part can be a bit of a pain to setup tho
Lumberjack
LumberjackOP2y ago
And that crypto should be regenerated every time the specified user try to reset his password
KP
KP2y ago
Yes. In case if ppls email gets leaked u dont want ppl with old links resetting Also u wanna store the key as hashed not in plain form, basically the same way we store passwords in db using bcrypt or some other algo The reason u wanna hash is, if ur db gets leaked somehow, anyone can reset anyones password if its not hashed
Lumberjack
LumberjackOP2y ago
Oh that's why then ...
KP
KP2y ago
Yea this is also why some companies dont let u see ur api keys more than once btw
Lumberjack
LumberjackOP2y ago
I understand now but the only thing that i don't knw why i need it is why should store the session in the db If its already known by the auth provider
KP
KP2y ago
u own ur auth with next auth u arent checking against their server
Lumberjack
LumberjackOP2y ago
I checked the next auth adapters section and its only showing how to make the model and add the prizma adapter to the options, is that it? Or should make api endpoints and POST the data?
KP
KP2y ago
u need to make a catch all api route atleast for pages dir not sure about app dir, search around or look for examples
Lumberjack
LumberjackOP2y ago
Sure
Lumberjack
LumberjackOP2y ago
@smolcheeld why im getting this
KP
KP2y ago
is this local or on planetscale ?
Lumberjack
LumberjackOP2y ago
planetscale
KP
KP2y ago
read the Making schema changes with db push part
Lumberjack
LumberjackOP2y ago
relationMode = "prisma" lol, thanks budd i don't know how i would make this app without your help
KP
KP2y ago
:D
Lumberjack
LumberjackOP2y ago
I think i miss spelled it but u got me anyway lol
KP
KP2y ago
xD
Lumberjack
LumberjackOP2y ago
@smolcheeld i made this api route i still didn't add zod validation to it but i want to make an API key to it
const API_KEY: string = process.env.DATA_API_KEY as string;

export async function POST(request: Request, response: Response) {
const { username, email, chessElo } = await request.json();

if (!username || !email)
return NextResponse.json({ message: "Missing required data" });

const res = await createUser(username, email, chessElo);

console.log(request.headers.get("authorization"));

return NextResponse.json(response);
}
const API_KEY: string = process.env.DATA_API_KEY as string;

export async function POST(request: Request, response: Response) {
const { username, email, chessElo } = await request.json();

if (!username || !email)
return NextResponse.json({ message: "Missing required data" });

const res = await createUser(username, email, chessElo);

console.log(request.headers.get("authorization"));

return NextResponse.json(response);
}
and thats the create user function
import prisma from "@/server/db/seed";
export const createUser = async (
username: string,

email: string,
chessElo?: number,
role?: "roles" | undefined,

badge?: "budges" | undefined
) => {
const user = await prisma.user.create({
data: <userType>{
username,
email,
chessElo,
role,

badge,
},
});
return user;
};
import prisma from "@/server/db/seed";
export const createUser = async (
username: string,

email: string,
chessElo?: number,
role?: "roles" | undefined,

badge?: "budges" | undefined
) => {
const user = await prisma.user.create({
data: <userType>{
username,
email,
chessElo,
role,

badge,
},
});
return user;
};
KP
KP2y ago
so what u tryin to do here
Lumberjack
LumberjackOP2y ago
Well i have two problems first i want to make a secret key to the header of this api to protect it Also idk if should i make zod validation before or after encrypting the data
KP
KP2y ago
why are u doin this ? either i dont fully understand what u are doin or u are doin something wrong is this related to role based auth where u are tryin to promote the user to admin ?
Lumberjack
LumberjackOP2y ago
I wanna make a GET method that fetchs all the users in the db but i don't want anyone to have the ability to fetch it except the admin(because i need all the uses to appear in the dashboard)
KP
KP2y ago
ah so u dont need to do this all u do is check if the user is admin inside the route i mean in the api request
Lumberjack
LumberjackOP2y ago
Aaaa okay pretty simple then What about the zod question?
KP
KP2y ago
i dont think u need to encrypt anythin
Lumberjack
LumberjackOP2y ago
Really? Why I mean everyone highly suggest to do sort of bcrypt or something like that
KP
KP2y ago
wait what specifically are u tryin to encrypt here
Lumberjack
LumberjackOP2y ago
Passwords and emails
KP
KP2y ago
u dont need to encrypt emails only encrypt things that need to stay hidden coz with any secure crypto algo like bcrypt its one way only e.g. if u do myemail@com -> somehash, u cant do somehash -> myemail@com
Lumberjack
LumberjackOP2y ago
Okay so encrypting passwords
KP
KP2y ago
yes encrypt passwords and the reset hash only
Lumberjack
LumberjackOP2y ago
Oh one way then
KP
KP2y ago
also fyi, u cant decrypt somethin after u have encrypted it but u can compare them yes, once its done, no matter what u wont get the original string
Lumberjack
LumberjackOP2y ago
Well when i add new user to the db should encrypt first then do zod validation or the opposite?
KP
KP2y ago
so this what u wanna do -> get post request -> validate stuff with zod -> bcrypt hash password -> save everything to db
Lumberjack
LumberjackOP2y ago
a POST yes
KP
KP2y ago
and if u are doin email resets, generate a random 32 digit key similar to what openssl command gives u, bcrypt hash that and store in the db
Lumberjack
LumberjackOP2y ago
I don't understand
KP
KP2y ago
also there is no point encrypting after validation coz u wont be saving the user coz the data is invalid xD
Lumberjack
LumberjackOP2y ago
Ps: I realized that im talking with u more than my mom lol, u're a life saver buddy
KP
KP2y ago
lmao
Lumberjack
LumberjackOP2y ago
I think the point of encryption is protecting the database
KP
KP2y ago
uh basically u generate a random string, hash that and save it in ur db, when the user requests email reset, u send that in the email and u compare hashes to verify if the request made is legit yes but ur idea of encryption is wrong. u dont encrypt the entire db, u encrypt certain fields of tables and u only do the encryption once before entering/updating that item/row
Lumberjack
LumberjackOP2y ago
Should it be in one of the users table columns or just a temporary key?
KP
KP2y ago
put it inside the users table col
Lumberjack
LumberjackOP2y ago
If im wrong what is the right method
KP
KP2y ago
this
Lumberjack
LumberjackOP2y ago
No problem then, i think it would be the same for password reset too?
KP
KP2y ago
yep
Lumberjack
LumberjackOP2y ago
That's great no need for jwt then
KP
KP2y ago
also if u are confused about encryption. we dont encrypt the db because like i said its a one way process for good algos so we cant use the data coz it gets converted to meaningless hashes
Lumberjack
LumberjackOP2y ago
I got it i just want to implement the best practices Just two more questions pls🙂
KP
KP2y ago
yea what i said is compliant with them go ahead, i will prob answer in a bit, got food to take
Lumberjack
LumberjackOP2y ago
First is that the right method to make an api? (The code i sent) Enjoy Second if im not going to use any sort of jwt, when should i use them ? And third (yes i knw i said two sorry ) i did session storage in the db but only for the OAuth, what about the credentials login ?
KP
KP2y ago
the logic is right but i am not sure if thats how next auth expects u to do it. i havent implemented email and password login on next itself. with nextauth i use social passwords and magic link. if i do email pass its when i have another backend.
Lumberjack
LumberjackOP2y ago
Oh okay i see, i'll search for nextauth method then
KP
KP2y ago
the jwt is a loaded question, u shld honestly just google it. as for the creds provider question idk tbh
Lumberjack
LumberjackOP2y ago
Okay, thank u bro i really appreciate ur help I think its out of context but how u guys knw that huge stuff of backed functionality and best practices? Is there a specific source or path should i take to get that knowledge cuz the most thing i hate is when i don't knw that something exists even if i don't knw how to use it
KP
KP2y ago
Watch a basic tutorial and build stuff But dont get trapped in tutorials. Watch the tut to only learn the foundational pieces
Lumberjack
LumberjackOP2y ago
I do this since 3 years but the how u guys (lets say u in this example) know some things that aren't available in the tuts. e.g. u said use middleware instead of the server session or sometimes i read the chat in the tech discussion room and i wounder how u get this info
KP
KP2y ago
a lot of those things are - we did something, searched how others are doing it and found better ways ^ do the above. doesnt matter in what order and u will learn stuff since u dont know a lot, google even the obvious stuff. i am not a backend guy, i am a frontend one but even then i google stuff i already know just to see if there isnt a better way
Lumberjack
LumberjackOP2y ago
U're correct, now i knw that using middleware in protecting routes is the great solution now and i didn't knw that before. What about blogs, articles which ones u suggest to read
KP
KP2y ago
for blogs - tkdodo's for react query stuff, read brendanovich's form blog post for specific stuff just read whatever article coz u cant really tell if its gonna be good or not for backend, i highly encourage writing an auth from scratch, dont have to connect it to a frontend or anything. just make like a simple express app, that has a login and register page and u can sign in
Lumberjack
LumberjackOP2y ago
Awesome! But sometimes i don't get certain type of answers to my questions by search, for example: what are the optimal use cases for middleware.
KP
KP2y ago
well for questions like these, first understand the meaning of it, see a few examples and that shld be eno to extrapolate use cases for it
Lumberjack
LumberjackOP2y ago
In this project, i mada auth and role based and actually i learned a lot of stuff and every day i feel my app is getting more secure but still didn't reach the point that i can handle all the app problems The meaning of middleware?
KP
KP2y ago
yes if u know how stuff works on a fundamental level u can come up with use cases urself for e.g. if u validate only in a client react comp, its gonna be less secure than doin it thru middleware because the first option is clientside and the second u are checkin on ur server
Lumberjack
LumberjackOP2y ago
Well i guess it comes before the api so any data that needs a specific thing before it gets to the endpoint, it should come across the middleware. And that's another question why should i check in the middleware and not in the api route lol
KP
KP2y ago
convenience
Lumberjack
LumberjackOP2y ago
Either im dumb or just i miss something
KP
KP2y ago
middlewares also let u reuse code u just need to sit down and make a backend side app tbh, or u could break down the taxonomy next js github repo i sent u
Lumberjack
LumberjackOP2y ago
Hmmm i definitely have to do it, well based on ur info, i have to make the zod validation and the encryption in the middleware?
KP
KP2y ago
u dont need to do the validation in the middleware or the encryption
Lumberjack
LumberjackOP2y ago
Why
KP
KP2y ago
middleware = reusable logic u want to do before ur api route so it works really well when u want to do the same thing everytime but things like validation which in one route u validate diff fields and in the other diff its not as easy to setup to make it worth it. esp with typescript and there is no reason to do encryption outside ur api route
Lumberjack
LumberjackOP2y ago
Oooh like protecting routes
KP
KP2y ago
yea coz with protecting u will always only check if loggedin, thats it
Lumberjack
LumberjackOP2y ago
Cuz the data should be sent encrypted? I got it, but is there another use cases for middleware?
KP
KP2y ago
yea but think what u are goin to do after encrypting the password, add it to the db. so this is why u shld do it in the api route because this is the core purpose of ur api route not really. just reusable code. most middlewares u see will check for auth, do cors stuff, session management stuff, etc. stuff thats common to all/multiple routes u can make validation middlewares and such but getting types to work with them is hard so ppl usually dont bother
Lumberjack
LumberjackOP2y ago
To send and encrypt the data? I think the easiest solution is doing it in the api route
KP
KP2y ago
yes it is no its to add the user to the db. encrypting the password before u do that is just a step. to make it simpler think about this, are u going to ever reuse encrypting ur password in a route other than create user and change password ? prob not so it makes no sense to create a middleware for it
Lumberjack
LumberjackOP2y ago
Well a question came to me, basically in my app when someone register the data went to the api route and it calls the prisma function to store the data, so i wondered why do i even need the api route (i know api routes are important ) i just can call the prisma function directly Finally i got the middleware use case
KP
KP2y ago
coz u connect to ur db by a connection url that shld be kept secret if u make direct requests on the client, anyone can find out ur connection url from the browser and can write stuff directly to ur db
Lumberjack
LumberjackOP2y ago
U mean The url is connected with prisma client?
KP
KP2y ago
yes ur planetscale db url and secrets next js separates public env vars (available on client and server) and private ones (only available on server)
Lumberjack
LumberjackOP2y ago
Hmmm i got it now, what about the api route i see some ppl make a type of url in the api itself Lemme send an example
KP
KP2y ago
wdym i dont understand what u mean by this
Lumberjack
LumberjackOP2y ago
I'll show u an example
Lumberjack
LumberjackOP2y ago
Lumberjack
LumberjackOP2y ago
Why he used the jsonplaceholder api?
KP
KP2y ago
to get dummy data ? like what are u really askin with this question
Lumberjack
LumberjackOP2y ago
My question is should the api's have a type of urls inside or just he did that to simulate fetching from database
KP
KP2y ago
u can fetch inside api routes and he also did it to simulate fetching from db u can do this but dont fetch ur own server's other route, re use functions instead
Lumberjack
LumberjackOP2y ago
I got it now, i guess i'll work on the form validation and the credentials login now. Also i did some search about if nextauth is okay with my method of making the api and i found out that nextauth doesn't have an adapter for credentials so either hard code it or just use OAuth.
KP
KP2y ago
there is a credentials provider but u have to do a lot of implementation urself
Lumberjack
LumberjackOP2y ago
Yes i used it but im talking about the prisma adapter it doesn't work for the credentials provider so idk i think i'll hard code a prisma function that stores a session in the users table
KP
KP2y ago
u can implement it with prisma sure the creds provider is not a plug and play option. if u see the docs they even mention why
Lumberjack
LumberjackOP2y ago
What about this? Does it help or just send the session directly to the db
callbacks: {
async jwt({ token, user }) {
if (user) {
token.accessToken = user.jwt
}

return token
},
async session({ session, token, user }) {
session.accessToken = token.accessToken
return session
}
}
callbacks: {
async jwt({ token, user }) {
if (user) {
token.accessToken = user.jwt
}

return token
},
async session({ session, token, user }) {
session.accessToken = token.accessToken
return session
}
}
KP
KP2y ago
Just refer the docs for this. But seems fine to me
Lumberjack
LumberjackOP2y ago
So no need for db? Or i have to store the jwt in the db too
KP
KP2y ago
no just look at a tutorial or example its a lot to explain
Lumberjack
LumberjackOP2y ago
"next/server";
import { form } from "@/schemas/forms";
const bcrypt = require("bcrypt");

export async function POST(request: Request, response: Response) {
const { username, password, email, confirmPassword } = await request.json();

if (!username || !email || !password) {
return NextResponse.json(
{ message: "Missing required data" },
{ status: 400 }
);
}

try {
const parsedData = await form.parse({
username,
password,
email,
confirmPassword,
});
await bcrypt.hash(parsedData.password, 10, (err: string, hash: string) => {
try {
createUser(
parsedData.username as string,
hash as string,
parsedData.email as string
);
} catch (error) {
throw error;
}
});

return NextResponse.json(parsedData);
} catch (error: unknown) {
console.log(error);
const castedError = error as {
issues?: Array<{ message: string; code: string }>;
};
const errorMessage = castedError.issues?.[0]?.message || error;

return NextResponse.json({ message: errorMessage }, { status: 400 });
}
}
"next/server";
import { form } from "@/schemas/forms";
const bcrypt = require("bcrypt");

export async function POST(request: Request, response: Response) {
const { username, password, email, confirmPassword } = await request.json();

if (!username || !email || !password) {
return NextResponse.json(
{ message: "Missing required data" },
{ status: 400 }
);
}

try {
const parsedData = await form.parse({
username,
password,
email,
confirmPassword,
});
await bcrypt.hash(parsedData.password, 10, (err: string, hash: string) => {
try {
createUser(
parsedData.username as string,
hash as string,
parsedData.email as string
);
} catch (error) {
throw error;
}
});

return NextResponse.json(parsedData);
} catch (error: unknown) {
console.log(error);
const castedError = error as {
issues?: Array<{ message: string; code: string }>;
};
const errorMessage = castedError.issues?.[0]?.message || error;

return NextResponse.json({ message: errorMessage }, { status: 400 });
}
}
what do u think
KP
KP2y ago
seems fine this is cursed tho
catch (error) {
throw error;
}
catch (error) {
throw error;
}
Lumberjack
LumberjackOP2y ago
well im having a bug, lemme show u first i made a user in the db with a unique username, its created and returns 201 status. when i recreate another one with the same username it should returns an error with a message but instead of that its not creating the recreated user but returning 201 status and logging this in the console - error unhandledRejection: { source: 'server' } when i removed the hashing method everything worked fine but i need to hash the password. i fixed it!
Lumberjack
LumberjackOP2y ago
i made some changes and i dont knw if im doing it right thats the repo pls if u dont mind check it https://github.com/CLOG9/PuzChess
GitHub
GitHub - CLOG9/PuzChess: a new chess puzzles platform made with nex...
a new chess puzzles platform made with next js. Contribute to CLOG9/PuzChess development by creating an account on GitHub.
Lumberjack
LumberjackOP2y ago
@smolcheeld u here?
KP
KP2y ago
not home today, will check tmrw when i am back
Lumberjack
LumberjackOP2y ago
Oh sorry, have fun
KP
KP2y ago
nah its ok :D
Lumberjack
LumberjackOP2y ago
@smolcheeld u here?
KP
KP2y ago
Ye
Lumberjack
LumberjackOP2y ago
first hooe your doing well. im having a problem with middleware even if im logged in its asking me to re sign in and it keeps doing that thats the next auth page :
export const options: NextAuthOptions = {
secret: process.env.JWT_SECRET,
session: {
strategy: "jwt",
maxAge: 3600 * 6,
},
callbacks: {



jwt: async ({ token, account, user }) => {
user && (token.user = user);
console.log(token);
return token;
},
session: async ({ session, token }) => {
if (token && token.user) {
session.user = token.user as any;
}
return session;
},
},
adapter: PrismaAdapter(prisma) as Adapter,
pages: {
signIn: "/auth/signin",
},
providers: [
GoogleProvider({
// profile(profile: GoogleProfile) {
// return {
// ...profile,
// role: profile.role ?? "BASIC",
// id: profile.id,
// };
// },
clientId: process.env.GOOGLE_CLIENT_ID as string,
clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
}),
CredentialsProvider({
name: "Credentials",
credentials: {
username: {
type: "text",
},
password: {
type: "password",
},
},
async authorize(credentials) {
const user = await getUser(credentials?.username as string);
if (user === null) {
//no user
throw Error("user or password not valid");
}
const ismatch = await bcrypt.compare(
credentials?.password,
user?.password
);
console.log(ismatch);
if (ismatch) {
return {
id: user.id,
role: user.role,
name: user.name,
email: user.email,
chessElo: user.chessElo,
badge: user.badge,
image: user.image,
};
} else {
// invalid pass
throw Error("user or password not valid");
}
},
}),
],
};
export const options: NextAuthOptions = {
secret: process.env.JWT_SECRET,
session: {
strategy: "jwt",
maxAge: 3600 * 6,
},
callbacks: {



jwt: async ({ token, account, user }) => {
user && (token.user = user);
console.log(token);
return token;
},
session: async ({ session, token }) => {
if (token && token.user) {
session.user = token.user as any;
}
return session;
},
},
adapter: PrismaAdapter(prisma) as Adapter,
pages: {
signIn: "/auth/signin",
},
providers: [
GoogleProvider({
// profile(profile: GoogleProfile) {
// return {
// ...profile,
// role: profile.role ?? "BASIC",
// id: profile.id,
// };
// },
clientId: process.env.GOOGLE_CLIENT_ID as string,
clientSecret: process.env.GOOGLE_CLIENT_SECRET as string,
}),
CredentialsProvider({
name: "Credentials",
credentials: {
username: {
type: "text",
},
password: {
type: "password",
},
},
async authorize(credentials) {
const user = await getUser(credentials?.username as string);
if (user === null) {
//no user
throw Error("user or password not valid");
}
const ismatch = await bcrypt.compare(
credentials?.password,
user?.password
);
console.log(ismatch);
if (ismatch) {
return {
id: user.id,
role: user.role,
name: user.name,
email: user.email,
chessElo: user.chessElo,
badge: user.badge,
image: user.image,
};
} else {
// invalid pass
throw Error("user or password not valid");
}
},
}),
],
};
and thats the middlare
export { default } from "next-auth/middleware"

export const config = { matcher: ["/dashboard"] }
export { default } from "next-auth/middleware"

export const config = { matcher: ["/dashboard"] }
so when i navigate to the dashboard route it requiring me to sign in even if im already signed in
KP
KP2y ago
GitHub
taxonomy/middleware.ts at main · shadcn/taxonomy
An open source application built using the new router, server components and everything new in Next.js 13. - taxonomy/middleware.ts at main · shadcn/taxonomy
KP
KP2y ago
also i am doing great, hope u are too :D
Lumberjack
LumberjackOP2y ago
trust me, im not lol
KP
KP2y ago
lmfao take a look at that link, that shld work for u
Lumberjack
LumberjackOP2y ago
hmmm i didnt get the most of it can you explain?
KP
KP2y ago
basically u need to make a list of pages that shld be only accessible to signed in users and then in the cb u check if they are authed or not and redirect them just copy paste his code and replace your routes and stuff and thats it pretty much
Lumberjack
LumberjackOP2y ago
i think its causing infinte redirects?
KP
KP2y ago
what is causing infinite redirects ?
KP
KP2y ago
his code shld def work coz https://tx.shadcn.com/ works
Taxonomy
Taxonomy
An open source application built using the new router, server components and everything new in Next.js 13.
Lumberjack
LumberjackOP2y ago
i'll check the options i won't se credentials provider ever again if im going to use it ill use it with clerk idk its a hell @smolcheeld if u don't mind i'll sent u the repo and check it
Lumberjack
LumberjackOP2y ago
GitHub
GitHub - CLOG9/PuzChess: a new chess puzzles platform made with nex...
a new chess puzzles platform made with next js. Contribute to CLOG9/PuzChess development by creating an account on GitHub.
KP
KP2y ago
most things seem fine here yep thats why i dont personally use it either. they intentionally dont help u out with to discourage it. sadly if thats what u need then its gonna be hard
Lumberjack
LumberjackOP2y ago
I can give u the secrets and try it by urself The sad thing is clients still ask for them to be in the design
KP
KP2y ago
is this ur own side project or for a client if its for clients u shld really just use clerk or some other auth service
Lumberjack
LumberjackOP2y ago
Its a side project Im trying to learn auth
KP
KP2y ago
welp i dont have personal exp implementing cred provider so cant help u there
Lumberjack
LumberjackOP2y ago
I think i'll switch to email provider theb Then
Endgame1013
Endgame10132y ago
Exactly why I haven’t been using next-auth for credential auth lmao
Lumberjack
LumberjackOP2y ago
Believe me when i say this project gave me trauma Hey, i used getServerSession instead of middleware cause it didn't help, now the problem is the session only return 3 values instead of the full data i tried to edit it in the callback Like this :
session.user = user
return session
session.user = user
return session
But when i check it in the server component it doesn't work @smolcheeld
KP
KP2y ago
U need to add ,user in the jwt cb and in the session cb acc to the docs
KP
KP2y ago
Callbacks | NextAuth.js
Callbacks are asynchronous functions you can use to control what happens when an action is performed.
Lumberjack
LumberjackOP2y ago
i think that is available only for jwt strategy right? or both jwt and db sessions?
KP
KP2y ago
Not sure, check the docs
Lumberjack
LumberjackOP2y ago
@smolcheeld should make friendship table relationship one to many or many to many?
KP
KP2y ago
many to many coz if i am friends with X, he is also friends with me xd
Lumberjack
LumberjackOP2y ago
something like that?
model User {
id String @id @default(cuid())
role roles @default(BASIC)
name String @unique
chessElo Int?
badge budges @default(ROCKIE)
email String? @unique
emailVerified DateTime?
image String?
followedBy Follows[] @relation("following")
following Follows[] @relation("follower")
accounts Account[]
sessions Session[]
}

model Follows {
follower User @relation("follower", fields: [followerId], references: [id])
followerId String
following User @relation("following", fields: [followingId], references: [id])
followingId String

@@id([followerId, followingId])
}
model User {
id String @id @default(cuid())
role roles @default(BASIC)
name String @unique
chessElo Int?
badge budges @default(ROCKIE)
email String? @unique
emailVerified DateTime?
image String?
followedBy Follows[] @relation("following")
following Follows[] @relation("follower")
accounts Account[]
sessions Session[]
}

model Follows {
follower User @relation("follower", fields: [followerId], references: [id])
followerId String
following User @relation("following", fields: [followingId], references: [id])
followingId String

@@id([followerId, followingId])
}
KP
KP2y ago
Prisma
Many-to-many relations
How to define and work with many-to-many relations in Prisma.
KP
KP2y ago
Read the implicit section
Coded_58
Coded_582y ago
sorry for diverting the conversation a bit, but i saw the heading was about next-auth and i needed to understand smthing.... So i've an application (pretty big) with multiple users and their roles and access level (thank goodness for the new next.js route grouping) i was able to group different UI for different users now i'm implementing next-auth credentials providers and i will like to redirect different users based on their roles to their specific route group i created a role-checking server component that run on the server and checks your session from next-auth, it then directs the user to their route... i really am beating myself if this is the best implementation for this use case or theres another way to run a function on next-auth sign-in handler @smolcheeld please help, thanks
Lumberjack
LumberjackOP2y ago
The thing that i learned from next auth is don't use their credentials provider. Use clerk or smthng else. What is the session strategy?
Coded_58
Coded_582y ago
its a seperate frontend from the backend... i only work on the frontend so i dont have much of an option... the backend developers control the authetication database just get the session from next-auth on the server and run some checks before routing users to specific route... that's what i want to know if that is a good strategy or there's a better way of implementing role-based-acces control on the overall application what i did in the middleware was check for each path if the user is authenticated and authorized to vie that route
Lumberjack
LumberjackOP2y ago
So used the middleware here? I guess u can do that, either all in one place ur Middleware or in each router if its a server component
Coded_58
Coded_582y ago
yeah. the main question is how to route users after they sign-in with next-auth sign-in function... is it okay that i have a special route page for checking their roles or is there a better way to go about it
Lumberjack
LumberjackOP2y ago
In the callbacks set the paths based on their role After u get the session, check the role then redirect them based on that Or use middleware either Just make the checking in both client and server side More important in server
Coded_58
Coded_582y ago
yeah every authenticated is being done on the server... thanks one more thing.... what i actually need is like a guide, i feel i'm doing it right but also need opionion from other devs... lets say after i created different route-groups for different users, inside each route there's also a very granular access level, lets say for example i defined a sidebar that holds 7 different link menus, the head or let's say admin of that particular route give access and authorization to different users the admin goes to the settings page, choose a particular user and gives them access to some part of the sidebar menu that basically means every menu on the sidebar must go thru an authorization check. what i implemented was each sidebar menu gets the user details from the database and check if they are authorized to view that page or not please is there a better way to go about it cuz that basically mean each sub page of each menu will also go thru that check... sorry for the long a** message desperately need some clarity
Lumberjack
LumberjackOP2y ago
So u're checking in every single route?
KP
KP2y ago
U can try middlewares for this Ur current approach isnt bad either. Middleware is a more "clean" way to do it
Lumberjack
LumberjackOP2y ago
U used tauri before right?
KP
KP2y ago
a bit yea
Coded_58
Coded_582y ago
yeah exactly... how can i go about it correctly sending the next-auth callback to the middleware or?? a bit confused
Lumberjack
LumberjackOP2y ago
Since i used database session as my strategy i used server components to check the user roles So make sure u use them U check the role in the middleware and redirect the user based on that
Coded_58
Coded_582y ago
thanks
Lumberjack
LumberjackOP2y ago
U still can use middleware tho
Coded_58
Coded_582y ago
ohh yeah, already implemented that... just extra checks and making sure the frontend authentication is perfect
Lumberjack
LumberjackOP2y ago
Im looking to make a feature that allows me to use an external printer Make sure to query that via an api
KP
KP2y ago
u just check it in the middleware. look at this for e.g. https://github.com/shadcn/taxonomy/blob/main/middleware.ts
GitHub
taxonomy/middleware.ts at main · shadcn/taxonomy
An open source application built using the new router, server components and everything new in Next.js 13. - shadcn/taxonomy
KP
KP2y ago
interesting. would suggest u check the stuff it supports first tho coz when i tried it i found very often i need x but tauri doesnt have it and electron does
Lumberjack
LumberjackOP2y ago
I see, electron is cursed tho but it is what it is
KP
KP2y ago
using a cursed thing is better than somethin that literally doesnt do what u want tho 🤷‍♂️
Lumberjack
LumberjackOP2y ago
Even if the performance is the tradeoff?
KP
KP2y ago
yea. somethin workin will nearly always be better than nothin at all.
Coded_58
Coded_582y ago
🙌 few minutes into the repo and i have already refactored a bit🫡
KP
KP2y ago
yea its a great resource fr. have fun with ur learning :D
Lumberjack
LumberjackOP2y ago
GitHub
[feat] Provide print API · Issue #4917 · tauri-apps/tauri
Describe the problem Tauri lacks a print API and this make it very difficult for electron based apps that perform lots of work with printers to migrate to Tauri, there are many use cases Unable to ...
Lumberjack
LumberjackOP2y ago
i think electron is the way for this project
KP
KP2y ago
yea tauri has lot of shit electron doesnt deranged
Lumberjack
LumberjackOP2y ago
electron is slow poohheh
KP
KP2y ago
vs code and discord are electron it will be fine for ur usecase unless ram is ur issue
Lumberjack
LumberjackOP2y ago
basically im making a store management app. user receipt, stock and revenue,etc.. but i want to make it with complex ui (shadows, animations )
KP
KP2y ago
electron shld be fine for this
Lumberjack
LumberjackOP2y ago
am i able to use react stuff with it? like framer motion, tailwind?
KP
KP2y ago
u can use any framework u want with it
Lumberjack
LumberjackOP2y ago
theowat
Sturlen
Sturlen2y ago
I'd be careful with animations for such a system. I've made similar industrial applications and there is nothing more annoying to a worker putting in a hundred orders per day, than long-winded or flashy animations
KP
KP2y ago
yes although idk why u would want next with it
Lumberjack
LumberjackOP2y ago
the animations im trying to make just the page transitions, pop out , fades in/out spinners how would i handle the backend (works local)?
KP
KP2y ago
oh i thought this purely a clientside thing yea t3 shld be pretty good for this or next app dir if uwant that
Lumberjack
LumberjackOP2y ago
im going to use sqlite for the records trpc sounds pretty handy for this project
Coded_58
Coded_582y ago
please how can i solve this error, i cant seem to use the apostrophe
Coded_58
Coded_582y ago
i just started using typescript
KP
KP2y ago
You can write it as {`Text with apostraphe here } any type of string declaration works in there not just
Coded_58
Coded_582y ago
but thats just plain text, i wasnt even evaluating an expression... what about if my database returns an apostraphe??
KP
KP2y ago
vars dont have this problem. the problem here is a js syntax problem nothin else.
Coded_58
Coded_582y ago
alright... thank you
dingo
dingo2y ago
Yes, except you mean a hash 🙂
KP
KP2y ago
yea i meant hashes
Want results from more Discord servers?
Add your server