Signup & Next Auth

Hey all! I'm new to signup and Next Auth and had a question about handling both. I'm using T3 Stack for my app and have a signup form set up and working. I'm wondering, when it comes to sign-in, I query the DB with the user input; if successful, should I be using the Next Auth Email Provider or Credentials Provider? There are a ton of guides out there for Next Auth, but pretty much all of them cover OAuth and not handling email/password signup/login. I like the MFA provided by the Next Auth Email Provider, so it'd be nice to keep it and not have to build it from scratch.
81 Replies
barry (17mo ago)
Because it sucks at email or username auth
SiiR (OP, 17mo ago)
What does? That doesn't answer my question. I'm here to learn, so I'm open to being taught. I've never dealt with account creation and auth, so it's a brand new thing to me. If I should ditch Next Auth that's cool, but why, and what else?
barry (17mo ago)
next-auth sucks at anything not oauth
SiiR (OP, 17mo ago)
Ok, I'll look into alternatives. I liked the idea of Next Auth since it would handle sessions and JWTs for me as well as the MFA, but if there are better solutions then I'm all for it. Thanks for the feedback.
Ryan (17mo ago)
I'm doing credentials with Next Auth right now. It just checks the credentials against a database and returns a JWT to the browser if it's a match, and you get to handle your own verification logic inside the authorize() function in auth/[...nextauth]/route.ts. Can you explain in detail what makes it suck at credential-based auth? I might jump ship if it's bad enough. Also, what would you recommend for implementing auth?
barry (17mo ago)
JWTs. The fact you need to use a JWT because it's credentials is dumb.
barry (17mo ago)
if you're doing credentials then https://lucia-auth.com/ or rolling auth yourself is what i would do
Ryan (17mo ago)
What's wrong with JWTs for credentials? What are the downsides to requests getting prefixed by a token unique to that user? And what would a better alternative be?
barry (17mo ago)
I kinda just follow OWASP's recommendations, to use sessions whenever you have stateful auth. The major downside of JWTs is you can't kill a session, or change a role of a person. Or, it won't be reflected until a new JWT is generated. So if someone is promoted to admin, they won't see it until a new JWT is made. If a user is banned off of a service, they're not banned until the JWT runs out. If a user wants to kill a session, it can't be.
Ryan (17mo ago)
Hm. So if you ban a user, and they keep their old JWT, they can still act as if they weren't banned?
barry (17mo ago)
Yup. Since the JWT is either valid or not, based on encryption, not based on what the database says.
Ryan (17mo ago)
Is there a way to quickly invalidate and replace their JWT so that doesn't happen?
barry (17mo ago)
That's the upside, you don't have to access the database to check. By adding a check in the database, you've neglected the upside of JWTs and basically made sessions with JWTs. Doesn't make sense. Just use sessions lol
Ryan (17mo ago)
So with sessions, do you do a DB lookup every time the user does a request, and verify it against the DB?
barry (17mo ago)
Yup
Ryan (17mo ago)
damn LMAO
barry (17mo ago)
That's not slow though. It's pretty damn fast.
Ryan (17mo ago)
Is there a go-to standard library for managing session auth? Is Lucia that library?
barry (17mo ago)
Nope. There's libraries for it for almost everything.
Neto (17mo ago)
JS is the wild west of libraries. If you can think of a problem that you don't want to solve, there is a library for you (probably) out there.
barry (17mo ago)
Express has express-session. Fastify has fastify auth and fastify session. gorilla/mux has gorilla/sessions. Fiber has their session middleware. There's always going to be a library for doing it tbh. It's been the standard way to do auth for decades.
Ryan (17mo ago)
So why do you like Lucia?
barry (17mo ago)
Because it's in TypeScript land. I also like doing it myself.
Ryan (17mo ago)
Does next-auth really only support sessions for OAuth? That's weird.
Neto (17mo ago)
It does support password sessions, but the experience of using it is awful. Next Auth in general has a really weird experience of using it. It's fine until you find a very very very weird problem that is very hard to poohheh
barry (17mo ago)
OAuth is great so I don't mind, but I've been playing around with passwords etc. so it's not viable for me.
SiiR (OP, 17mo ago)
Do you have a repo I could look at? @thatbarryguy That's quite informative, thanks again for the feedback. This is my first time diving into account creation and auth, so I'm completely in the dark with go-tos and how-tos.
Ryan (17mo ago)
https://github.com/machina20/prisma-learning-/ Right now it just has username/password login/registration. Once you register an account, it sends an email using Mailgun, and then once you nav to the link it sends you, your account is verified and you can log in.
Ryan (17mo ago)
it uses prisma
SiiR (OP, 17mo ago)
Thanks, I just want to check out how you handle Next Auth with this, but from what I read above it seems to make sense to use Lucia.
Ryan (17mo ago)
Seems that way haha. @thatbarryguy @nyxawaits do you guys have a recommended way to send emails with a Next.js app?
Neto (17mo ago)
resend
SiiR (OP, 17mo ago)
Thanks guys
Ryan (17mo ago)
How does this stack up to Nodemailer, Mailchimp etc.? Looks cool.
Neto (17mo ago)
With Resend you can use "React to write mails". Nodemailer, Mailchimp and others only send the email; you write the content and such.
SiiR (OP, 17mo ago)
I remember looking at this in my last job. Anyone that's written email templates before knows the pain of not using React.
Neto (17mo ago)
Writing emails is painful overall, so a provider where you can easily use something like React is very very nice. Not even React itself; writing emails is just annoying. Each provider renders differently, so it's a shit show.
SiiR (OP, 17mo ago)
It really is, and there isn't an industry standard for sizing or light mode vs dark mode targeting across the different platforms.
Ryan (17mo ago)
Damn, this looks pretty cool. What would you say are the email services that dissenters would say are better than Resend?
Neto (17mo ago)
Most of them do the same: send emails. What matters is what you want DX-wise. Resend feels the best.
Ryan (17mo ago)
What do you recommend as far as auth libraries go? Lucia as well?
Neto (17mo ago)
Next Auth is okay. I'm a fan of Lucia. Most paid auth providers are fine.
Ryan (17mo ago)
Are Clerk and Supabase paid?
Neto (17mo ago)
If they have a free tier it's even better.
Ryan (17mo ago)
One thing though is breaking changes.
Neto (17mo ago)
Clerk with free tier, same with Supabase.
Ryan (17mo ago)
Would using a service like Supabase or Clerk be better just to avoid the breaking changes?
Neto (17mo ago)
Most major auth providers have a free tier offer.
Ryan (17mo ago)
What would you say is the most popular auth solution today?
barry (17mo ago)
Sendgrid I guess. There isn't really one.
Neto (17mo ago)
Most of them have tradeoffs.
barry (17mo ago)
Comes down to what the backend is made with.
Ryan (17mo ago)
What if it's a Next.js project with a Postgres backend running on a Docker container?
barry (17mo ago)
Well, hopefully that's at least 2 containers.
Ryan (17mo ago)
You mean like a container for the application too?
barry (17mo ago)
And a third for nginx or Caddy or something. 1 for Next, 1 for Postgres, 1 for nginx / Caddy. Could have more, like a TLS service etc.
Ryan (17mo ago)
Is it better to deploy on Vercel to use the regional edge functions for cheaper? I heard that's a lot cheaper than Lambda and faster.
barry (17mo ago)
🤷
Ryan (17mo ago)
Have you ever used Vercel?
barry (17mo ago)
Yes
Ryan (17mo ago)
I'm using it to host my portfolio, so I'm assuming it does the nginx load balancing stuff automatically. I'm scared of hidden scaling costs though.
Neto (17mo ago)
Vercel free tier is very generous.
barry (17mo ago)
For some things. But image optimization and other features? Not so much.
Ryan (17mo ago)
How do you guys feel about clerk.dev?
barry (17mo ago)
meh
Neto (17mo ago)
^
Ryan (17mo ago)
People give good reviews for that on Reddit. Have you guys used Clerk? Also, what do you guys think is the best tech stack for a solo developer doing SaaS applications? I'm always afraid of spending lots of time diving into something that may not be the widely recommended tool for a certain job.
Neto (17mo ago)
Unless you are experienced, don't roll your own auth. Using Clerk/Auth0/whatever is fine as long as it's a recommended service. You can try Clerk and see what happens.
barry (17mo ago)
I personally don't like that take, it's not as complicated as it's made out to be
Neto (17mo ago)
If you are using OAuth stuff, sure.
barry (17mo ago)
Email/Username & Passwords too. OAuth is more complicated.
Neto (17mo ago)
Yes, Next Auth exists for that.
barry (17mo ago)
Meh, it's more complicated but not necessary for an auth lib
Ryan (17mo ago)
When you guys say "roll your own auth", do you mean something like Lucia? Or even more low level than that??
barry (17mo ago)
literally just writing all the shit yourself
Ryan (17mo ago)
I write my auth directly in assembly, I prefer the control it gives me. Do you do this with REST APIs? Hm, what is the traditional route to do the things that Resend does? What would need to be done under the hood?
Neto (17mo ago)
Something like AWS SES, SendGrid, or another basic mail sender, then something to create the email content.
Ryan (17mo ago)
Is something like Resend worth it at the higher tiers? Or would it be better to implement it yourself in the long run?
Neto (17mo ago)
you can use https://github.com/resendlabs/react-email and use your own email provider
herbertsmith (17mo ago)
This was a fantastic read, thank you for your insights