some confusion regarding authentication when accessing third-party APIs in SolidStart.
I have some confusion regarding authentication when accessing third-party APIs in SolidStart. Here’s the scenario:
1. I want to use Server-Side Rendering (SSR), so I chose SolidStart.
2. When accessing a third-party API, bearer authentication is required.
3. In SolidStart, both the client and server may make API requests.
4. For server-side requests, I store the token in a cookie attached to the HTTP request. The server then extracts the token and makes the third-party API request. This approach seems feasible and necessary (since only cookies can consistently carry the token with each request).
5. After rendering, the client-side may also need to access authenticated APIs. In this case, both cookies and localStorage can be used. However, localStorage is more convenient due to the security setting of httpOnly for cookies.
6. Handling client-side API requests requires the same logic.
My questions are:
1. Should I explicitly differentiate between server-side rendering (using the token from cookies) and client-side rendering (using the token from localStorage)?
2. Are there any other better solutions?
Thanks a lot
8 Replies
If you want both the server and the client to talk directly to the third-party API, then you will need a method to grab the auth token from either the client or the request headers depending on the environment.
Another approach would be to only talk to the third party API via the server, so that you only ever retrieve the auth token from cookies. This would be pretty easy to do with a server function.
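To make the server-only approach above concrete, here is an added example (not code from the thread or from SolidStart itself) of a server-function-style handler that reads the bearer token from the incoming request's cookie, calls the third-party API with it, and never hands the token to client-side JavaScript, so the cookie can stay httpOnly. The cookie name `api_token`, the upstream URL `https://api.example.test`, and the `/v1/me` path are assumptions; in real SolidStart the function would carry a `"use server"` directive and obtain the request via `getRequestEvent()`, but here the request and the fetch implementation are passed in so the example runs without the framework.

```javascript
// Added example, not from the original thread or from SolidStart.
// Assumptions (not in the original post): the cookie is named "api_token" and
// the third-party API lives at https://api.example.test (placeholder).
const TOKEN_COOKIE = "api_token";              // assumed cookie name
const UPSTREAM = "https://api.example.test";   // placeholder upstream base URL

// Parse a Cookie request header into a name -> value map.
// Values are URL-decoded; malformed pairs are skipped rather than thrown on.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    if (!name) continue;
    try {
      out[name] = decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      // skip cookies with bad percent-encoding
    }
  }
  return out;
}

// Extract the bearer token from the request's cookie, or null if absent.
function tokenFromRequest(request) {
  const cookies = parseCookies(request.headers.get("cookie"));
  const token = cookies[TOKEN_COOKIE];
  return token && token.length > 0 ? token : null;
}

// Build the upstream request: forward only an Authorization header, never the
// browser's Cookie header, so the session cookie does not leak to the third party.
function buildUpstreamRequest(path, token) {
  return new Request(new URL(path, UPSTREAM), {
    headers: { authorization: `Bearer ${token}`, accept: "application/json" },
  });
}

// The server-side handler. In real SolidStart this would be a "use server"
// function using getRequestEvent(); here request and fetchImpl are parameters.
async function fetchProfile(request, fetchImpl = fetch) {
  const token = tokenFromRequest(request);
  if (token === null) {
    // Fail closed: do not call upstream without credentials.
    return { status: 401, body: { error: "not authenticated" } };
  }
  const res = await fetchImpl(buildUpstreamRequest("/v1/me", token));
  if (res.status === 401) {
    // Upstream rejected the token: surface it as a re-login, not a 500.
    return { status: 401, body: { error: "token rejected by upstream" } };
  }
  return { status: res.status, body: await res.json() };
}

// Constructed sample request, as a browser would send it to the SolidStart server.
const sampleRequest = new Request("https://app.example.test/", {
  headers: { cookie: "theme=dark; api_token=abc123" },
});

// Constructed fake upstream for the offline run: checks the Authorization
// header and verifies that no Cookie header was forwarded.
async function fakeUpstream(req) {
  if (req.headers.get("cookie") !== null) {
    return new Response(JSON.stringify({ error: "cookie leaked" }), { status: 500 });
  }
  if (req.headers.get("authorization") !== "Bearer abc123") {
    return new Response(JSON.stringify({ error: "bad token" }), { status: 401 });
  }
  return new Response(JSON.stringify({ id: 42, name: "Ada" }), { status: 200 });
}

// Stand-alone run: resolves to { status: 200, body: { id: 42, name: "Ada" } }.
fetchProfile(sampleRequest, fakeUpstream).then((r) => console.log(r));
```

The client then calls the server function instead of the third-party API directly, which is why the token never has to be copied into localStorage. Runs on Node 18 or later, where `Request`, `Response` and `fetch` are globals.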
Thanks. I am going to learn how to use server functions, which I found in the server runtime part of the docs. I hope the extra latency of the request going from the user to the SolidStart server and then to the third-party API is worth it.
It is very strange to first send a request to the SolidStart server and then to an external server.
For this you can use an HTTP client on the client side. And then the external server sets the httpOnly cookies. SolidStart could be used to render pages.
It would not be worth loading SolidStart with unnecessary traffic.
Not really, I've done it before and seen other apps do the same. Works fine.
Can you show an example?
Don't have one on hand, no.
Under this scenario, I will save a copy of the token in localStorage for client rendering, such as requesting more data from the third-party API, because JS cannot read an httpOnly cookie, and the client has to get the token from localStorage. Thus, I think httpOnly could be removed.
I'll show you tomorrow how I did it on SolidStart + Django.