Use auth on client or server (NEXTJS)

Hey, for security and optimization reasons, should I use server-side authentication (e.g., await auth.api... in a server component) and pass the result to the client component when needed, or is it better to use the client-side authentication directly (authClient)? In which cases should I use one over the other?
8 Replies
bekacru (2mo ago)
we suggest using authClient instead
MarkMiklos (2mo ago)
What is the reason for the client-side suggestion, if I may ask?
bekacru (2mo ago)
It's easier to set cookies. At the end of the day both methods make a fetch call.
SxYxuse (OP, 2mo ago)
Okay ty
Glen Kurio (2w ago)
How do I do server-side validation of the provided info during user sign-up/sign-in using authClient? How do I check whether an email is disposable? How do I set rate limits of my own (the better-auth ones have bugs)? How do I check that the user is not trying to submit data harmful to the DB while bypassing the client validation? Am I not understanding the design of better-auth properly? Could you clarify these concerns of mine, please? I cannot do that in the auth config:
import { betterAuth } from "better-auth";
import { drizzleAdapter } from "better-auth/adapters/drizzle";
import { db } from "./db";                     // assumed: the Drizzle instance
import { sendForgotPassword } from "./email";  // assumed: the poster's own mail helper

export const auth = betterAuth({
  database: drizzleAdapter(db, {
    provider: "pg",
  }),

  emailAndPassword: {
    enabled: true,
    async sendResetPassword({ user, url, token }, request) {
      // Note: the reset URL carries the token, so logging it writes the secret to the logs.
      console.log("Email being sent with url: ", url);
      console.log("Email being sent to Email : ", user.email);
      // Hard-coded recipient as posted (the address was obfuscated by extraction).
      await sendForgotPassword(url, "[email protected]");
    },
  },
});
Where should I do server-side stuff?
bekacru (2w ago)
have you checked out hooks? also what is the bug with the rate limiter?
bekacru (2w ago)
Hooks | Better Auth
Better Auth Hooks let you customize BetterAuth's behavior
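As an added example (not code from this thread or from the Better Auth project): the server-side validation asked about above is the kind of logic that belongs in a Better Auth `hooks.before` middleware (built with `createAuthMiddleware` from `better-auth/api`, per the linked docs). The block keeps the logic framework-free so it runs on its own; the `ctx` shape `{ path, body }`, the `/sign-up/email` path, the limits and the disposable-domain list are assumptions.

```javascript
// Added example, not from the thread or from Better Auth. Server-side sign-up validation
// that a `hooks.before` middleware could call; the ctx shape { path, body } is assumed.

// Constructed deny list; in production load a maintained disposable-domain feed instead.
const DISPOSABLE_DOMAINS = new Set(["mailinator.com", "guerrillamail.com", "tempmail.dev"]);

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const CONTROL_RE = /[\u0000-\u001f\u007f]/;

// Returns { ok: true, email } with a normalized address, or { ok: false, reason }.
// Because this runs on the server, a client that skips its own validation cannot bypass it.
function validateSignUpBody(body) {
  if (!body || typeof body !== "object") return { ok: false, reason: "missing body" };
  const { email, password, name } = body;
  if (typeof email !== "string" || !EMAIL_RE.test(email.trim()))
    return { ok: false, reason: "invalid email" };
  const normalized = email.trim().toLowerCase();
  const domain = normalized.slice(normalized.lastIndexOf("@") + 1);
  if (DISPOSABLE_DOMAINS.has(domain)) return { ok: false, reason: "disposable email domain" };
  if (typeof password !== "string" || password.length < 12 || password.length > 128)
    return { ok: false, reason: "password length out of range" };
  if (typeof name !== "string" || name.length === 0 || name.length > 64 || CONTROL_RE.test(name))
    return { ok: false, reason: "invalid name" };
  return { ok: true, email: normalized };
}

// Before-hook body: intercept only the email sign-up path (assumed: "/sign-up/email") and
// reject before anything is written; in Better Auth you would throw its APIError instead.
function signUpGuard(ctx) {
  if (ctx.path !== "/sign-up/email") return;          // every other endpoint passes through
  const result = validateSignUpBody(ctx.body);
  if (!result.ok) throw new Error(`sign-up rejected: ${result.reason}`);
  ctx.body.email = result.email;                      // persist the normalized address
}
```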
Glen Kurio (2w ago)
I set up the sign-in with
requireEmailVerification: true
and a custom rate limit
rateLimit: {
  enabled: true,
  customRules: {
    "/sign-in/email": {
      window: 120,
      max: 5,
    },
    "/send-verification-email": {
      window: 600,
      max: 2,
    },
  },
},
So when a user signs in, it sends the verification email if the user's email is not verified. So despite the send-verification-email rate limit being much stricter, it uses the sign-in/email rate limit and sends 5 emails in 120 s instead of 2 in 600 s in my example. So the send-verification-email rate limit is only applied when this endpoint is called directly.

Thank you. Somehow I missed this part, my bad 🤦‍♂️

I believe this rate limit "bug" I described is already known; this is from the docs: "Server-side requests made using auth.api aren't affected by rate limiting. Rate limits only apply to client-initiated requests." When I call sign-in it calls send-verification-email from the server, and that's why send-verification-email's rate limit is not applied?