andreasb
Better Auth
Created by andreasb on 4/3/2025 in #help
2FA email login with `auth.api`: Ensure verification is completed?
Hey! When using `auth.api.signInEmail` to sign in to a user with 2FA (TOTP) enabled, how do I ensure that the 2FA verification has been completed for that session? I can always say that after signing in, the user is redirected to the 2FA verification flow, but I don't see any immediate Better-Auth-native way of blocking the user from simply changing the URL and going to a different page again and thus avoiding 2FA.
Should the result of the `auth.api.verifyTOTP` perhaps be stored in the Session table for easy look-up to ensure that the user has indeed successfully completed the verification? Or am I completely missing something here, for instance that the user shouldn't actually be logged in (i.e., no Session is created) unless they complete 2FA?
Possible quirk: I don't use the client-side `authClient`; I have all interactions on the server side using `auth.api.{method}`, and I've done all necessary migrations, and TOTP enabling/disabling from the user profile works as expected. I use fullstack SvelteKit with interactions via form actions.
3 replies
Better Auth
Created by andreasb on 1/16/2025 in #help
Support for MSSQL (SQL Server) via Kysely
I'm attempting to use Better Auth in my SvelteKit project, connected via Kysely to MSSQL (Azure SQL Server).
While some parts seem to work, I believe other parts of the Better-Auth internals rely on non-MSSQL-compliant code.
A few things I've noticed so far:
1) Limiting the result set of a SQL query does not use, for instance, `SELECT * FROM Users LIMIT 10;` but instead `SELECT TOP 10 * FROM Users;`
2) Returning values from non-`SELECT` queries does not use `RETURNING` but instead `OUTPUT`. Examples:
Postgres:
MSSQL:
In the Kysely adapter there's a `withReturning` function which specifies query building specifically for mysql and non-mysql queries [1]. Could this be a good place to replace the use of `.returningAll()` with `.outputAll('inserted')`?
3) Perhaps as a result of the issues raised in (2), I'm having issues with `signInEmail` both on the auth API and on the client-side auth client. It creates the Session entry in the database and sets the cookie, but the value is incomplete.
Cookie name: `better-auth.session_token`
Cookie value: `undefined.1TfYi......`
Notice the `undefined` rather than containing the token(?). Am I mistaken if I believe that the cause can be seen in [2], where `session.session.token` is `undefined`, perhaps due to the lack of a returned value from the database INSERT statement, owing to the difference between Postgres and MSSQL in handling `RETURNING` vs `OUTPUT`?
__
[1] https://github.com/better-auth/better-auth/blob/d2ce9da9b20ebb37444efea95c0d9bcf1d825119/packages/better-auth/src/adapters/kysely-adapter/kysely-adapter.ts#L200
[2] https://github.com/better-auth/better-auth/blob/f356bac8ea2d69836754725e08ef459a4d1573a1/packages/better-auth/src/cookies/index.ts#L150
9 replies
Immutability & tamper-proofing?
Hey! Are there any plans to expand the scope of Xata into the immutability/ledger DB space? We have solutions such as ImmuDB, Dolt SQL, XTDB, SQL Server 2022 Ledger and so on which provide cryptographically verifiable tamper-proofing of data (i.e., you cannot change data in the database without leaving traces). Does Xata see this as something within its scope?
8 replies
Kinde
Created by andreasb on 2/5/2024 in #💻┃support
Auth check in +layout.server.ts – known issues?
Hi! 🙌
From working in SvelteKit I've gotten used to avoiding `+layout.server.ts` for auth checks (reasons illustrated by Svelte connoisseur Hunter Johnston in [1] and [2]), but the Kinde docs use `+layout.server.ts` as an example of auth checking [3].
Are there any particular implementation details in Kinde making the issues raised in [1] and [2] null and void?
[1] https://www.youtube.com/watch?v=UbhhJWV3bmI
[2] https://www.youtube.com/watch?v=K1Tya6ovVOI
[3] https://kinde.com/docs/developer-tools/sveltekit-sdk/#check-if-the-user-is-authenticated
8 replies
Wasp
Created by andreasb on 1/30/2024 in #🙋questions
Tightly coupled to React?
Just came across Wasp-lang and OpenSaaS, both looking really interesting!
Looking through the docs and example code, it seems rather tightly coupled to React, so I might already know the answer here.
Would it be, at best, non-trivial to decouple React and introduce, for instance, Svelte instead?
7 replies