andreasb
andreasb
Explore posts from servers
WWaspKKyselyXXataKKindeBABetter Auth
PostsComments
BABetter Auth
Created by andreasb on 4/3/2025 in #help
2FA email login with `auth.api`: Ensure verification is completed?
Hey! When using auth.api.signInEmail to sign in to a user with 2FA (TOTP) enabled, how do I ensure that the 2FA verification has been completed for that session? I can always say that after signing in, the user is redirected to the 2FA verification flow, but I don't see any immediate Better-Auth-native way of blocking the user from simply changing the URL and go to a different page again and thus avoid 2FA. Should the result of the auth.api.verifyTOTP perhaps be stored in the Session table for easy look-up to ensure that the user has indeed successfully completed the verification? Or am I completely missing something here, for instance that the user shouldn't actually be logged (i.e., no Session is created) in unless they complete 2FA? Possible quirk: I don't use the client-side authClient, I have all interactions on server-side using auth.api.{method} and I've done all necessary migrations and TOTP enabling/disabling from user profile works as expected. I use fullstack SvelteKit with interactions via form actions.
3 replies
BABetter Auth
Created by andreasb on 1/16/2025 in #help
Support for MSSQL (SQL Server) via Kysely
I'm attempting to use Better Auth in my SvelteKit project, connected via Kysely to MSSQL (Azure SQL Server) . While some parts seem to work, I believe other parts of the Better-Auth internals rely on non-MSSQL compliant code. Few things I've noticed so far: 1) Limiting the result set of a SQL query does not use for instance SELECT * FROM Users LIMIT 10; but instead SELECT TOP 10 * FROM Users;
2) Returning values from non-SELECT queries does not use RETURNING but instead OUTPUT. Examples: Postgres: 
INSERT INTO Users (Name, Email) 
VALUES ('John Doe', '[email protected]') 
RETURNING id, created_at
INSERT INTO Users (Name, Email) 
VALUES ('John Doe', '[email protected]') 
RETURNING id, created_at
MSSQL: 
INSERT INTO Users (Name, Email) 
OUTPUT INSERTED.id, INSERTED.created_at
VALUES ('John Doe', '[email protected]')
INSERT INTO Users (Name, Email) 
OUTPUT INSERTED.id, INSERTED.created_at
VALUES ('John Doe', '[email protected]')
In the Kysely adapter there's a withReturning function which specifies query building for specifically mysql and non-mysql queries [1]. Could this be a good place to replace the use of .returningAll() with .outputAll('inserted')? 3) Perhaps as a result of the issues raised in (2), I'm having issues with the signInEmail both on the auth API and on the client-side auth client. It creates the Session entry in the database and sets the cookie, but the value is incomplete. Cookie name: better-auth.session_token Cookie value: undefined.1TfYi...... Notice the undefined rather than containing the token(?). Am I mistaken if I believe that the cause can be seen in [2], where the session.session.token is undefined perhaps due to the lack of a returning value from the database INSERT statement, due to the difference between Postgres and MSSQL in handling RETURNING vs OUTPUT? __ [1] https://github.com/better-auth/better-auth/blob/d2ce9da9b20ebb37444efea95c0d9bcf1d825119/packages/better-auth/src/adapters/kysely-adapter/kysely-adapter.ts#L200 [2] https://github.com/better-auth/better-auth/blob/f356bac8ea2d69836754725e08ef459a4d1573a1/packages/better-auth/src/cookies/index.ts#L150
9 replies
XXata
Created by andreasb on 8/12/2024 in #help
Immutability & tamper-proofing?
Hey! Are there any plans to expand the scope of Xata into the immutability/ledger db space? We have solutions such as ImmuDB, Dolt SQL, XTDB, SQL Server 2022 Ledger and so on which provides cryptographically verifiable tamper-proofing of data (i.e., you cannot change data in the database without traces). Does Xata see this as something within its scope?
8 replies
KKinde
Created by andreasb on 2/5/2024 in #💻┃support
Auth check in +layout.server.ts – known issues?
Hi! 🙌 From working in SvelteKit I've gotten used to avoiding +layout.server.ts for auth checks (reasons illustrated by Svelte connoisseur Hunter Johnston in [1] and [2]), but the Kinde docs uses +layout.server.ts as an example of auth checking [3]. Are there any particular implementation details in Kinde making the issues raised in [1] and [2] null and void? [1] https://www.youtube.com/watch?v=UbhhJWV3bmI [2] https://www.youtube.com/watch?v=K1Tya6ovVOI [3] https://kinde.com/docs/developer-tools/sveltekit-sdk/#check-if-the-user-is-authenticated
8 replies
WWasp
Created by andreasb on 1/30/2024 in #🙋questions
Tightly coupled to React?
Just came across Wasp-lang and OpenSaaS, both looking really interesting! Looking through the docs and example code, it seems rather tightly coupled to React, so I might already know the answer here. Would it be at best non-trivial to de-couple React and introduce for instance Svelte instead?
7 replies