Maxi Calderón
Theo's Typesafe Cult
Created by Maxi Calderón on 10/3/2023 in #questions
Understanding Next-Auth role in my app.
Hi everyone, I'm working on my first project with the T3 stack, and apart from TypeScript, Next.js, Prisma, and Tailwind, the rest is pretty new to me. I have already created the signup and login flow with tRPC and Next-Auth, but I'm in serious doubt about whether my understanding of what Next-Auth is for is correct. I mean, I'm using MongoDB but a JWT strategy for the session. I'm using the credentials approach as it is a requirement from the project. I'm using Next-Auth for the login process and to pass required data to be used in the frontend through the session, but nothing else other than that. Should I be using any token somewhere? Or is just using a protected procedure with tRPC enough for security? I'm really used to the "old way" of doing backend where you send the access token as part of the header to validate permissions. Also, the refresh token as part of the cookies and a lot of strategies like token rotation and token reuse. I'm not using any of that, or at least as far as I know, so I'm really confused and insecure about my app's security.
3 replies
Created by Maxi Calderón on 9/22/2023 in #questions
Auto sign-in after sign-up
Hello,
I have created a router with tRPC for the sign-up of an app. This function performs several processes, such as checking for an existing user, creating a new user in the database, and sending an OTP email.
I would like to implement an auto sign-in feature after the sign-up. To achieve this, I am currently returning the email and password of the user from the tRPC route to the client side when they complete the sign-up process. Once on the client side, I run the signIn function from Next-Auth.
Is this the correct and most secure approach to achieve this? Is it safe to return the email and password to the client in order to execute the signIn function?
Thank you very much!
2 replies