Authentication & Authorization library for the Next.js framework
License: MIT License
The old API relied on `getInitialProps` and a HOC component. The new API works with API routes and `getServerSideProps`, so the documentation needs updates.
Is it possible to create an example using an external API instead of Next API routes? By external API I mean a regular Node.js API running on another port but in the same domain; it can be using Passport or anything simple. I just want to see what the communication would look like.
By the way, good job with the project ❤️ Keep up the good work.
We can't access `Router` directly from `next/router`, so we should instead use a callback function so the user can handle the redirection or whatever they want to do afterwards.
The goal is to provide helpers that minimize the boilerplate to write on Next.js apps.
`next-authentication` assumes that all cookies aren't httpOnly, and this might cause conflicts.
For example, I'm working on a lambda function that only does OAuth and 302 redirects back to the web app with cookies in the headers, so that the Next.js app can grab them on the first load. The library I'm using sets the cookie's httpOnly setting to true by default, and I think that's okay.
So instead of changing that security setting to false I'd like to figure out how to handle this in the frontend. It might not be possible, but I'll do some research first before adding any warning or so to the library.
To set up the implementation we use the `csrf` library, the same one that the `csurf` middleware uses for Express.

How `csrf` works

`csrf` helps to mitigate CSRF by first creating two tokens:

- `<secret>`
- `<salt>;<token>`

Then, `csrf` validates the token by doing `<secret>` + `<salt>` = `<token>`.

CSRF mitigation should happen when a Next.js application sends a state-changing request (POST, PUT, PATCH, and DELETE) to a protected API route.

The mitigation works by:

- On every request to an API route, the server validates the token with the secret saved in memory.
- Every time the user lands on the Next.js app a secret and a token will be generated.
References:
The goal is to implement a middleware that will delete a cookie session and redirect the user in case of an invalid or missing token in the headers, e.g.,

```js
// API route wrapped by the auth middleware; the handler only runs for a valid token
export default auth((req, res) => {
  res.end('ok');
});
```
Examples:
Probably an example using Objection.js and SQLite so people can run it locally.
Right now the documentation only explains the API. I'd like to expand on reasons why middlewares work like that and more examples.
Adding an expiration date (`exp`) to the JWT: it would be useful if there were a way to check the validity of the token before each request. Same with a server-side check of token validity.