Signup & Next Auth
Hey all! I'm new to sign up and Next Auth and had a question about handling both. I'm using T3 Stack for my app and have a signup form setup and working. I'm wondering when it comes to signin, I query the DB with the user input, if successful should I be using Next Auth Email Provider or Credentials Provider? There are a ton of guides out there for Next Auth but pretty much all of them cover OAuth and not handling email/password signup/login.
I like the MFA provided by Next Auth Email Provider so it'd be nice to keep and not have to build it from scratch
81 Replies
Because it sucks at email or username auth
What does? That doesn't answer my question
I'm here to learn so I'm open to being taught. I've never dealt with account creating and auth so it's a brand new thing to me. If I should ditch Next Auth that's cool, but why and what else?
next-auth sucks at anything not oauth
Ok I'll look into alternatives. I liked the idea of Next Auth since it would handle sessions and JWTs for me as well as the MFA but if there are better solutions then I'm all for it. Thanks for the feedback
I'm doing credentials with Next Auth right now
it just checks the credentials against a database and returns a JWT to the browser if it's a match.
and you get to handle your own verification logic inside the authorize() function in auth/[...nextauth]/route.ts
can you explain in detail what makes it suck at credential based auth? I might jump ship if it's bad enough
also what would you recommend for implementing auth
jwt's, the fact you need to use a jwt because it's credentials is dumb
if you're doing credentials then https://lucia-auth.com/ or rolling auth yourself is what i would do
Lucia
Lucia
what's wrong with jwts for credentials?
what are the downsides to requests getting prefixed by a token unique to that user?
and what would a better alternative be
I kinda just follow OWASP's recommendations, to use sessions whenever you have stateful auth.
The major downside of JWTs is you can't kill a session, or change a role of a person.
Or, it won't be reflected until a new JWT is generated
So if someone is promoted to admin, they won't see until a new JWT is made
If a user is banned off of a service, they're not banned until the JWT runs out
If a user wants to kill a session it can't be
Hm. so if you ban a user, and they keep their old JWT, they can still act as if they weren't banned?
Yup
Since the JWT is either valid or not
Based on encryption
Not based on what the database says
That's the upside, you don't have to access the database to check
By adding a check in the database, but now you've neglected the upside of JWTs
And basically made sessions with JWTs
Doesn't make sense
Just use sessions lol
So with sessions, do you do a db lookup every time the user does a request?
and verify it against the db?
Yup
damn LMAO
That's not slow though
It's pretty damn fast
is there a go-to standard library for managing session auth?
is lucia that library?
Nope
There's libraries for it for almost everything
js is the wild west of libraries
if you can think of a problem that you don't want to solve, there is a library for you (probably) out there
Express has express-session
Fastify has fastify auth and fastify session
Gorillamux has gorilla/sessions
Fiber has their session middleware
There's always going to be a library for doing it tbh
It's been the standard way to do auth for decades
so why do you like lucia
Because it's in typescript land
I also like doing it myself
does next-auth really only support sessions for oauth?
that's weird
it does support password sessions
but the experience of using it is awful
next auth in general has a really weird experience of using it
its fine until you find a very very very weird problem that is very hard to
oauth is great
so i don't mind
but I've been playing around with passwords etc so it's not viable for me
Do you have a repo I could look at?
@thatbarryguy That's quite informative, thanks again for the feedback. This is my first time diving into account creation and auth so I'm completely in the dark with goto's and howto's
https://github.com/machina20/prisma-learning-/ right now it just has username/password login/registration. Once you register an account, it sends an email using mailgun, and then once you nav to the link it sends you, your account is now verified and you can log in.
it uses prisma
Thanks, I just want to checkout how you handle Next Auth with this but from what I read above it seems to make sense to use Lucia
seems that way haha
@thatbarryguy @nyxawaits do you guys have a recommended way to send emails?
with a nextjs app
resend
Thanks guys
how does this stack up to node mailer, mailchimp etc
looks cool
resend you can use "react to write mails"
node mailer, mailchimp and others only send the email
you write the content and such
I remember looking at this in my last job. Anyone that's written email templates before knows the pain of not using React
writing emails is painful overall
so a provider that you can easily use something like react is very very nice
not even react itself, writing emails is just annoying
each provider renders differently, so it's a shit show
It really is, and there isn't an industry standard for sizing or light mode vs dark mode targeting across the different platforms
damn this looks pretty cool. What would you say are the email services that dissenters would say are better than resend
most of them do the same
send emails. What matters is what you want DX-wise; resend feels the best
what do you recommend as far as auth libraries go? lucia as well?
next auth is okay
I'm a fan of lucia
most paid auth providers are fine
are clerk and supabase paid
if they have a free tier it's even better
one thing though is breaking changes
clerk with free tier
same with supabase
would using a service like supabase or clerk be better just to avoid the breaking changes
most major auth providers have a free tier offer
what would you say is the most popular auth solution today
Sendgrid I guess
There isn’t really one
most of them have tradeoffs
Comes down to what the backend is made with
what if it's a nextjs project with a postgres backend running on a docker container
Well hopefully that’s at least 2 containers
you mean like a container for the application too?
And a third for nginx or caddy or something
1 for next
1 for postgres
1 for nginx / caddy
Could have more like a tls service etc
is it better to deploy on vercel to use the regional edge functions for cheaper?
i heard that's a lot cheaper than lambda and faster
🤷
have you ever used vercel
Yes
i'm using it to host my portfolio so i'm assuming it does the nginx load balancing stuff automatically. I'm scared of hidden scaling costs though
vercel free tier is very generous
For some things
But image optimization and other features. Not so much
how do you guys feel about clerk.dev?
meh
^
People give good reviews for that on Reddit. Have you guys used clerk? Also what do you guys think is the best tech stack for a solo developer doing SaaS applications
I’m always afraid of spending lots of time diving into something that may not be the widely recommended tool for a certain job
unless you are experienced
don't roll your own auth
using clerk/auth0/whatever is fine as long as it's a recommended service
you can try clerk and see what happens
I personally don't like that take, it's not as complicated as it's made out to be
if you are using oauth stuff, sure
Email/Username & Passwords too
OAuth is more complicated
yes
next auth exists for that
Meh, it's more complicated but not necessary for an auth lib
when you guys say "roll your own auth" do you mean something like lucia? or even more low level than that??
literally just writing all the shit yourself
I write my auth directly in assembly
i prefer the control it gives me
do you do this with REST APIs?
hm
what is the traditional route to do the things that Resend does? What would need to be done under the hood?
something like aws ses, sendgrid, or another basic mail sender
then something to create the email content
Is something like Resend worth it at the higher tiers? or would it be better to implement it yourself in the long run
GitHub - resendlabs/react-email: Build and send emails using React.
This was a fantastic read, thank you for your insights