blitz-js / blitz

⚡️ The Missing Fullstack Toolkit for Next.js
https://Blitzjs.com
MIT License

Support authentication without database sessions (i.e. JWT) #2506

Open fritzblue opened 3 years ago

fritzblue commented 3 years ago

What do you want and why?

Server-side sessions come with pros and cons. Some users prefer the tradeoffs/benefits provided by client-side sessions (e.g. JWT).

This also makes it easier to choose alternative data stores (such as those unsupported by Prisma) without having to modify the auth system.

Possible implementation(s)

Today database sessions are assumed. It would be nice to allow the user to select the session management style during project generation, then generate the project files accordingly.

Additional context

cherta commented 3 years ago

Not sure this comment helps, but I've been playing with a middleware to allow my backend (queries and mutations) to be consumed from a mobile application that cannot store cookie-based sessions.

The main idea is to register a JWT middleware before the sessions middleware and create a session based on the JWT payload when requests come from a mobile client.

When this middleware manages the request it creates a new session that complies with the Blitzjs session signature and calls next().

It's not by any means perfect, but so far it is working. I need another week to polish the code and maybe I can post it here.

flybayer commented 3 years ago

Thanks @fritzblue! Good news. We already planned for this from the very start. See https://github.com/blitz-js/blitz/blob/canary/rfc-docs/03-session-management.md#advanced-short-lived-jwts-plus-refresh-tokens

It will just take some work to implement everything properly. I won't have time to work on this before 1.0, but anyone else is welcome to tackle it before I'm able to.

zwl1619 commented 3 years ago

Could you raise the priority of this issue?

flybayer commented 3 years ago

@zwl1619 unfortunately I don't have the bandwidth to work on this before 1.0. But I'm more than happy to help guide anyone who has the time and motivation to take it on.

ditorodev commented 1 year ago

@flybayer I'm willing to help with this, but I'm kinda lost as to the structure of the blitzjs project. I have also seen it is planned to pivot, so maybe it is better to work on this for that release?