lucia-auth / lucia

Authentication, simple and clean
https://lucia-auth.com
BSD Zero Clause License

[Feature Request]: Support Edge Runtime #236

Closed FaeyUmbrea closed 1 year ago

FaeyUmbrea commented 1 year ago

Package

lucia-auth

Describe the problem

Currently, when using lucia, you are forced to export the server components to be run in a nodejs environment. This is due to relying heavily on nodejs libraries like crypto and util which are not available in the Edge Runtime.

Being able to use Lucia on serverless functions together with svelte-kit's support for them would be very desirable.

Describe the proposed solution

Generally, it should be possible to replace all instances of native node libraries being used with versions that can be run entirely within the browser. Since Edge Runtimes are fully browser compatible this means supporting the browser will also support Edge Runtimes.

In the same juncture it may be worth it to see if helper functions for Buffer operations are available as Buffer can cause cost increase on edge platforms due to the additional CPU time and memory they require.

Alternatives considered

I have tried using the bundler to dynamically replace the libraries for my use case. Unfortunately, there is no library that is able to fully replace crypto. All I have tried either only implement scrypto or don't implement scrypto.

Additional information

Taking SvelteKit compatibilities into account, making this work on Cloudflare and Vercel would be a good starting point.

pilcrowonpaper commented 1 year ago

So the thing with Lucia is that it doesn't prioritize edge functions. It requires a database so having the main server close to it usually is the better option. I'm aware of "edge" databases like Upstash but it's still pretty niche and early.

That said, I'm open to supporting edge as long as we don't change the hashing algorithm used. All other node native modules can be replaced somewhat easily. I'm aware of scrypt-js which might be useful?

FaeyUmbrea commented 1 year ago

There are a few ways of varying maturity (and cost) that are available to have edge functions interact with databases. I do expect the amount of full serverless applications to increase again once Cloudflare's D1 database is out of alpha. There is already an ORM and a Kysely adapter for it, which should make integration with Lucia quite easy as well.

As for the key derivation function, yea replacing that will definitely be a hassle, it would be a full breaking change to change it, so it'd have to be a function that produces the same results. scrypt-js seems to be the most mature out of the bunch with multiple hundreds of thousands of weekly downloads. There is also scryptsy which was developed for use in cryptocurrencies apparently. And then there also is the rather new scrypt-pbkdf which apparently uses either nodejs crypto or WebCrypto API depending on environment.

Oh there is also scrypt-async which, since you throw scrypt into a promisify anyway, might work out well enough.
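
Added example, not part of the thread and not code from Lucia or scrypt-js: the requirement discussed above, that a replacement key derivation function produce the same results, checked by implementing scrypt (RFC 7914) in plain JavaScript and comparing its output with Node's built-in `crypto.scryptSync`. The names `scryptPortable` and `matchesNode` and all parameter values are assumptions made for this example; PBKDF2 is still taken from `node:crypto` here to keep the block short.

```javascript
const nodeCrypto = require('node:crypto');

// Salsa20 quarter-round index sets: four column rounds, then four row rounds.
const QR = [[0, 4, 8, 12], [5, 9, 13, 1], [10, 14, 2, 6], [15, 3, 7, 11],
            [0, 1, 2, 3], [5, 6, 7, 4], [10, 11, 8, 9], [15, 12, 13, 14]];
const rotl = (v, n) => (v << n) | (v >>> (32 - n));
function salsa208(X) { // Salsa20/8 core on a Uint32Array(16), updated in place
  const x = X.slice();
  for (let round = 0; round < 4; round++)
    for (const [a, b, c, d] of QR) {
      x[b] ^= rotl(x[a] + x[d], 7);
      x[c] ^= rotl(x[b] + x[a], 9);
      x[d] ^= rotl(x[c] + x[b], 13);
      x[a] ^= rotl(x[d] + x[c], 18);
    }
  for (let i = 0; i < 16; i++) X[i] += x[i];
}
function blockMix(B, r) { // B: Uint32Array(32 * r); returns a new array
  const out = new Uint32Array(B.length);
  const X = B.slice(B.length - 16);
  for (let i = 0; i < 2 * r; i++) {
    for (let k = 0; k < 16; k++) X[k] ^= B[i * 16 + k];
    salsa208(X);
    out.set(X, ((i >> 1) + (i & 1) * r) * 16); // even blocks first, then odd
  }
  return out;
}
function roMix(B, N, r) { // memory-hard step; N must be a power of two
  const V = [];
  let X = B;
  for (let i = 0; i < N; i++) { V.push(X); X = blockMix(X, r); }
  for (let i = 0; i < N; i++) {
    const Vj = V[X[(2 * r - 1) * 16] & (N - 1)]; // Integerify(X) mod N
    X = blockMix(X.map((w, k) => w ^ Vj[k]), r);
  }
  return X;
}
// Hypothetical name. PBKDF2-HMAC-SHA256 also exists in WebCrypto (async).
function scryptPortable(password, salt, N, r, p, dkLen) {
  const B = nodeCrypto.pbkdf2Sync(password, salt, 1, p * 128 * r, 'sha256');
  for (let off = 0; off < B.length; off += 128 * r) {
    const words = Uint32Array.from({ length: 32 * r }, (_, k) => B.readUInt32LE(off + 4 * k));
    roMix(words, N, r).forEach((w, k) => B.writeUInt32LE(w, off + 4 * k));
  }
  return nodeCrypto.pbkdf2Sync(password, B, 1, dkLen, 'sha256');
}
function matchesNode(password, salt, N, r, p, dkLen) { // hypothetical helper
  const expected = nodeCrypto.scryptSync(password, salt, dkLen, { N, r, p });
  return nodeCrypto.timingSafeEqual(expected, scryptPortable(password, salt, N, r, p, dkLen));
}
```

Running `matchesNode` with the exact cost parameters and key length used for stored hashes is the check that matters: any mismatch means existing password hashes would stop verifying after the swap.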

pilcrowonpaper commented 1 year ago

Haven't tested with edge workers but I was able to create a successful implementation using scrypt-js and buffer (Buffer polyfill)

pilcrowonpaper commented 1 year ago

Yay, got it to work https://scrypt-test.vercel.app

pilcrowonpaper commented 1 year ago

Done in lucia-auth@0.2.1!