SvelteKit Authentication with Lucia & Prisma 

Thank you for the kind words! You are very welcome!

Oh wow I didn't even think about that (I may have missed it in the docs), but that's even better!

sorry but what part of the video does this address so I know where to lookout for this suggestion? thanks!

@@zackadam2598 9:01

I just saw this comment! I was commenting the same to say I did just this. I am curious, however, @pilcrow, if there is any situation where this would be ill-advised? I'm still pretty new to web development so your insight on this would be really helpful. If, say, I had the password hashed on my User table (and model) Is there any situation where a Lucia auth function would return this information to the client?

@@ryan_roga Types are removed during compile step, so no issue there. There's no API within Lucia that exposes the password or hashed password, but there is an error indicating if the password was wrong, which should not be sent directly to the user. You want to make the error message on sign in attempt as vague as possible, and the error message on incorrect email and password should be the same.

Thank you!

Thank you!

I can't wait either, it's almost complete :)

This is a great idea! I'll put it on the list of possible future videos!

@@Huntabyte I am also highly interested in such a video. Thanks for the great work!

But, now that I tried it, adding and using OAuth is just a breeze with Lucia! Awesome!

Awesome to hear!

I'm glad to hear that!

Thanks for that suggestion! I actually had a segment in the beginning but I chopped it out because it felt I was rambling before getting into the content! I will probably make a video about deciding which one to use!

It's exactly what I've been looking for!

Yes that is actually in the works as we speak!

@@Huntabyte I expected nothing less from you ❤. Man you have no idea how much your tutorials help people. I need to save and cough up for your channel membership. Keep the grind up. I pray your content blows up and helps many people

Will do! Thanks for taking the time to comment, Oğulcan!

Great question! I didn’t do so in this video as typically there will be some form of verification such as email like you mentioned. I’ve also went down the rabbit hole and have decided for myself after using many many apps that don’t auto sign in on register that I just force a sign in afterwards. It’s nothing specific to Lucia, if you look at the example in their docs they actually automatically create a session on register. Just a personal preference 🙂

Thank you!

You're very welcome!

@@Huntabyte Can you do an extra thing to seeding prisma with Lucia-auth? I would like to seeding some account and basic data for my website. Thank you so much.

Pilcrow (the creator of Lucia), says your way is the recommended way of doing it! Good discovery!

@@Huntabyte Nice. :) Can you think of any situation where this would be ill advised? What if the User table has the hashed password, for example. Does this describe any data returned through Lucia auth functions? Your experience far outweighs mine so I'm happy to take your opinion on it over my own discovery. 😅

Why? Is there something we should know about Supabase?

@@BryanKlein I don't hate it but it's a bit expensive, similar to any BaaS

@@pilcrowonpaper I haven't paid for it yet, so I haven't had that experience. Their free tier covers my needs so far. But $25 a month seems reasonable for the Pro plan. I pay much more than that for other services that aren't a core requirement of my online business. For example, we are using a Legacy plan for CrowdIn that is $135 a month. If we were to sign up today for the same use it would be over $300 a month. This is only used currently to manage translations of our English UI. These are used by a smaller fraction of our customer base. I could see how $25 a month seems like a lot if you aren't making any money from your application, but I would imagine the free plan could cover it in most cases.

​@@BryanKlein The free tier is awesome but the pro tier seems a bit more expensive, especially if you just need a relational database.

@@pilcrowonpaper ah yeah, there are much cheaper services for relational DBs. But the whole package, with Auth, DB with RLS, Functions, Storage, etc. Isn't as common or cheap.

This wouldn't necessarily add complexity to the Auth shown in this video, but it would certainly add complexity to the database. Typically blogs aren't setup like this, I just used 'Articles' as a CRUD example that everyone is familiar with!

At 13:00 validateKeyPassword is useKey.

Thank you!

You already know !

Excalidraw!

Top, Thanks !

Yeah I did a video on this ‘Protect Routes with Handle Hook’. The one caveat is that you need to ensure you have +page.servers beside your +page.svelte files so the hook actually runs. But I demonstrate a full path protection in that video.

@@Huntabyte Fantastic! Thank you very much for your work and content, always a pleasure!

It’s just a matter of personal preference. If I was grouping an entire route directory ‘/admin’, for example, I’d probably handle it within hooks, for everything else I just cover it in the load function / action.

Just a habit I picked up before opening my eyes and realizing db push generates a new client :)

@@Huntabyte Oh, I see, it's okay

You could throw nodemailer into the mix using an SMTP service of your choosing. So once you create the user in the registration route, you would fire off a confirmation email. You'd have to generate a token that would be included in the "confirmation" link. Maybe I will make a video on this in the future.

Yeah! Your database has to be hosted somewhere though!

@@Huntabyte Ah I see, thanks for reply!

I've deployed the apps in my most recent videos to Vercel, Vercel makes it super easy!

I'll look into that, thanks! Anything one should know when moving the database to production, for example specifying file paths? Right know I have a dev.sqlite db within the prisma folder, but does this just move to prod?

I think the advantage is it provides more control over your auth flow and enables you to build your own auth on top of various different databases! Just an alternative way to do it!

@@Huntabyte @Brad Also IIRC, Supabase auth is JWT based whereas this is classic server session.

Good catch! I think I mixed them around quite a bit in this video, but certainly a good idea!

@@Huntabyte more videos like this please! Just discovered your channel and it's really good!! Thanks! 😁🙌

That's not quite correct. 401 Unauthorized: Although the HTTP standard specifies "unauthorized", semantically this response means "unauthenticated". That is, the client must authenticate itself to get the requested response. 403 Forbidden: The client does not have access rights to the content; that is, it is unauthorized, so the server is refusing to give the requested resource. Unlike 401 Unauthorized, the client's identity is known to the server. Using 404 seems wrong. You can do it, if you want to pretend that this resource does not exist. But I don't think it has any benefit.

@@W4nn3 that is correct. But if you get your app audited or pen tested, this is one of the common things they’ll ask for

Only works with a secure place. Thats it, i dont know if you can change the cookies parameter in lucia

I tried it a few weeks ago and a bunch of the types were broke/documentation was lacking. I will revisit once it's at a more stable release!

Well auth.js works but as huntabyte said the types are a mess rn and also all the adapters are still not ported from next auth and The docs have a long way to go.

@@TechBuddy_ I'm sure they will come along soon enough and I will certainly explore it a bit more then!

@@Huntabyte also auth js is a complete package for auth but Lucia is like a set of helpers to roll your own auth

You’re welcome!

You would need to check the db for the username they request first, and then return `fail` if one exists with the message of your choice!

I'd say if you're using Supabase then use Supabase's auth. Lucia is more for rolling your own auth as it gives you only the bare minimum, the flows are all up to you!

Yeah you can! I have a video dedicated to it on my channel! I prefer to do it on a per route basis as of recently, but hooks are great for a massive summary route

@@Huntabyte That would be great! Thanks for your excellent tuts!

Okay fixed. was not clear in the docs but you should use the beta release with @beta rather than the normal one.

@@Chomaas It's the library version. compare the libs. if you use v2 you need the beta libs.

I hate to be that guy, but "it depends". More specifically, it depends on what type of application you're building. If you want to work with websockets or complex custom backend authentication, or if you want to build a REST API to spec for consumption by multiple clients (mobile app, desktop app, web app, etc.), then I'd 100% go with Nest or Go. You could do these more complex things with just SvelteKit endpoints, but I think it's poorly suited for such (dedicated pages for each route, lack of MVC structure, etc.)

@@Huntabyte how about things like scaling ? Full stack with sveltekit can’t in any way or form scale as good as Go.

It’s Microsoft Edge with vertical tabs!

You could say the same thing about password managers, if the password manager is compromised, so is everything else. You could also say the same regarding a physical device, if your laptop is stolen while logged into your services, some damage could be done. I don't perceive this as a gaping security hole, if you have proper MFA setup for your email and GitHub and someone still cracks it, they deserve the access at that point.

​@@Huntabyte I see what you're saying but I think it's still slightly different than the examples you mentioned. I as a user am knowingly taking the risk (probably small one) of using a password manager and am aware of those risks for each password I put in there. If you as an app developer merge my email account with my github oauth account, then there's a risk to the user that the user is probably not aware of. Not all users may agree to the risk. But in the case of the password manager it was their own choices. In the case of the stolen laptop they're also aware of the risk. If they don't like the risks they can use stronger security settings on the laptop (password/biometrics to unlock, auto lock after short period, encrypted HD). But again the risk is transparent. If every app on the internet used this logic, then any time one of your accounts was compromised all of your accounts would be compromised. Not every 3rd party oauth provider will have MFA as an option, and even if they do offer it not every user will have it turned on. I don't think you can assume MFA as an app dev using oauth provider. Finally, here is a open source library literally for auth that says they don't do this because of the security risks: supertokens.com/docs/thirdpartyemailpassword/common-customizations/account-linking

Apparently supertokens (auth lib I linked) is adding this account merging feature so maybe you're right and it's not a big deal security-wise? I feel like there are other apps that already do it so I guess it's a grey area? Dunno... @Huntabyte

Thanks! I'll be doing an update with Lucia v3!

Its happen the same to me.

I'm actually using it in a project right now. Not to the full TRPC capabilities yet, but at least the API portion, yes.

@@Huntabyte Do you have a repo I can take a look at? You would add both the lucia and trpc hooks in a sequence and have access to locals in the TRPC context? Is it that simple?

@@jeno427 bump lol, good question Jeno