Support authentication without database sessions (i.e. JWT) #2506

Open
fritzblue opened this issue Jun 18, 2021 · 5 comments
Labels
kind/feature-change New feature or request status/ready-to-work-on This issue is up for grabs

Comments

@fritzblue

What do you want and why?

Server-side sessions come with pros and cons. Some users prefer the tradeoffs/benefits provided by client-side sessions (e.g. JWT).

This also makes it easier to choose alternative data stores (such as those unsupported by Prisma) without having to modify the auth system.

Possible implementation(s)

Today database sessions are assumed. It would be nice to allow the user to select the session management style during project generation, then generate the project files accordingly.

Additional context

@cherta

cherta commented Jun 20, 2021

Not sure this comment helps, but I've been playing with a middleware to allow my backend (queries and mutations) to be consumed from a mobile application that cannot store cookie-based sessions.

The main idea is to register a JWT middleware before the sessions middleware and create a session based on the JWT payload when requests come from a mobile client.

When this middleware manages the request it creates a new session that complies with the Blitzjs session signature and calls next().

It's not by any means perfect, but so far it is working. I need another week to polish the code and maybe I can post it here.
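
The arrangement described in the comment above, as an added example that is not cherta's code and not part of Blitz: a Connect-style middleware that verifies an HS256 bearer token and attaches a session-shaped object before the cookie-session middleware runs. The names `jwtSessionMiddleware` and `req.jwtSession` and the claims `sub` and `role` are assumptions; Blitz's real session object is not reproduced here.

```javascript
// Added example: generic Connect-style middleware; all names are hypothetical.
const crypto = require("node:crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");

// Demo helper only: mint an HS256 token so the verifier has input to check.
function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Returns the payload of a valid, unexpired HS256 token, otherwise null.
function verifyJwt(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm server-side; never let the token header choose it.
    const header = JSON.parse(Buffer.from(head, "base64url").toString("utf8"));
    if (header.alg !== "HS256") return null;
    const expected = crypto.createHmac("sha256", secret).update(`${head}.${body}`).digest();
    const given = Buffer.from(sig, "base64url");
    // Length check first: timingSafeEqual throws on unequal lengths.
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
    // Require an expiry: a stateless token cannot be revoked in a session table.
    if (typeof payload.exp !== "number" || payload.exp <= now) return null;
    return payload;
  } catch {
    return null; // malformed base64url or JSON
  }
}

// Register before the cookie-session middleware. A valid Bearer token yields a
// session-shaped object; a request without one falls through to cookie sessions.
function jwtSessionMiddleware(secret) {
  return (req, res, next) => {
    const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
    if (!m) return next();
    const payload = verifyJwt(m[1], secret);
    if (!payload) { res.statusCode = 401; return res.end("invalid token"); }
    req.jwtSession = { userId: payload.sub, role: payload.role ?? null }; // hypothetical shape
    next();
  };
}
```

A presented but invalid token is rejected with 401 rather than passed on, so a bad token never silently downgrades to whatever cookie session happens to accompany the request.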

@flybayer
Member

Thanks @fritzblue! Good news. We already planned for this from the very start. See https://github.com/blitz-js/blitz/blob/canary/rfc-docs/03-session-management.md#advanced-short-lived-jwts-plus-refresh-tokens

It will just take some work to implement everything properly. I won't have time to work on this before 1.0, but anyone else is welcome to tackle it before I'm able to.

@flybayer flybayer added kind/feature-change New feature or request status/ready-to-work-on This issue is up for grabs labels Jun 23, 2021
@zwl1619

zwl1619 commented Jul 31, 2021

Could you raise the priority of this issue?

@flybayer
Member

flybayer commented Aug 4, 2021

@zwl1619 unfortunately I don't have the bandwidth to work on this before 1.0. But I'm more than happy to help guide anyone who has the time and motivation to take it on.

@ditorodev

@flybayer I'm willing to help with this, but I'm kinda lost as to the structure of the blitzjs project. I have also seen it is planned to pivot, so maybe it is better to work on this for that release?
