DEV Community: Berzan The latest articles on DEV Community by Berzan (@bmikaili). https://dev.to/bmikaili https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1063812%2F5790469e-a252-4b08-a702-f1518a861c5c.png DEV Community: Berzan https://dev.to/bmikaili en Building a SvelteKit Demo Page with Web Component and Passkey Login for passkeys.eu Berzan Wed, 12 Apr 2023 14:23:46 +0000 https://dev.to/corbado/building-a-sveltekit-demo-page-with-web-component-and-passkey-login-using-corbadocom-1ci4 https://dev.to/corbado/building-a-sveltekit-demo-page-with-web-component-and-passkey-login-using-corbadocom-1ci4 <h2> Overview </h2> <ul> <li>1. Introduction</li> <li>2. Setting up the SvelteKit project</li> <li>3. Setting up fonts and global styles using Tailwind</li> <li>4. Repository structure</li> <li> 5. Setting up the Corbado web component for passkey authentication <ul> <li>5.1 Setting up your Corbado account and project</li> <li>5.2 Including the web component in our frontend</li> <li>5.3 Setting up the redirect logic</li> <li>5.4 Using cookies to manage authentication state</li> </ul> </li> <li>6. Conclusion</li> </ul> <h2> 1. Introduction </h2> <p>In this blog post, we'll be walking through the process of building a demo page for <a href="https://passkeys.eu/">passkeys.eu</a> using SvelteKit. We'll cover how to create a reusable web component and implement passkey login functionality for a seamless user experience. This tutorial assumes basic familiarity with SvelteKit, HTML, CSS and JavaScript. Let's dive in!</p> <h2> 2. Setting up the SvelteKit project </h2> <p>We'll follow along by cloning our <a href="https://github.com/Corbado/passkeys-demo">demo repository</a> with the finished code, but in case you are interested in how you'd set up the skeleton of the project, check out the next 2 sections. Otherwise, you can skip them and continue from repository structure.</p> <p>We will be using <a href="https://flowbite-svelte.com/pages/getting-started">Flowbite</a>, which is a component library based on <a href="https://tailwindcss.com">TailwindCSS</a> to quickly build a responsive and aesthetic UI.<br> Let's start out by installing SvelteKit. We are going to use <a href="https://pnpm.io">pnpm</a> instead of <code>npm</code>, as <code>pnpm</code> is faster by using symlinks to reuse existing dependencies. To install <code>pnpm</code>, run:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install</span> <span class="nt">-g</span> pnpm </code></pre> </div> <p>Once we've done that, we can install SvelteKit and initialize our project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm create svelte@latest passkeys-demo <span class="nb">cd </span>passkeys-demo pnpm <span class="nb">install</span> </code></pre> </div> <p>Then, we'll have to install TailwindCSS:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpx svelte-add@latest tailwindcss pnpm i </code></pre> </div> <p>Lastly, we'll have to install Flowbite's svelte library<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm i flowbite flowbite-svelte classnames @popperjs/core </code></pre> </div> <p>Finally, we'll update our <code>tailwind.config.cjs</code> to include Flowbite:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">content</span><span class="p">:</span> <span class="p">[</span> <span class="dl">'</span><span class="s1">./src/**/*.{html,js,svelte,ts}</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">./node_modules/flowbite-svelte/**/*.{html,js,svelte,ts}</span><span class="dl">'</span> <span class="p">],</span> <span class="na">theme</span><span class="p">:</span> <span class="p">{</span> <span class="na">extend</span><span class="p">:</span> <span class="p">{}</span> <span class="p">},</span> <span class="na">plugins</span><span class="p">:</span> <span class="p">[</span><span class="nx">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">flowbite/plugin</span><span class="dl">'</span><span class="p">)],</span> <span class="na">darkMode</span><span class="p">:</span> <span class="dl">'</span><span class="s1">class</span><span class="dl">'</span> <span class="p">};</span> <span class="nx">module</span><span class="p">.</span><span class="nx">exports</span> <span class="o">=</span> <span class="nx">config</span><span class="p">;</span> </code></pre> </div> <h2> 3. Setting up fonts and global styles using Tailwind </h2> <p>To set up some standard fonts and styles that should be global for our application, we can use Tailwind theming. First, we'll create a <code>&lt;svelte:head&gt;</code> section in our root <code>+page.svelte</code>. This behaves like a standard HTML <code>&lt;head&gt;</code> you'd find in the <code>index.html</code> file, it contains metadata and allows you to include third party scripts. We are going to use it to include some fonts from <a href="https://fonts.bunny.net/">Bunny Fonts</a> and add some metadata for SEO. Add this to your <code>+page.svelte</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;svelte:head&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preconnect"</span> <span class="na">href=</span><span class="s">"https://fonts.bunny.net"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">href=</span><span class="s">"https://fonts.bunny.net/css?family=inter:500|space-grotesk:500"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>Passkeys demo<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"description"</span> <span class="na">content=</span><span class="s">"Corbado Passkey passwordless authentication demo"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/svelte:head&gt;</span> </code></pre> </div> <h2> 4. Repository structure </h2> <p>Let's first discuss the structure of our <code>src</code> folder:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>├── lib │ ├── assets │ │ ├── apple.svg │ │ ├── auth-sample.svg │ │ ├── Corbado.png │ │ ├── devices.svg │ │ ├── europe.png │ │ ├── github.png │ │ ├── google.svg │ │ ├── microsoft.svg │ │ ├── slack.webp │ │ └── twitter.png │ ├── components │ │ ├── CheckItem.svelte │ │ └── InfoCard.svelte │ └── sections │ ├── Footer.svelte │ ├── PasskeyDemo.svelte │ ├── PasskeyExplainer.svelte │ ├── PasskeySaas.svelte │ ├── PasskeyStats.svelte │ └── PasskeyTimeline.svelte ├── routes │ ├── api │ │ ├── <span class="nb">logout</span> │ │ │ └── +server.ts │ │ └── register │ │ └── +server.ts │ ├── +layout.svelte │ ├── +page.server.ts │ └── +page.svelte ├── app.d.ts ├── app.html └── app.postcss static └── favicon.png </code></pre> </div> <ul> <li> <p><code>lib</code> contains auxiliary files, such as:</p> <ul> <li>image <code>assets</code> </li> <li>custom <code>components</code> we made</li> <li> <code>sections</code> that we use on our demo page</li> </ul> </li> <li> <p><code>routes</code> contains all the routes of our app, such as</p> <ul> <li> <code>api</code> routes, these are equivalent to API endpoints you would have in a classic server / backend. The path of the endpoints correspond to their folder path.</li> <li>The root path <code>/</code> svelte files:</li> <li> <code>+layout.svelte</code> defines the overall layout and applies our global <code>.postcss</code> </li> <li> <code>+page.server.ts</code> handles server-side logic for that particular route (<code>/</code> in this case), such as load functions or form actions.</li> <li> <code>+page.svelte</code> contains the actual client-side code to render our page</li> </ul> </li> </ul> <p>We have a root <code>.html</code> and <code>.css</code> file, which we can ignore for the purpose of our tutorial. And a <code>static</code> folder for assets like favicons.</p> <h2> 5. Setting up the Corbado web component for passkey authentication </h2> <p>Our demo page contains various sections as defined in our <code>+page.svelte</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="nx">Footer</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/sections/Footer.svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PasskeyDemo</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/sections/PasskeyDemo.svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PasskeyExplainer</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/sections/PasskeyExplainer.svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PasskeySaas</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/sections/PasskeySaas.svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PasskeyStats</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/sections/PasskeyStats.svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">PasskeyTimeline</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/sections/PasskeyTimeline.svelte</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="nx">type</span> <span class="p">{</span> <span class="nx">PageData</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">let</span> <span class="nx">data</span><span class="p">:</span> <span class="nx">PageData</span><span class="p">;</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;svelte:head&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preconnect"</span> <span class="na">href=</span><span class="s">"https://fonts.bunny.net"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">href=</span><span class="s">"https://fonts.bunny.net/css?family=inter:500|space-grotesk:500"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;title&gt;</span>Corbado Passkey demo<span class="nt">&lt;/title&gt;</span> <span class="nt">&lt;meta</span> <span class="na">name=</span><span class="s">"description"</span> <span class="na">content=</span><span class="s">"Corbado Passkey passwordless authentication demo"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/svelte:head&gt;</span> <span class="nt">&lt;PasskeyDemo</span> <span class="err">{</span><span class="na">data</span><span class="err">}</span> <span class="nt">/&gt;</span> <span class="nt">&lt;PasskeyExplainer</span> <span class="nt">/&gt;</span> <span class="nt">&lt;PasskeyTimeline</span> <span class="nt">/&gt;</span> <span class="nt">&lt;PasskeyStats</span> <span class="nt">/&gt;</span> <span class="nt">&lt;PasskeySaas</span> <span class="nt">/&gt;</span> <span class="nt">&lt;footer</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>For the purpose of this demo, we'll focus on integrating Corbado, so I am going to omit on how I styled and built those pages. If you're interested, checkout the <code>src/lib/sections</code> and <code>src/lib/components</code> folder in the project repository to see how they're styled.</p> <h3> 5.1 Setting up your Corbado account and project </h3> <p>Visit the <a href="https://app.corbado.com/signin#register">Corbado Developer Panel</a> to sign up and create your account (you'll see passkeys sign up in action!).<br> Once you are in the developer panel, go to Settings &gt; Credentials:</p> <ul> <li>Press on <code>Add New</code>.</li> </ul> <p>Here, add a new authorized origin so that your local Svelte app can send requests to the Corbado API using the web component:</p> <ul> <li>Enter a name description, e.g. "Passkey demo"</li> <li>Enter the origin URL, in our case the <code>http://localhost:5137</code> local url</li> </ul> <p>Once you are done, you will need to get your project ID and create an API secret to authenticate with the Corbado backend. Go to the <code>API secrets</code> tab.</p> <p>Copy the username by clicking on it, and press on add new to get a new API secret you can copy. We'll add these to an <code>.env</code> file in the root of our SvelteKit project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">CORBADO_API_SECRET</span><span class="o">=</span><span class="k">****</span> <span class="nv">PUBLIC_CORBADO_PROJECT_ID</span><span class="o">=</span><span class="k">***</span> </code></pre> </div> <p>SvelteKit allows us to easily access these using the $env namespace to import them. Env variables with <code>PUBLIC_</code> prefix are accessible in both client and server routes, while ones without default to being secret and are only accessible in SvelteKit server routes.</p> <h3> 5.2 Including the web component in our frontend </h3> <p>The first section in our root <code>+page.svelte</code> is <code>PasskeysDemo</code>. This section contains our web component demo. To import the Corbado web component into our app, all we need to do is add a <code>svelte:head</code> to load the script in <code>src/lib/sections/PasskeyDemo.svelte</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;svelte:head&gt;</span> <span class="nt">&lt;script </span><span class="na">defer</span> <span class="na">src=</span><span class="s">"https://auth.Corbado.com/auth.js"</span><span class="nt">&gt;&lt;/script&gt;</span> <span class="nt">&lt;/svelte:head&gt;</span> </code></pre> </div> <p>Then we can include it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;Corbado-auth</span> <span class="na">style=</span><span class="s">"border: none"</span> <span class="na">project_id=</span><span class="s">"{PUBLIC_CORBADO_PROJECT_ID}"</span> <span class="na">conditional=</span><span class="s">"yes"</span> <span class="na">login_title=</span><span class="s">"Try passkey login"</span> <span class="na">login_btn=</span><span class="s">"Passkey login"</span> <span class="na">register_title=</span><span class="s">"Try passkey signup"</span> <span class="na">register_btn=</span><span class="s">"Passkey signup"</span> <span class="na">auto_detect_language=</span><span class="s">"no"</span> <span class="na">fallback_language=</span><span class="s">"en"</span> <span class="na">page=</span><span class="s">"register"</span> <span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">"username"</span> <span class="na">id=</span><span class="s">"Corbado-username"</span> <span class="na">value=</span><span class="s">""</span> <span class="na">required</span> <span class="na">autocomplete=</span><span class="s">"webauthn"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/Corbado-auth&gt;</span> </code></pre> </div> <p>The web component has various utility attributes to customize it, like <code>login_title</code>, or <code>login_btn</code>. What's important for you to get it to work is the <code>project_id</code> attribute, where we will pass in our <code>PUBLIC_CORBADO_PROJECT_ID</code> from the environment. If you use an Editor like VSCode with the Svelte extension, it will automatically add this import to your <code>.svelte</code> <code>&lt;script&gt;</code> tag:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_CORBADO_PROJECT_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span><span class="p">;</span> </code></pre> </div> <h3> 5.3 Setting up the redirect logic </h3> <p>The Corbado web component works by <em>redirecting</em> you to a page you specify once the user signs up or logs in. This redirect URL can be a server-side route, or a client route. In our case, it will be a SvelteKit server endpoint. To set up our Redirect URL, let's go into the <a href="https://app.Corbado.com">Corbado Developer Panel</a> and navigate to the URL tab in Settings &gt; General and enter the following:</p> <p><code>Redirect URL</code>: Enter the URL your app should redirect to once signing up with the web component. In our case, it is the SvelteKit API route <code>http://localhost:5137/api/register</code> .</p> <p><code>Application URL</code>: Enter the URL your application runs on, in our case it is <code>localhost:5137</code> locally.</p> <p><code>Relying Party ID</code>: Enter the Domain (no protocol, port or path) where passkeys should be bound to. In our case it is <code>localhost</code>.</p> <p>The Application URL is used for, among others, to correctly direct users to the web component again, when they have clicked on an email magic link.</p> <p>Let's now add our server route in SvelteKit. Under the <code>routes/</code> folder, we will create the folders <code>api/register</code> and create a file <code>api/register/+server.ts</code> in it. This will contain our API route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">CORBADO_API_SECRET</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/private</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_CORBADO_PROJECT_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">error</span><span class="p">,</span> <span class="nx">redirect</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">RequestHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">GET</span> <span class="o">=</span> <span class="p">(</span><span class="k">async</span> <span class="p">({</span> <span class="nx">url</span><span class="p">,</span> <span class="nx">request</span><span class="p">,</span> <span class="nx">getClientAddress</span><span class="p">,</span> <span class="nx">cookies</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">Corbado</span> <span class="o">=</span> <span class="p">{</span> <span class="na">sessionToken</span><span class="p">:</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">sessionToken</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">user-agent</span><span class="dl">'</span><span class="p">),</span> <span class="na">remoteAddress</span><span class="p">:</span> <span class="nx">getClientAddress</span><span class="p">()</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://api.Corbado.com/v1/sessions/verify</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span><span class="p">,</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`Basic </span><span class="p">${</span><span class="nx">btoa</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">PUBLIC_CORBADO_PROJECT_ID</span><span class="p">}</span><span class="s2">:</span><span class="p">${</span><span class="nx">CORBADO_API_SECRET</span><span class="p">}</span><span class="s2">`</span><span class="p">)}</span><span class="s2">`</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">token</span><span class="p">:</span> <span class="nx">Corbado</span><span class="p">.</span><span class="nx">sessionToken</span><span class="p">,</span> <span class="na">clientInfo</span><span class="p">:</span> <span class="p">{</span> <span class="na">userAgent</span><span class="p">:</span> <span class="nx">Corbado</span><span class="p">.</span><span class="nx">userAgent</span><span class="p">,</span> <span class="na">remoteAddress</span><span class="p">:</span> <span class="nx">Corbado</span><span class="p">.</span><span class="nx">remoteAddress</span> <span class="p">}</span> <span class="p">})</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span> <span class="o">!==</span> <span class="mi">200</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="nx">error</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Invalid session token</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nx">cookies</span><span class="p">.</span><span class="kd">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">jwt</span><span class="dl">'</span><span class="p">,</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">randomUUID</span><span class="p">(),</span> <span class="p">{</span> <span class="na">httpOnly</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">sameSite</span><span class="p">:</span> <span class="dl">'</span><span class="s1">lax</span><span class="dl">'</span><span class="p">,</span> <span class="na">secure</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">maxAge</span><span class="p">:</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="c1">// 1 day</span> <span class="p">});</span> <span class="k">throw</span> <span class="nx">redirect</span><span class="p">(</span><span class="mi">303</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="p">})</span> <span class="nx">satisfies</span> <span class="nx">RequestHandler</span><span class="p">;</span> </code></pre> </div> <p>Let's digest this one by one. This <code>GET</code> route will be automatically called by the Corbado API once a user clicks on register or login. We then need to verify that information with the Corbado API, and can then authenticate our user locally.</p> <p>In the <code>Corbado</code> constant, we save all the information that is relevant to verification, such as <code>sessionToken</code>, and <code>clientinfo</code> such as the <code>userAgent</code> and the <code>remoteAddress</code>. SvelteKit provides useful helpers we can pass to the route to get all this information.</p> <p>Once we have that information, we want to call the Corbado API's <code>sessionVerify</code> endpoint. We use our project ID and our secret that we saved in our <code>.env</code> before to authenticate with Basic authentication, and in the body, we pass the sessionToken, and the <code>clientinfo</code> we have gathered.</p> <p>If our response fails, we will let our endpoint throw an error. If we successfully verified, we can now set a cookie using a new <code>jwt</code> token, and redirect our client back to the root. Note that in production, you would probably use the user information returned to you by the response of the <code>sessionVerify</code> call to create a user in your database, but for our purpose, we'll just create a cookie locally.</p> <h3> 5.4 Using cookies to manage authentication state </h3> <p>Now that we can press sign up on our web component and get a cookie back, we need to load that cookie into our client and use it to show sign in status. To do this, we can use SvelteKit's <code>load</code> functions. In our <code>routes</code> folder root, we can create a <code>+page.server.ts</code> next to the existing <code>+page.server.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">PageServerLoad</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">load</span> <span class="o">=</span> <span class="p">(</span><span class="k">async</span> <span class="p">({</span> <span class="nx">cookies</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">jwt</span> <span class="o">=</span> <span class="nx">cookies</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">jwt</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">jwt</span> <span class="p">};</span> <span class="p">})</span> <span class="nx">satisfies</span> <span class="nx">PageServerLoad</span><span class="p">;</span> </code></pre> </div> <p>What this does is get the jwt cookie that we set in the redirect, and pass it down to all pages in the same level of <code>routes</code> or below.</p> <p>Earlier, in our root <code>+page.svelte</code>, you might have noticed that there was an additional variable in our script:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">let</span> <span class="nx">data</span><span class="p">:</span> <span class="nx">PageData</span><span class="p">;</span> </code></pre> </div> <p>This data is populated with whatever the <code>load</code> function of our page returns, in this case the content of our jwt cookie. We want to pass this cookie down into our <code>PasskeyDemo</code> section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;PasskeyDemo</span> <span class="err">{</span><span class="na">data</span><span class="err">}</span> <span class="nt">/&gt;</span> </code></pre> </div> <p>In that section, we also need to declare the <code>data</code> prop to receive it from the parent page. This should be in our script section:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">let</span> <span class="nx">data</span><span class="p">:</span> <span class="nx">PageData</span><span class="p">;</span> </code></pre> </div> <p>Now we can use that to conditionally render our UI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!--- other code ---&gt;</span> {#if data <span class="err">&amp;&amp;</span> data.jwt} <span class="nt">&lt;Card</span> <span class="na">class=</span><span class="s">"w-full"</span><span class="nt">&gt;</span> <span class="nt">&lt;Heading</span> <span class="na">tag=</span><span class="s">"h4"</span><span class="nt">&gt;</span>That’s it. You’re logged in.​<span class="nt">&lt;/Heading&gt;</span> <span class="nt">&lt;button</span> <span class="na">href=</span><span class="s">"/api/logout"</span> <span class="na">pill</span> <span class="na">class=</span><span class="s">"bg-primary text-white mt-32 mb-8"</span><span class="nt">&gt;</span>Log out<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/Card&gt;</span> {:else} <span class="nt">&lt;Card</span> <span class="na">class=</span><span class="s">"w-full"</span><span class="nt">&gt;</span> <span class="nt">&lt;Corbado-auth</span> <span class="na">style=</span><span class="s">"border: none"</span> <span class="na">project_id=</span><span class="s">"{PUBLIC_CORBADO_PROJECT_ID}"</span> <span class="na">conditional=</span><span class="s">"yes"</span> <span class="na">login_title=</span><span class="s">"Try passkey login"</span> <span class="na">login_btn=</span><span class="s">"Passkey login"</span> <span class="na">register_title=</span><span class="s">"Try passkey signup"</span> <span class="na">register_btn=</span><span class="s">"Passkey signup"</span> <span class="na">page=</span><span class="s">"register"</span> <span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">name=</span><span class="s">"username"</span> <span class="na">id=</span><span class="s">"Corbado-username"</span> <span class="na">value=</span><span class="s">""</span> <span class="na">required</span> <span class="na">autocomplete=</span><span class="s">"webauthn"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/Corbado-auth&gt;</span> <span class="nt">&lt;/Card&gt;</span> {/if} <span class="c">&lt;!--- other code ---&gt;</span> </code></pre> </div> <p>This will render either our web component if we are not logged in, or a log out button if we are already logged in. The Logout button uses another action. We can create that action by simply creating a file <code>api/logout/+server.ts</code> with the following content:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">RequestHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">GET</span> <span class="o">=</span> <span class="p">(({</span> <span class="nx">cookies</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">cookies</span><span class="p">.</span><span class="kd">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">jwt</span><span class="dl">'</span><span class="p">,</span> <span class="dl">''</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">expires</span><span class="p">:</span> <span class="k">new</span> <span class="nb">Date</span><span class="p">(</span><span class="mi">0</span><span class="p">)</span> <span class="p">});</span> <span class="k">throw</span> <span class="nx">redirect</span><span class="p">(</span><span class="mi">303</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="p">})</span> <span class="nx">satisfies</span> <span class="nx">RequestHandler</span><span class="p">;</span> </code></pre> </div> <p>This action will get invoked when the button is pressed, and it will delete the jwt token from the browser and redirect back to the page root.</p> <h2> 6. Conclusion </h2> <p>I hope this demo showed how easy it is to quickly add passwordless authentication using passkeys to your SvelteKit app by using Corbado, and utilizing all of SvelteKit's features to make our lives easier in the process.</p> passkeys svelte webdev security