DEV Community: pilcrowOnPaper The latest articles on DEV Community by pilcrowOnPaper (@pilcrowonpaper). https://dev.to/pilcrowonpaper https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F817313%2Fe02766cd-969a-4430-9fac-1a810553521c.jpeg DEV Community: pilcrowOnPaper https://dev.to/pilcrowonpaper en Your "GDPR compliant" analytics is probably violating GDPR pilcrowOnPaper Wed, 10 May 2023 11:10:01 +0000 https://dev.to/pilcrowonpaper/your-gdpr-compliant-analytics-is-probably-violating-gdpr-4bo8 https://dev.to/pilcrowonpaper/your-gdpr-compliant-analytics-is-probably-violating-gdpr-4bo8 <p>This article is a cross-post of <a href="https://pilcrow.vercel.app/blog/gdpr-analytics">my blog post</a>.</p> <p>For the past few days, I've been working on my next open source project: a dead-simple, self-host analytics library (don't worry, this blog post isn't for promoting it). I just want something simple and lightweight for my blogs and library docs that doesn't require those annoying banners. Daily views, countries, OS/device - that's pretty much all I need. The one metric I considered adding but hadn't was unique visitors; I wasn't really sure how to make it GDPR compliant. No worries, let me just ask Google... and that led me down a rabbit hole of EU law.</p> <p>Here's a short summary of what I found after reading tons of legal documents. This is more a "what <em>not</em> to do" article than a "what you should do" one. Specifically, it won't explain how you should write your privacy policy and get consent - that's for another time.</p> <p>I also looked through how other analytics provider were counting visitors - a lot of them, at best, are misunderstanding the law, and at worst, violating GDPR. This was especially the case for those that claim that they were GDPR complaint and don't use cookies. And yes, that includes Plausible, Vercel Web Analytics, Umami, Matomo, PostHog, and Fathom. I also assume many people don't really understand GDPR either. Did you know that GDPR isn't about cookies, and in fact, by itself, you're allowed to set cookies without user consent?</p> <p>It should be obvious but <strong>I'm not a lawyer, and this is not legal advice</strong>. However, you may want to reconsider if you're using such services.</p> <h2> Related laws </h2> <h3> GDPR </h3> <p><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679">Full text</a>. The General Data Protection Regulation (GDPR - Regulation 2016/679), is an EU law on data protection and privacy enacted in 2016, effective since 2018. It protects consumers from unwanted data collection from services, and gives them control over how it's handled.</p> <p>This regulation does not directly mention or prohibit cookies, and is only intended to protect user privacy.</p> <h3> The ePrivacy Directive </h3> <p><a href="https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058">Full text</a>. Directive 2002/58/EC, more commonly known as the ePrivacy Directive, regulates how data traffic is handled and aims to protect user privacy. It also includes provision to limit spam and tracking, including the use of cookies.</p> <p>While "directives" are not laws and rather more of a goal for each member state to reach by enacting laws individually, every member state has adopted this directive.</p> <h3> Scope </h3> <p>Both of these apply to all 27 member states of the EU, as well as counties in the European Economic Area (Norway, Liechtenstein, Iceland). You must comply if you are either an entity operating in the Union, or providing a service to its population. Since GDPR is an EU law, it applies to non-citizens living its territory, but not to citizens living abroad.</p> <p>The UK has its own version of GDPR, and the ePrivacy Directive is called the Privacy and Electronic Communications Regulations (PECR). They're nearly identical to their European counterparts.</p> <p>If a user from Europe visits your site, you must comply.</p> <h2> Personal data </h2> <p>'Personal data' in the context of GDPR is defined in Article 4(1):</p> <blockquote> <p>(...) any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;</p> </blockquote> <p>Any data that is linked to a single, or just a handful of users, is considered personal data. Names and home addresses are obvious examples, but it also includes online identifiers such as IP addresses, emails, usernames, and session ids. This is mentioned in recital 30:</p> <blockquote> <p>Natural persons may be associated with online identifiers (...) such as internet protocol addresses, cookie identifiers (...)</p> </blockquote> <p>It does not matter whether you can extract meaningful personal info or not. If you can (re)identify the user, it's considered personal data. I think this is obvious with "cookie identifiers" being mentioned. This means user ids and id used for pixel tags are included as well.</p> <p>Unique identifiers, regardless of the method used to generate it (including fingerprinting), are personal data. Encrypting or hashing the data, a process referred to as 'pseudonymization,' may affect the fines when there's a data breach, but the resulting output is still considered personal data.</p> <p>The user should be informed what personal data are processed and for what purpose.</p> <h4> IP address </h4> <p>Sending requests to third party APIs may be a violation of GDPR as the user's IP address was unknowingly shared with a third party, especially if you had the option to self-host or proxy the request. This includes using Google Fonts and embedding social media posts.</p> <ul> <li>EUCJ: <a href="https://curia.europa.eu/juris/document/document.jsf?text=&amp;docid=216555&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=6340488">Fashon ID case</a> </li> <li>German regional court: <a href="https://rewis.io/urteile/urteil/lhm-20-01-2022-3-o-1749320/">Google Fonts case</a> </li> </ul> <h3> Handling personal data </h3> <p><strong>Personal data may not be processed, including its storage and transmission, without a legal basis</strong> (Article 6). These legal bases are not applicable to cookies.</p> <ol> <li>Consent: The user has given clear consent for a specific purpose with an affirmative action.</li> <li>Contractual obligation: 'Contract' in this case may include terms of service.</li> <li>Legal obligation</li> <li>Vital interests: Saving one's life.</li> <li>Public task</li> <li>Legitimate interests</li> </ol> <h4> Consent </h4> <p>Consent must be opt-in. A pre-ticked checkbox or any other default consent are not allowed. The choice must be presented in a way clearly distinguishable from other matters, and must be written in a clear and concise language. Finally, the user must be given a choice to withdraw.</p> <h4> Legitimate interests </h4> <p>While (6) is purposefully broad and is the most flexible out of the six, there must be a specific interest, be it commercial or security, for it to apply. Users' personal rights override your own interests as well, and it cannot be used if you have more unintrusive way to achieve your "interests". Security related interests, such as DDOS protection, are explicitly stated to be considered proper legitimate interest in recital 49:</p> <blockquote> <p>This [a legitimate interest of the data controller concerned] could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping ‘denial of service’ attacks and damage to computer and electronic communication systems.</p> </blockquote> <p>Your users have a right to object to their personal data being processed, as stated in Article 21(1):</p> <blockquote> <p>The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) [legitimate interests] of Article 6(1), (...)</p> </blockquote> <p>While you don't need to comply if you have "compelling legitimate grounds" that override your users' objection, it is generally recommended that there an option to opt-out of the processing is present. You must list your "interests" in clear manner as well (e.g. privacy policy).</p> <p><strong>Analytics for the sake of analytics will likely not be considered "legitimate interests."</strong> "I was just curious" is, at best, a weak argument.</p> <h3> Anonymous data </h3> <p>Anonymous data, data that cannot be used to identify the user directly or indirectly, are not considered personal data and can be processed without the user's consent (recital 26):</p> <blockquote> <p>The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable.</p> </blockquote> <p>This may include initials, gender, country, and device. Masked IP addresses are <a href="">considered anonymous under French regulators</a>, though a clear EU wide decision has not been made.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>type</th> <th>requirement</th> <th>before</th> <th>masked</th> </tr> </thead> <tbody> <tr> <td>IPv4</td> <td>Remove last octet</td> <td><code>128.128.128.128</code></td> <td><code>128.128.128.0</code></td> </tr> <tr> <td>IPv6</td> <td>Remove last 80 bit</td> <td><code>0123:4567:89ab:cdef:0123:4567:89ab:cdef</code></td> <td><code>0123:4567:89ab:0:0:0:0:0</code></td> </tr> </tbody> </table></div> <p>However, the combination of such anonymous data may be considered personal data, such as a masked IP address and device type.</p> <h3> Statistical purpose </h3> <p>Processing personal data for statistical purposes fall within the initial purpose/legal basis of processing, and you may do so without an additional legal basis (Article 5(1)):</p> <blockquote> <p>(...) further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);</p> </blockquote> <p>However, processing data for the sole reason of producing statistics is not a legitimate legal basis of collecting personal data.</p> <h2> The ePrivacy Directive </h2> <p>While the directive is relevant to many aspects of privacy, the one we're interested in is Article 5(3):</p> <blockquote> <p>(...) the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information (...), and is offered the right to refuse such processing by the data controller.</p> </blockquote> <p>In other words, <strong>you are not allowed to store any data onto the user's device (cookies, local storage, cache) without their consent</strong>, unless it is strictly required to provide the content/service the user has requested. Said exception is stated in the next part:</p> <blockquote> <p>This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.</p> </blockquote> <p>GDPR's 6 legal bases for processing personal data (including legitimate interests), do not apply in regards to cookies. Auth cookies (session id or JWT) can be considered "strictly required."</p> <h3> Personal data </h3> <p>Does the Article mentioned above (Article 5) applies to cookies that don't store personal data? Article 3 states on "Services concerned":</p> <blockquote> <p>This directive shall apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks in the Community.</p> </blockquote> <p>This seems as if the directive only applies to processing personal data. However, recital 24 states:</p> <blockquote> <p>Terminal equipment of users of electronic communications networks and any information stored on such equipment are part of the private sphere of the users requiring protection under the European Convention for the Protection of Human Rights and Fundamental Freedoms.</p> </blockquote> <p>Using the device (= storing data) without the user's consent violates their private sphere and, as such, their fundamental freedom. So to answer the question, yes, it applies to non-personal data. The highest court in Germany agrees in the <a href="https://curia.europa.eu/juris/document/document.jsf?text=&amp;docid=218462&amp;pageIndex=0&amp;doclang=EN&amp;mode=lst&amp;dir=&amp;occ=first&amp;part=1&amp;cid=5731980">case of Planet49</a>, where it attempted to answer the same question (referred to as "Question 1(b)"):</p> <blockquote> <p>(...) the answer to Question 1(b) is that Article 2(f) and Article 5(3) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, are not to be interpreted differently according to whether or not the information stored or accessed on a website user’s terminal equipment is personal data within the meaning of Directive 95/46 and Regulation 2016/679.</p> </blockquote> <h2> Counting unique visitors </h2> <p>The issue with counting unique visitors is that you have to distinguish new users from returning users. There's only 2 ways to do that:</p> <ol> <li>Assign every user an id and store it on initial request.</li> <li>Store some flag to users who visit your site.</li> </ol> <p>The first option violates GDPR as it requires you to process personal data (a unique identifier), and the second option violates the ePrivacy Directive as you're storing data onto the user's device if you don't show a cookie banner.</p> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>service</th> <th>possible violation</th> <th>relevant legislation</th> </tr> </thead> <tbody> <tr> <td>Phantom</td> <td>assigns unique id: hash from ip, user agent</td> <td>GDPR</td> </tr> <tr> <td>Plausible</td> <td>assigns unique id: hash from ip, user agent</td> <td>GDPR</td> </tr> <tr> <td>PostHog</td> <td>assigns unique id + storage before consent</td> <td>GDPR, ePrivacy</td> </tr> <tr> <td>Umami</td> <td>assigns unique id: hash from ip, user agent</td> <td>GDPR</td> </tr> <tr> <td>Vercel</td> <td>assigns unique id: hash from ip, user agent</td> <td>GDPR</td> </tr> </tbody> </table></div> <p>It's also possible sending requests to third party APIs, so just using third party analytics, may be a violation of GDPR as you're exposing the user's IP address without their consent.</p> <p>The only leeway here is legitimate interests, as mentioned before. Do you have legitimate interests in tracking unique visitors, and solely that? It's likely you <em>just</em> want to see the number of visitors to your site, and since you can already track interests and traffic via page views, I do not think it applies here.</p> <h4> Matomo </h4> <p>Matomo claims its no-consent cookie based configuration is approved by CNIL, France's data privacy regulatory body. While this is true, as <a href="https://www.cnil.fr/en/sheet-ndeg16-use-analytics-your-websites-and-applications">CNIL considers some analytics cookies exempt from requiring consent</a> under certain conditions, this is only applicable to France.</p> <h4> Fathom </h4> <p><a href="https://usefathom.com/blog/anonymization">Fanthom claims</a> its customers use legitimate interests as their basis for handling IP addresses (personal data):</p> <blockquote> <p>Processing personal data (IP address &amp; User-Agent as per the GDPR) is not an issue, and the GDPR offers six lawful bases for doing so. Our customers rely on legitimate interest, and there is no risk to the data subject, and we ensure their data is anonymized.</p> </blockquote> <p>However, as stated above, I do not think legitimate interests apply here, and Fanthom does not elaborate further. It also wrongly claims that hashing counts as anonymization and that GDPR may not apply, when it should be considered pseudonymization and the resulting data is still considered personal data.</p> <h2> Now what? </h2> <p>So, what options are left? Well, not a lot to be honest. For me, I intend to only "track" users from non-EU users and guesstimate total unique visitors by comparing it with total views. You can use "legitimate interests" if you want, but is it really worth thinking about and writing legal stuff?</p> <p>There is hope though. The European Commission is <a href="https://digital-strategy.ec.europa.eu/en/policies/eprivacy-regulation">considering replacing the old ePrivacy Directive</a>, the directive prohibiting all non-essential cookies. Among the many planned changes, it'll allow some cookies for analytics purposes. Unfortunately, it might a take while...</p> <h2> Other things to consider </h2> <p>Here are some important things from GDPR that isn't related to analytics.</p> <h3> Responsibility </h3> <p>The responsibility to ensure the user's personal data is protected is placed on the controller, not the processor. The controller is the one who controls what data is processed by itself and processors, who process the data on behalf of the controller. If you're using Google Analytics, for example, you are the controller while Google is the processor.</p> <h3> Data transfer </h3> <p>Personal data must not be transferred to third countries unless certain conditions are met. Data can be transferred to countries that the EU has deemed to have adequate level of protection, including the United Kingdom and Canada (Article 45). Notably, the United States is not included. Alternatively, individual corporation are required to implement Standard Contractual Clauses (SCC) and/or an adequate safe guard as an alternative (Article 47). Those should be already covered if you host on Cloudflare and Vercel.</p> <p>You may be allowed in the absence of the requirement above if they meet certain conditions, including consent, contractual obligation, and legitimate interest (Article 49).</p> <p>Users should be informed of any international data transfer.</p> webdev tutorial analytics todayilearned Announcing Lucia 1.0 - A simple and flexible auth library with support for multiple databases and frameworks pilcrowOnPaper Sun, 09 Apr 2023 14:38:44 +0000 https://dev.to/pilcrowonpaper/announcing-lucia-10-a-simple-and-flexible-auth-library-with-support-for-multiple-databases-and-frameworks-4pi1 https://dev.to/pilcrowonpaper/announcing-lucia-10-a-simple-and-flexible-auth-library-with-support-for-multiple-databases-and-frameworks-4pi1 <p>I'm super excited to announce Lucia 1.0! This has been a long time coming and I still can't believe how much support the project had over the development. It now has over 800 Github stars and nearly 3,000 NPM weekly downloads!</p> <p>Lucia is a server-side authentication library for TypeScript that aims to be unintrusive, straightforward, and flexible. At its core, it’s a library for managing users and sessions, providing the building blocks for setting up auth just how you want. Database adapters allow Lucia to be used with any modern ORMs/databases and integration packages make it easy to implement things like OAuth. Unlike Auth.js, it's much more low-level and simple, giving you full control of auth.</p> <p>Key features:</p> <ul> <li>Session based auth</li> <li>Support for popular databases/ORMs</li> <li>OAuth support</li> <li>Multiple auth methods with keys</li> <li>Email verification links and OTPs with tokens</li> </ul> <p>Docs (I've worked super hard on this!): <a href="https://lucia-auth.com/?framework=sveltekit">https://lucia-auth.com/?framework=sveltekit</a><br> Repo: <a href="https://github.com/pilcrowOnPaper/lucia">https://github.com/pilcrowOnPaper/lucia</a></p> <h2> Working with Lucia </h2> <p>A simple example for email/password auth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">createUser</span><span class="p">({</span> <span class="c1">// how to identify user for authentication?</span> <span class="na">primaryKey</span><span class="p">:</span> <span class="p">{</span> <span class="na">providerId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// using email</span> <span class="na">providerUserId</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user@example.com</span><span class="dl">"</span><span class="p">,</span> <span class="c1">// email to use</span> <span class="na">password</span><span class="p">:</span> <span class="dl">"</span><span class="s2">123456</span><span class="dl">"</span> <span class="p">},</span> <span class="c1">// custom attributes</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="dl">"</span><span class="s2">user@example.com</span><span class="dl">"</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">createSession</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">createSessionCookie</span><span class="p">(</span><span class="nx">session</span><span class="p">);</span> </code></pre> </div> <p>You can see that Lucia provides basic primitives that you can use however you want to implement your own auth.</p> <h2> Concepts of Lucia </h2> <p>Aside from users (which should be obvious), there's 2 other key concepts: Sessions and keys. One you understand the 3 concepts of Lucia, it should be pretty easy to use it.</p> <h3> Sessions </h3> <p>Sessions are how you validate and keep track of users. You create new sessions for a user and store the id of the session to the user’s browser or device. To validate a session, you can compare the session id stored in the client and the database.</p> <h3> Keys </h3> <p>When authenticating users (log in), you get the user data from an external provider, such as the email from the user’s input or the Github user id for social login. Keys allow you to link such external data from a provider with Lucia users stored in your database. This type of key can hold a password, which will be hashed and can be validated with Lucia’s API. This is mainly for implementing password logins.</p> <p>For example, for email/password, “email” can be the provider id, the user’s email can be the provider user id, and the user’s password can be stored as the key’s password. For Github OAuth, “github” can be the provider id and the user’s GitHub user id can be the provider user id.</p> javascript webdev security database Preloading Google Fonts pilcrowOnPaper Wed, 22 Mar 2023 08:22:35 +0000 https://dev.to/pilcrowonpaper/preloading-google-fonts-37h1 https://dev.to/pilcrowonpaper/preloading-google-fonts-37h1 <p>Google Fonts is one of the easiest way to customize your website. Pick your fonts, add few lines of html, and boom, you're done:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;head&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preconnect"</span> <span class="na">href=</span><span class="s">"https://fonts.googleapis.com"</span> <span class="na">crossorigin</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preconnect"</span> <span class="na">href=</span><span class="s">"https://fonts.gstatic.com"</span> <span class="na">crossorigin</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">href=</span><span class="s">"https://fonts.googleapis.com/css2?family=Roboto&amp;display=swap"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/head&gt;</span> </code></pre> </div> <p>Well, until you realize that your fonts aren't getting applied immediately, only happening after the whole page has been loaded. That improves page speed but isn't the best design wise (and to some extent, UX wise).</p> <p>We can tell the browser to load assets before load with <code>rel="preload"</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;head&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preconnect"</span> <span class="na">href=</span><span class="s">"https://fonts.googleapis.com"</span> <span class="na">crossorigin</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preconnect"</span> <span class="na">href=</span><span class="s">"https://fonts.gstatic.com"</span> <span class="na">crossorigin</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">href=</span><span class="s">"https://fonts.googleapis.com/css2?family=Roboto&amp;display=swap"</span> <span class="na">rel=</span><span class="s">"preload"</span> <span class="na">as=</span><span class="s">"style"</span> <span class="na">crossorigin</span> <span class="nt">/&gt;</span> <span class="nt">&lt;link</span> <span class="na">href=</span><span class="s">"https://fonts.googleapis.com/css2?family=Roboto&amp;display=swap"</span> <span class="na">rel=</span><span class="s">"stylesheet"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/head&gt;</span> </code></pre> </div> <p>Make sure to add both of the <code>&lt;link/&gt;</code> tag.</p> <p>But this doesn't solve our problem just yet. We're preloading a stylesheet, but that stylesheet also imports fonts. We have to preload those as well.</p> <p>If you visit <code>https://fonts.googleapis.com/css2?family=Roboto&amp;display=swap</code> (the stylesheet location), you'll see a list of font-face declaration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="c">/* latin */</span> <span class="k">@font-face</span> <span class="p">{</span> <span class="nl">font-family</span><span class="p">:</span> <span class="s2">'Roboto'</span><span class="p">;</span> <span class="nl">font-style</span><span class="p">:</span> <span class="nb">normal</span><span class="p">;</span> <span class="nl">font-weight</span><span class="p">:</span> <span class="m">400</span><span class="p">;</span> <span class="py">font-display</span><span class="p">:</span> <span class="n">swap</span><span class="p">;</span> <span class="nl">src</span><span class="p">:</span> <span class="sx">url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2)</span> <span class="n">format</span><span class="p">(</span><span class="s2">'woff2'</span><span class="p">);</span> <span class="py">unicode-range</span><span class="p">:</span> <span class="n">U</span><span class="err">+</span><span class="m">0000-00</span><span class="n">FF</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">0131</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">0152-0153</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">02</span><span class="n">BB-02BC</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">02</span><span class="n">C6</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">02</span><span class="n">DA</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">02</span><span class="n">DC</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">2000-206</span><span class="n">F</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">2074</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">20</span><span class="n">AC</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">2122</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">2191</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">2193</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">2212</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="m">2215</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="n">FEFF</span><span class="p">,</span> <span class="n">U</span><span class="err">+</span><span class="n">FFFD</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>That url inside <code>url(https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2)</code> is the actual font and we can preload those as well:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;head&gt;</span> <span class="c">&lt;!-- previous stuff --&gt;</span> <span class="nt">&lt;link</span> <span class="na">rel=</span><span class="s">"preload"</span> <span class="na">href=</span><span class="s">"https://fonts.gstatic.com/s/roboto/v30/KFOmCnqEu92Fr1Mu4mxKKTU1Kg.woff2"</span> <span class="na">crossorigin</span> <span class="na">as=</span><span class="s">"font"</span> <span class="na">type=</span><span class="s">"font/woff2"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/head&gt;</span> </code></pre> </div> <p>You only have to do this for <code>@font-face</code> with a <code>/* latin */</code> or <code>/* latin-ext */</code> comment since those are the font files for the English alphabet.</p> <p>This won't be perfect but it should work 95% of the time.</p> <p>Cheers!</p> webdev css Introducing Lucia: A simple, flexible, and type-safe authentication library for Next.js, SvelteKit, and beyond pilcrowOnPaper Mon, 07 Nov 2022 11:50:30 +0000 https://dev.to/pilcrowonpaper/introducing-lucia-a-simple-flexible-and-type-safe-authentication-library-for-nextjs-sveltekit-and-beyond-4jeg https://dev.to/pilcrowonpaper/introducing-lucia-a-simple-flexible-and-type-safe-authentication-library-for-nextjs-sveltekit-and-beyond-4jeg <p>Hi!</p> <p>Over the past few months, I've been working on a library called <a href="https://github.com/pilcrowOnPaper/lucia-auth">Lucia</a>. At its core, it's a user and session management library that provides an abstraction layer between your app and your database. Using it, you can create users, creates sessions for those users, and validate those sessions. But, it doesn't try to do more than that; you have to create your own sign-in forms and APIs, and handle things like email verification by yourself. But, because of that, how you use Lucia is totally up to you. </p> <p>That said though, we do provide integration packages to make it easier to use with your favorite frameworks. Right now, we directly support <a href="https://lucia-auth.vercel.app/nextjs/start-here/getting-started">Next.js</a>, <a href="https://lucia-auth.vercel.app/sveltekit/start-here/getting-started">SvelteKit</a>, and <a href="https://lucia-auth.vercel.app/astro/start-here/getting-started">Astro SSR</a>. We also have a package for handling <a href="https://lucia-auth.vercel.app/oauth/start-here/getting-started">OAuth</a>. I think it's important to keep the core package simple and focused, and give you the option to trade some flexibility for an easier experience. It shouldn't be the other way around.</p> <p>And this is what makes it different from existing solutions like Supabase auth, SuperTokens, or NextAuth. It isn't a complete solution, and it never tries to be so. It allows you to make something that fits your app's need and build on top of it. There's no hidden configurations or callbacks that forces you to use jank solutions.</p> <p>Repo: <a href="https://github.com/pilcrowOnPaper/lucia-auth">https://github.com/pilcrowOnPaper/lucia-auth</a></p> <p>Docs: <a href="https://lucia-auth.vercel.app">https://lucia-auth.vercel.app</a></p> <h2> Features! </h2> <p>Aside from the obvious (own your data, secure, MIT license, etc):</p> <h3> Supports any databases </h3> <p>We take a similar approach to NextAuth, where we provide database adapters. We currently provide adapters for Prisma, Supabase, MongoDB, and Redis. We also have an extensive documentation on creating your own adapters and provide a package for testing them.</p> <h3> Custom user attributes </h3> <p>Similar to Firebase custom claims, you can set any user attributes to the user. By default, only the user id is required to be stored in your database, and you can add additional columns to it (like <code>username</code>, <code>is_verified</code>, etc). </p> <h3> Low-level control </h3> <p>Since Lucia is the layer between your database and app, it provides everything you need to interact with user and session data. Just a single method to update user data and password, invalidate sessions, create session cookies, etc.</p> <h3> Session ids </h3> <p>This is less a feature but more of the inner-workings. To not over-complicate the APIs, we only support session ids (and not JWTs). While JWT + access/refresh tokens may be a better fit in some use cases, we think you can't go <em>wrong</em> using session ids.</p> <h2> Code samples </h2> <h3> Create user and session </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// create a user using "email" auth method</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">createUser</span><span class="p">(</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">,</span> <span class="nx">userEmail</span><span class="p">,</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="nx">userPassword</span><span class="p">,</span> <span class="c1">// will hash it for you</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="nx">userUsername</span> <span class="p">}</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">createSession</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">userId</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">sessionCookies</span> <span class="o">=</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">createSessionCookies</span><span class="p">(</span><span class="nx">session</span><span class="p">);</span> </code></pre> </div> <h3> Validate requests </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// will also renew sessions if expired</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">validateRequest</span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">setSession</span><span class="p">);</span> </code></pre> </div> <p>Or using Next.js integration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">authRequest</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">AuthRequest</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">req</span><span class="p">,</span> <span class="nx">ctx</span><span class="p">.</span><span class="nx">res</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">authRequest</span><span class="p">.</span><span class="nx">getSession</span><span class="p">();</span> </code></pre> </div> <h3> OAuth </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">callbackCode</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nx">searchParams</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">code</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">existingUser</span><span class="p">,</span> <span class="nx">providerUser</span><span class="p">,</span> <span class="nx">createUser</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">githubAuth</span><span class="p">.</span><span class="nx">validateCallback</span><span class="p">(</span><span class="nx">callbackCode</span><span class="p">);</span> <span class="c1">// create a new user for first-time users</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">existingUser</span> <span class="o">||</span> <span class="p">(</span><span class="k">await</span> <span class="nx">createUser</span><span class="p">({</span> <span class="na">username</span><span class="p">:</span> <span class="nx">providerUser</span><span class="p">.</span><span class="nx">login</span><span class="p">;</span> <span class="p">});</span> </code></pre> </div> <p>If you have any questions while using Lucia, feel free to ask us on GitHub or Discord. Cheers!</p> nextjs javascript svelte security SvelteKit + Lucia: Email and password authentication pilcrowOnPaper Fri, 22 Jul 2022 14:09:00 +0000 https://dev.to/pilcrowonpaper/sveltekit-lucia-authentication-guide-email-and-password-6f2 https://dev.to/pilcrowonpaper/sveltekit-lucia-authentication-guide-email-and-password-6f2 <p>I recently released <a href="https://lucia-sveltekit.vercel.app">Lucia</a>, an authentication library for SvelteKit. It handles the bulk of the authentication process and makes it easier to implement authentication to your SvelteKit project. Unlike other libraries, it isn't an out-of-the-box authentication library and requires a bit more time to start, but can be fully customized once you know the basics. It doesn't <em>just</em> create tokens, it uses short-lived access tokens with refresh tokens, auto-refreshes them, implements rotating refresh token, and detects refresh token theft. </p> <p>This guide will cover how to implement email and password authentication, at least the sign in part of it. I'm going to gloss over some parts that are better explained in <a href="https://lucia-sveltekit.vercel.app">the documentation</a>.</p> <h2> Setup </h2> <p>The basic set up is explained <a href="https://lucia-sveltekit.vercel.app/getting-started">here</a>.</p> <h3> Database </h3> <p>Refer to <a href="https://lucia-sveltekit.vercel.app/adapters">adapters</a> for database-specific explanation. Add a new column called <code>email</code> (text/varchar) where the values are unique.</p> <h3> Frontend </h3> <p>Send a POST request to the signup or login endpoint with a JSON body.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">const</span> <span class="nx">signup</span> <span class="o">=</span> <span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/signup</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">"</span><span class="s2">POST</span><span class="dl">"</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="p">}),</span> <span class="p">});</span> <span class="p">};</span> </code></pre> </div> <h2> Sign up </h2> <p>Create <code>routes/api/signup.ts</code> and accept a POST request. Get the email and password from the body data.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">RequestHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@sveltejs/kit</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">$lib/lucia</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span><span class="p">:</span> <span class="nx">RequestHandler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nx">json</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Create a new user </h3> <p>Create a new user using <a href="https://lucia-sveltekit.vercel.app/server-apis#createuser"><code>createUser</code></a> using the auth id of <code>email</code> and an identifier of <code>email</code>. Auth ids represent the authentication method used (for Github OAuth, "github"), and identifier represents the user within that method (usernames or email for GitHub). It's used to identify users and not to store user data (if you need to store the user's email, create a email column in your db).<br> Refer to the <a href="https://lucia-sveltekit.vercel.app/overview">overview</a> page for an explanation on auth ids and identifiers. </p> <p>Save the user's password using the password options and the user's email using <code>user_data</code>. Set the cookies (refresh, access, and fingerprint token) and redirect the user in the response. The <code>AUTH_DUPLICATE_IDENTIFER_TOKEN</code> error is thrown when a user tries to create a new account using the same auth id and identifer (in this case, email).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">createUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">createUser</span><span class="p">(</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="p">{</span> <span class="nx">password</span><span class="p">,</span> <span class="na">user_data</span><span class="p">:</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">302</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">set-cookie</span><span class="dl">"</span><span class="p">:</span> <span class="nx">createUser</span><span class="p">.</span><span class="nx">cookies</span><span class="p">,</span> <span class="na">location</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="nx">e</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">AUTH_DUPLICATE_IDENTIFER_TOKEN</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">AUTH_DUPLICATE_USER_DATA</span><span class="dl">"</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Email already in use.</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unknown error.</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <h2> Sign in </h2> <p>Create <code>routes/api/login.ts</code> and accept a POST request. Get the user's email and password from the body.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">RequestHandler</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@sveltejs/kit</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">$lib/lucia</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">POST</span><span class="p">:</span> <span class="nx">RequestHandler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nx">formData</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">form</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">)?.</span><span class="nx">toString</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">password</span> <span class="o">=</span> <span class="nx">form</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">password</span><span class="dl">"</span><span class="p">)?.</span><span class="nx">toString</span><span class="p">();</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">password</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="p">};</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> Authenticate a user </h3> <p>Authenticate the user using <a href="https://lucia-sveltekit.vercel.app/server-apis#authenticateuser"><code>authenticateUser</code></a>, which will require a password in the third parameter. The auth id should be the same as the one used when creating the user. It's important to NOT tell the user if the email was incorrect or if the password was incorrect.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authenticateUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">authenticateUser</span><span class="p">(</span> <span class="dl">"</span><span class="s2">email</span><span class="dl">"</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">);</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">302</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">set-cookie</span><span class="dl">"</span><span class="p">:</span> <span class="nx">createUser</span><span class="p">.</span><span class="nx">cookies</span><span class="p">,</span> <span class="na">location</span><span class="p">:</span> <span class="dl">"</span><span class="s2">/</span><span class="dl">"</span><span class="p">,</span> <span class="p">},</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">error</span> <span class="o">=</span> <span class="nx">e</span> <span class="k">as</span> <span class="nb">Error</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">AUTH_INVALID_IDENTIFIER_TOKEN</span><span class="dl">"</span> <span class="o">||</span> <span class="nx">error</span><span class="p">.</span><span class="nx">message</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">AUTH_INVALID_PASSWORD</span><span class="dl">"</span> <span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">400</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Incorrect email or password.</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">}</span> <span class="c1">// database connection error</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">500</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Unknown error.</span><span class="dl">"</span><span class="p">,</span> <span class="p">}),</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>That's it. Other parts of Lucia and authentication (like token refresh and protected routes) are explained in <a href="https://lucia-sveltekit.vercel.app/getting-started">getting started</a>.</p> Reddit API is such a mess pilcrowOnPaper Sat, 14 May 2022 16:19:59 +0000 https://dev.to/pilcrowonpaper/reddit-api-is-such-a-mess-me2 https://dev.to/pilcrowonpaper/reddit-api-is-such-a-mess-me2 <p>I really hate both reddit.com and its mobile app, and was looking for an alternative. I just wanted something minimalistic and lightweight. Apollo, Slide, Narwhal, Comment, BaconReader, photon-reddit... I tried everything I could find and none of them felt <em>nice</em> to use. So, I thought I could make own, how hard can that be? Fetch some data from the API and display it.</p> <p>Oh, how wrong I was.</p> <p>First of all, the documentation, uh, leaves a lot to be desired. There's no response body example so I had to call each of them before using them. Some parameters are just left unacknowledged.</p> <p>My biggest complaint is that there's no easy way to tell if the post is a text, image, GIF, video, embedded video, or embedded image.</p> <p><code>is_self</code> means it's a text. <code>is_video</code> means it's a video, but not, since you also have to check <code>post_hint === 'rich:video'</code> and <code>domain === 'v.redd.it'</code>. But even if you know what kind of media it is, getting the media URL is in its self is a hurdle. Sometimes you have check <code>media_embed</code>, maybe <code>media_metadata</code>, or <code>preview.images[0]</code>. Oh, and <code>media.reddit_video</code>.</p> <p>And the inconsistency.</p> <p>Sometimes nsfw items are marked as <code>over_18</code> and other times as <code>over18</code>. Some key-values are missing depending on which endpoint you call, like <code>description</code> from users missing when you search users by a query. Icon URLs are included in either <code>community_icon</code> or <code>icon_img</code>.</p> <p>And finally, getting the next batch of items.</p> <p>Reddit API only gives you a max 100 or so items for each API call. If you want to get the next batch of posts, you have you use the <code>after</code> id provided by the previous call. Fine, it works. But, how do you get the next batch of comments in a comment section? Well, the API returns you all the comment ID of comments that weren't included in the first batch. You can get the content of each comment using their ids, but replies to those comments are missing. There's an endpoint that gives you the comment with the replies, but it's missing crucial information like who made them. And don't forget that the object that includes that list of comment ids are inside an array of totally different comment-objects. </p> <p>There are API wrappers like Snoowrap but I am not willing to see any more response body from reddit.com.</p> <p>So, my solution?</p> <p>Create an API wrapper that does all the work for you and returns a clean response body without the fat. Still very much in progress though: <a href="https://github.com/pilcrowOnPaper/corsica">https://github.com/pilcrowOnPaper/corsica</a>.</p> api javascript webdev SvelteKit JWT authentication tutorial pilcrowOnPaper Thu, 31 Mar 2022 06:58:00 +0000 https://dev.to/pilcrowonpaper/sveltekit-jwt-authentication-tutorial-2m34 https://dev.to/pilcrowonpaper/sveltekit-jwt-authentication-tutorial-2m34 <blockquote> <p>Update! I created an authentication library called <a href="https://lucia-sveltekit.vercel.app">Lucia</a> to solve this problem. It's much more secure than the method use here (but still very flexible) so check it out!</p> </blockquote> <p>Hello, this article will cover how to implement authentication into your SvelteKit project. This will be a JWT authentication with refresh tokens for added security. We will use Supabase as the database (PostgreSQL) but the basics should be the same.</p> <p><a href="https://github.com/pilcrowOnPaper/sveltekit-auth-demo">Github repository</a></p> <h2> Before we start... </h2> <h3> Why? </h3> <p>In my previous post and video, I showed how to implement Firebase authentication. But, at that point, there’s no real advantages of using those services, especially if you don’t need Firestore’s realtime updates. With Supabase offering a generous free tier and a pretty good database, it likely is simpler to create your own. </p> <h3> How will it work? </h3> <p>When a user signs up, we will save the user’s info and password into our database. We will also generate a refresh token and save it both locally and in the database. We will create a JWT token with user info and save it as a cookie. This JWT token will expire in 15 minutes. When it expires, we will check if a refresh token exists, and compare it with the one saved inside our database. If it matches, we can create a new JWT token. With this system, you can revoke a user’s access to your website by changing the refresh token saved in the database (though it may take up to 15 minutes). </p> <p>Finally, why Supabase and not Firebase? Personally, I felt the unlimited read/writes were much more important than storage size when working with a free tier. But, any database should work.</p> <h2> I. Set up </h2> <p>This project will have 3 pages: </p> <ul> <li> <code>index.svelte</code> : Protected page</li> <li> <code>signin.svelte</code> : Sign in page</li> <li> <code>signup.svelte</code> : Sign up page</li> </ul> <p>And here’s the packages we’ll be using:</p> <ul> <li><code>supabase</code></li> <li> <code>bcrypt</code> : For hashing passwords</li> <li> <code>crypto</code> : For generating user ids (UUID)</li> <li> <code>jsonwebtoken</code> : For creating JWT</li> <li> <code>cookie</code> : For parsing cookies in the server</li> </ul> <h2> II. Supabase </h2> <p>Create a new project. Now, create a new table called <code>users</code> (All non-null) :</p> <ul> <li> <code>id</code> : int8, unique, isIdentity</li> <li> <code>email</code> : varchar, unique</li> <li> <code>password</code> : text</li> <li> <code>username</code> : varchar, unique</li> <li> <code>user_id</code> : uuid, unique</li> <li> <code>refresh_token</code> : text</li> </ul> <p>Go to settings &gt; api. Copy your <code>service_role</code> and <code>URL</code>. Create <code>supabase-admin.ts</code> :<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">createClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@supabase/supabase-js</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">admin</span> <span class="o">=</span> <span class="nx">createClient</span><span class="p">(</span> <span class="dl">'</span><span class="s1">URL</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">service_role</span><span class="dl">'</span> <span class="p">);</span> </code></pre> </div> <p>If you’re using Supabase in your front end, DO NOT use this client (<code>admin</code>) for it. Create a new client using your <code>anon</code> key. </p> <h2> III. Creating an account </h2> <p>Create a new endpoint (<code>/api/create-user.ts</code>). This will be for a POST request and will require <code>email</code>, <code>password</code>, and <code>username</code> as its body.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">post</span><span class="p">:</span> <span class="nx">RequestHandler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">json</span><span class="p">())</span> <span class="k">as</span> <span class="nx">Body</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">body</span><span class="p">.</span><span class="nx">email</span> <span class="o">||</span> <span class="o">!</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span> <span class="o">||</span> <span class="o">!</span><span class="nx">body</span><span class="p">.</span><span class="nx">username</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Invalid request</span><span class="dl">'</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">validateEmail</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="o">||</span> <span class="nx">body</span><span class="p">.</span><span class="nx">username</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">4</span> <span class="o">||</span> <span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">6</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Bad request</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>By the way, <code>returnError()</code> is just to make the code cleaner. And <code>validateEmail()</code> just checks if the input string has <code>@</code> inside it, since (to my limited knowledge) we can’t 100% check if an email is valid using regex.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">returnError</span> <span class="o">=</span> <span class="p">(</span><span class="nx">status</span><span class="p">:</span> <span class="kr">number</span><span class="p">,</span> <span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="nx">RequestHandlerOutput</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">status</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="nx">message</span> <span class="p">}</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <p>Anyway, let’s make sure the <code>email</code> or <code>username</code> isn’t already in use.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">check_user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">admin</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nx">select</span><span class="p">()</span> <span class="p">.</span><span class="nx">or</span><span class="p">(</span><span class="s2">`email.eq.</span><span class="p">${</span><span class="nx">body</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="s2">,username.eq.</span><span class="p">${</span><span class="nx">body</span><span class="p">.</span><span class="nx">username</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nx">maybeSingle</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="nx">check_user</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">405</span><span class="p">,</span> <span class="dl">'</span><span class="s1">User already exists</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>Next, hash the user’s password and create a new user id and refresh token, which will be saved in our database.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">salt</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nx">genSalt</span><span class="p">(</span><span class="mi">10</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">hash</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nx">hash</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">salt</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user_id</span> <span class="o">=</span> <span class="nx">randomUUID</span><span class="p">();</span> <span class="c1">// import { randomUUID } from 'crypto';</span> <span class="kd">const</span> <span class="nx">refresh_token</span> <span class="o">=</span> <span class="nx">randomUUID</span><span class="p">();</span> <span class="kd">const</span> <span class="nx">create_user</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">admin</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nx">insert</span><span class="p">([</span> <span class="p">{</span> <span class="na">email</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">username</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">password</span><span class="p">:</span> <span class="nx">hash</span><span class="p">,</span> <span class="nx">user_id</span><span class="p">,</span> <span class="nx">refresh_token</span> <span class="p">}</span> <span class="p">]);</span> <span class="k">if</span> <span class="p">(</span><span class="nx">create_user</span><span class="p">.</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="nx">create_user</span><span class="p">.</span><span class="nx">statusText</span><span class="p">);</span> </code></pre> </div> <p>Finally, generate a new JWT token. Make sure to pick something random for <code>key</code>. Make sure to only set <code>secure</code> if you’re only in production (localhost is http, not https).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="nx">user_id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">body</span><span class="p">.</span><span class="nx">email</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">secure</span> <span class="o">=</span> <span class="nx">dev</span> <span class="p">?</span> <span class="dl">''</span> <span class="p">:</span> <span class="dl">'</span><span class="s1"> Secure;</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// import * as jwt from 'jsonwebtoken';</span> <span class="c1">// expires in 15 minutes</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">sign</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">}</span><span class="s2">`</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// import { dev } from '$app/env';</span> <span class="c1">// const secure = dev ? '' : ' Secure;';</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="c1">// expires in 90 days</span> <span class="s2">`refresh_token=</span><span class="p">${</span><span class="nx">refresh_token</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">30</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="p">}</span><span class="s2">; Path=/; </span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="s2">`token=</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span> <span class="p">]</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>In our signup page, we can call a POST request and redirect our user if it succeeds. Make sure to use <code>window.location.href</code> instead of <code>goto()</code> or else the change (setting the cookie) won’t be implemented.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">signUp</span> <span class="o">=</span> <span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/create-user</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">same-origin</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">username</span><span class="p">,</span> <span class="nx">password</span> <span class="p">})</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">href</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">;</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> IV. Signing in </h2> <p>We will handle the sign in in <code>/api/signin.ts</code>. This time, we will allow the user to user either their username or email. To do that, we can check if it is a valid username or email, and check if the same username or email exists.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">post</span><span class="p">:</span> <span class="nx">RequestHandler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">body</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">json</span><span class="p">())</span> <span class="k">as</span> <span class="nx">Body</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">body</span><span class="p">.</span><span class="nx">email_username</span> <span class="o">||</span> <span class="o">!</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Invalid request</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">valid_email</span> <span class="o">=</span> <span class="nx">body</span><span class="p">.</span><span class="nx">email_username</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">validateEmail</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">email_username</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">valid_username</span> <span class="o">=</span> <span class="o">!</span><span class="nx">body</span><span class="p">.</span><span class="nx">email_username</span><span class="p">.</span><span class="nx">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)</span> <span class="o">&amp;&amp;</span> <span class="nx">body</span><span class="p">.</span><span class="nx">email_username</span><span class="p">.</span><span class="nx">length</span> <span class="o">&gt;</span> <span class="mi">3</span><span class="p">;</span> <span class="k">if</span> <span class="p">((</span><span class="o">!</span><span class="nx">valid_email</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">valid_username</span><span class="p">)</span> <span class="o">||</span> <span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">6</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">400</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Bad request</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">getUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">admin</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">)</span> <span class="p">.</span><span class="nx">select</span><span class="p">()</span> <span class="p">.</span><span class="nx">or</span><span class="p">(</span><span class="s2">`username.eq.</span><span class="p">${</span><span class="nx">body</span><span class="p">.</span><span class="nx">email_username</span><span class="p">}</span><span class="s2">,email.eq.</span><span class="p">${</span><span class="nx">body</span><span class="p">.</span><span class="nx">email_username</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">.</span><span class="nx">maybeSingle</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">getUser</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">405</span><span class="p">,</span> <span class="dl">'</span><span class="s1">User does not exist</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>Next, we will compare the input and the saved password.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">user_data</span> <span class="o">=</span> <span class="nx">getUser</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Users_Table</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">authenticated</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nx">compare</span><span class="p">(</span><span class="nx">body</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">password</span><span class="p">);</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">authenticated</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Incorrect password</span><span class="dl">'</span><span class="p">);</span> </code></pre> </div> <p>And finally, do the same thing as creating a new account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">refresh_token</span> <span class="o">=</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">refresh_token</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">user_id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">email</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">sign</span><span class="p">(</span><span class="nx">user</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">expiresIn</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">}</span><span class="s2">`</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`refresh_token=</span><span class="p">${</span><span class="nx">refresh_token</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="nx">refresh_token_expiresIn</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span><span class="p">}</span><span class="s2">; Path=/; </span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="s2">`token=</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span> <span class="p">]</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h2> V. Authenticating users </h2> <p>While we can use hooks to read the JWT token (like in this <a href="https://dev.to/pilcrowonpaper/saving-users-preferences-in-sveltekit-3b37">article</a> I wrote), we can’t generate (and set) a new JWT token with it. So, we will call an endpoint, which will read the cookie and validate it, and return the user’s data if they exist. This endpoint will also handle refreshing sessions. This endpoint will be called <code>/api/auth.ts</code>.</p> <p>We can get the cookie, if valid, return the user’s data. If it isn’t valid, <code>verify()</code> will throw an error.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">export</span> <span class="kd">const</span> <span class="kd">get</span><span class="p">:</span> <span class="nx">RequestHandler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span><span class="p">,</span> <span class="nx">refresh_token</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">cookie</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span><span class="p">);</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">key</span><span class="p">)</span> <span class="k">as</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">any</span><span class="p">,</span> <span class="kr">any</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">user</span> <span class="p">};</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">{</span> <span class="c1">// invalid or expired token</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If the JWT token has expired, we can validate the refresh token with the one in our database. If it is the same, we can create a new JWT token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">refresh_token</span><span class="p">)</span> <span class="k">return</span> <span class="nx">returnError</span><span class="p">(</span><span class="mi">401</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Unauthorized user</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">getUser</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">admin</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nx">select</span><span class="p">().</span><span class="nx">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">refresh_token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">refresh_token</span><span class="p">).</span><span class="nx">maybeSingle</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">getUser</span><span class="p">.</span><span class="nx">data</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// remove invalid refresh token</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`refresh_token=; Max-Age=0; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span> <span class="p">]</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">user_data</span> <span class="o">=</span> <span class="nx">getUser</span><span class="p">.</span><span class="nx">data</span> <span class="k">as</span> <span class="nx">Users_Table</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">new_user</span> <span class="o">=</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">username</span><span class="p">,</span> <span class="na">user_id</span><span class="p">:</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">user_id</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">user_data</span><span class="p">.</span><span class="nx">email</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nx">sign</span><span class="p">(</span><span class="nx">new_user</span><span class="p">,</span> <span class="nx">key</span><span class="p">,</span> <span class="p">{</span> <span class="na">expiresIn</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">}</span><span class="s2">`</span> <span class="p">});</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`token=</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">15</span> <span class="o">*</span> <span class="mi">60</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span> <span class="p">]</span> <span class="p">},</span> <span class="p">};</span> </code></pre> </div> <h2> VI. Authorizing users </h2> <p>To authorize a user, we can check send a request to <code>/api/auth</code> in the load function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// index.sve;te</span> <span class="c1">// inside &lt;script context="module" lang="ts"/&gt;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">load</span><span class="p">:</span> <span class="nx">Load</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">input</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">input</span><span class="p">.</span><span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">(</span><span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nx">json</span><span class="p">())</span> <span class="k">as</span> <span class="nx">Session</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">user</span><span class="p">.</span><span class="nx">user_id</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// user doesn't exist</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">302</span><span class="p">,</span> <span class="na">redirect</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/signin</span><span class="dl">'</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <h2> VII. Signing out </h2> <p>To sign out, just delete the user’s JWT and refresh token.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="c1">// /api/signout.ts</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">post</span> <span class="p">:</span> <span class="nx">RequestHandler</span> <span class="o">=</span> <span class="k">async</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`refresh_token=; Max-Age=0; Path=/; </span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="s2">`token=; Max-Age=0; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span> <span class="p">]</span> <span class="p">}</span> <span class="p">};</span> <span class="p">};</span> </code></pre> </div> <h2> VIII. Revoking user access </h2> <p>To revoke a user’s access, simply change the user’s refresh token in the database. Keep in mind that the user will stay logged in for up to 15 minutes (until the JWT expires).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight tsx"><code><span class="kd">const</span> <span class="nx">new_refresh_token</span> <span class="o">=</span> <span class="nx">randomUUID</span><span class="p">();</span> <span class="k">await</span> <span class="nx">admin</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">'</span><span class="s1">users</span><span class="dl">'</span><span class="p">).</span><span class="nx">update</span><span class="p">({</span> <span class="na">refresh_token</span><span class="p">:</span> <span class="nx">new_refresh_token</span> <span class="p">}).</span><span class="nx">eq</span><span class="p">(</span><span class="dl">"</span><span class="s2">refresh_token</span><span class="dl">"</span><span class="p">,</span> <span class="nx">refresh_token</span><span class="p">);</span> </code></pre> </div> <p>This is the basics, but if you understood this, implementing profile updates and other features should be pretty straight forward. Maybe an article about email verification could be interesting...</p> svelte javascript tutorial Saving users’ preferences in SvelteKit pilcrowOnPaper Wed, 30 Mar 2022 12:19:00 +0000 https://dev.to/pilcrowonpaper/saving-users-preferences-in-sveltekit-3b37 https://dev.to/pilcrowonpaper/saving-users-preferences-in-sveltekit-3b37 <p>This is a quick tutorial on saving users preferences in SvelteKit. </p> <p>There are 2 ways one might approach this. First is implementing an auth system. But, that might be overkill so another way is to save it locally. Let’s go with that.</p> <p>So something like this... (I’ll be using <a href="https://github.com/js-cookie/js-cookie">this</a> package to simplify the code)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">let</span> <span class="nx">name</span> <span class="p">:</span> <span class="kr">string</span> <span class="kd">const</span> <span class="nx">saveName</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">Cookie</span><span class="p">.</span><span class="kd">set</span><span class="p">(</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">,</span> <span class="nx">name</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;input</span> <span class="na">bind:value=</span><span class="s">{name}/</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">on:click=</span><span class="s">{saveName}</span><span class="nt">&gt;</span>save<span class="nt">&lt;/button&gt;</span> </code></pre> </div> <p>Well, that was easy. </p> <p>But a small problem arises when we want to display it.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">onMount</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">name</span> <span class="o">=</span> <span class="nx">Cookie</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">)</span> <span class="p">})</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;p&gt;</span>{name}<span class="nt">&lt;/p&gt;</span> </code></pre> </div> <p>This works, but since we have to wait for <code>document</code> to load, we need to use <code>onMount()</code>. That means, there will be a split second after the page loads where <code>name = undefined</code>. This won’t be a big problem in this case, but if it were saving user’s light/dark theme preference, it’ll lead to a quite negative UX. This will also happen if we rely on something like Firebase auth, since it also has a dependency on <code>window</code>/<code>document</code>.</p> <p>To solve this, we can read the cookie in the server before the page fully loads. </p> <p>First, let’s read the cookie with <a href="https://kit.svelte.dev/docs/hooks">hooks</a>. This <code>handle()</code> function runs every time SvelteKit receives a request. We’ll use the <a href="https://github.com/jshttp/cookie">cookie</a> package to make cookie-parsing easier.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cookie</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cookie</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handle</span> <span class="p">:</span> <span class="nx">Handle</span> <span class="o">=</span> <span class="k">async</span> <span class="p">({</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">resolve</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">cookie</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="kd">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span><span class="p">)</span> <span class="k">as</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="nx">name</span><span class="p">)</span> <span class="p">{</span> <span class="nx">event</span><span class="p">.</span><span class="nx">locals</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">};</span> <span class="p">}</span> <span class="k">return</span> <span class="k">await</span> <span class="nx">resolve</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Next, we have to send this to the frontend. One way of doing it, is to use the <a href="https://kit.svelte.dev/docs/hooks#getsession">session</a> object, which can be read in the <a href="https://kit.svelte.dev/docs/loading">load</a> function. We can set the session object using <a href="https://kit.svelte.dev/docs/loading">getSession()</a>. Since <code>event</code> first passed the handle function, it includes <code>name</code> in <code>locals</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">getSession</span> <span class="p">:</span> <span class="nx">GetSession</span> <span class="o">=</span> <span class="k">async</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">locals</span> <span class="k">as</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">;</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">name</span><span class="p">)</span> <span class="k">return</span> <span class="p">{};</span> <span class="k">return</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">};</span> <span class="p">}</span> </code></pre> </div> <p>Finally, we can get the <code>session</code> object in the load function like below.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="kd">const</span> <span class="nx">load</span> <span class="p">:</span> <span class="nx">Load</span> <span class="o">=</span> <span class="k">async</span> <span class="p">({</span> <span class="nx">session</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">session</span> <span class="k">as</span> <span class="nb">Partial</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">name</span><span class="p">:</span> <span class="kr">string</span> <span class="p">}</span><span class="o">&gt;</span> <span class="k">return</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="nx">name</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Here’s a simple project of mine that implements this:</p> <p>URL: <a href="https://niagara.vercel.app/">https://niagara.vercel.app</a></p> <p>Github: <a href="https://github.com/pilcrowOnPaper/niagara">https://github.com/pilcrowOnPaper/niagara</a></p> javascript svelte tutorial ux SvelteKit + Firebase: Authentication, protected routes, and persistent login pilcrowOnPaper Sat, 19 Feb 2022 11:06:47 +0000 https://dev.to/pilcrowonpaper/sveltekit-firebase-authentication-protected-routes-and-persistent-login-dk3 https://dev.to/pilcrowonpaper/sveltekit-firebase-authentication-protected-routes-and-persistent-login-dk3 <p>Hi! I'm new to SvelteKit (and programming in general) but there seems to be a lack of tutorials/guides for SvelteKit so here's my contribution. We will create a server-rendered website with authentication and protected routes using firebase. At the end, we'll deploy to Vercel since many tutorials miss that part. (+Tailwind CSS so it'll look decent)</p> <h2> Before we start... </h2> <h3> Why? </h3> <p>Of course there aren’t many resources on SvelteKit but more importantly, there’s even less resource on using Firebase with SSR. More specifically, Firebase’s auth tokens expire after an hour. And while Firebase does refresh them automatically, it only does it in the frontend. Say you have a website with 2 pages:</p> <ul> <li>A login page where authenticated users are redirected to the member-only page</li> <li>A member-only page where unauthenticated users are redirected to the login page</li> </ul> <p>that has a system that saves the user’s firebase token as a cookie (JWT). If a user comes back after a while, the user will be sent back to the login page, wait a few seconds for the token to be refreshed by Firebase, and sent back to the member-only page. We want to avoid that.</p> <h3> How will it work? </h3> <p>So there will be 3 pages: a login, signup, and member-only page. When a user creates a new account, 2 cookies will be created. The first is an auth token, which will expire in an hour. The second is a refresh token that can be used to create new auth tokens. When a user tries to access a page, we will check the validity of the auth token, and if it’s expired, create a new one with the refresh token.</p> <p>If you have, for example, set up Firestore security rules, you’ll still need to login the user using client-side Firebase. Fortunately, we can login using the auth token acquired from the backend. </p> <h3> Quick side-note(s) </h3> <p>If you wondered why we can’t just use <code>onAuthStateChanged()</code> , Firebase has a dependency on <code>window</code>. That means it only runs after the page is rendered. We want to check the user and get their data when SvelteKit is rendering the page in the server. </p> <h2> I. Set up </h2> <p><a href="https://kit.svelte.dev/docs/introduction" rel="noopener noreferrer">Create a skeleton SvelteKit project</a> and <a href="https://tailwindcss.com/docs/guides/sveltekit" rel="noopener noreferrer">add Tailwind CSS</a>. Run <code>npm run dev</code> to make sure it's working. Add <code>src/lib</code> folder and we will out out js/ts files inside it.</p> <p>We'll create 3 pages:</p> <ul> <li> <code>src/routes/index.svelte</code>: member-only page</li> <li> <code>src/routes/login.svelte</code>: login page</li> <li> <code>src/routes/signup.svelte</code>: for new users</li> </ul> <p>and your <code>src</code> folder should look something like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code> src |-lib |-routes |-__layout.svelte |-index.svelte |-login.svelte |-signup.svelte |-app.css |-app.dts |-app.html </code></pre> </div> <p>The login page will take 2 user inputs (<code>email</code>, <code>passwors</code>) and the signup page with take 3 inputs (<code>username</code>, <code>email</code>, <code>password</code>). You can add additional user data if you want. Here’s some screenshots for reference:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwwek39qoecd8d953jdi.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqwwek39qoecd8d953jdi.png" alt="/login"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa609kt6wxa9ctcz857gf.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fa609kt6wxa9ctcz857gf.png" alt="/signup"></a></p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8fw4xa5uix5a31g9qlgg.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F8fw4xa5uix5a31g9qlgg.png" alt="/"></a></p> <p>After that we will create 3 endpoints:</p> <ul> <li> <code>src/routes/api/auth.json.js</code>: Authenticating the user</li> <li> <code>src/routes/api/new-user.json.js</code>: Creating a new account</li> <li> <code>src/routes/api/signout.json.js</code>: Signing out the user</li> </ul> <h2> II. Adding Firebase </h2> <p>Install <code>firebase</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="nx">npm</span> <span class="nx">install</span> <span class="nx">firebase</span> </code></pre> </div> <p>If you haven’t done it yet, create a Firebase account and a new project. Enable Firebase authentication and email/password authentication in ‘Sign-in providers’. Go to (Settings) &gt; ‘Project settings’ and copy your <code>firebaseConfig</code>. In a new folder called <code>src/lib/firebase.js</code> paste it like this:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">initializeApp</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">firebase/app</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getAuth</span><span class="p">,</span> <span class="nx">setPersistence</span><span class="p">,</span> <span class="nx">browserSessionPersistence</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">firebase/auth</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">firebaseConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">apiKey</span><span class="p">:</span> <span class="p">[</span><span class="nx">API_KEY</span><span class="p">],</span> <span class="na">authDomain</span><span class="p">:</span> <span class="p">[</span><span class="nx">AUTH_DOMAIN</span><span class="p">],</span> <span class="na">projectId</span><span class="p">:</span> <span class="p">[</span><span class="nx">PROJECT_ID</span><span class="p">],</span> <span class="na">storageBucket</span><span class="p">:</span> <span class="p">[</span><span class="nx">STORAGE_BUCKET</span><span class="p">],</span> <span class="na">messagingSenderId</span><span class="p">:</span> <span class="p">[</span><span class="nx">MESSAGING_SENDER_ID</span><span class="p">],</span> <span class="na">appId</span><span class="p">:</span> <span class="p">[</span><span class="nx">APP_ID</span><span class="p">]</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="nf">initializeApp</span><span class="p">(</span><span class="nx">firebaseConfig</span><span class="p">,</span> <span class="dl">"</span><span class="s2">CLIENT</span><span class="dl">"</span><span class="p">);</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nf">getAuth</span><span class="p">(</span><span class="nx">app</span><span class="p">)</span> <span class="nf">setPersistence</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">browserSessionPersistence</span><span class="p">)</span> </code></pre> </div> <p>You don’t have to hide it but if you’re worried use env variables. Make sure to name your <code>app</code> <code>CLIENT</code> since we will initialize another app. I also set persistence to <code>browserSessionPersistence</code> just in case to prevent unintended behavior. It makes your client side auth session (the one mentioned in ‘How does it work?’ and not the entire auth session) only last until the user closes their browser. </p> <p>Next we’ll set up Firebase Admin. (Settings) &gt; ‘Project settings’ &gt; ‘Service accounts’ and click ‘Generate new private key’ to download JSON with you config. Add that JSON file in your project file and initialize it in <code>src/lib/firebase-admin.json</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="nx">admin</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">firebase-admin</span><span class="dl">"</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">credential</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">[PATH_TO_JSON_FILE.json]</span><span class="dl">"</span> <span class="nx">admin</span><span class="p">.</span><span class="nf">initializeApp</span><span class="p">({</span> <span class="na">credential</span><span class="p">:</span> <span class="nx">admin</span><span class="p">.</span><span class="nx">credential</span><span class="p">.</span><span class="nf">cert</span><span class="p">(</span><span class="nx">credential</span><span class="p">)</span> <span class="p">});</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="nx">admin</span><span class="p">.</span><span class="nx">auth</span> </code></pre> </div> <h2> III. Creating a new account </h2> <p>When a user creates a new account, send their username, email, and password in a POST request to ‘/api/new-user.json’. The endpoint will:</p> <ol> <li>Create a new account</li> <li>Set custom claims of the user (custom claims are user data that you can add)</li> <li>Sign in as the user</li> <li>Create a custom token</li> <li>Set custom token and refresh token as cookie</li> </ol> <p>You’ll need to get an API key from ‘Web API key’ in (Setting) &gt; ‘Project settings’. </p> <p><code>src/routes/api/new-user/json.js</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/env</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/firebase-admin</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="p">[</span><span class="nx">WEB_API_KEY</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">secure</span> <span class="o">=</span> <span class="nx">dev</span> <span class="p">?</span> <span class="dl">''</span> <span class="p">:</span> <span class="dl">'</span><span class="s1"> Secure;</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">username</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">userRecord</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">createUser</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="na">displayName</span><span class="p">:</span> <span class="nx">username</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">uid</span> <span class="o">=</span> <span class="nx">userRecord</span><span class="p">.</span><span class="nx">uid</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">setCustomUserClaims</span><span class="p">(</span><span class="nx">uid</span><span class="p">,</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">early_access</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">signIn_res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="dl">'</span><span class="s1">returnSecureToken</span><span class="dl">'</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signIn_res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">signIn_res</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">signIn_res</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">customToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">createCustomToken</span><span class="p">(</span><span class="nx">uid</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`customToken=</span><span class="p">${</span><span class="nx">customToken</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">55</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="s2">`refreshToken=</span><span class="p">${</span><span class="nx">refreshToken</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">30</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="p">],</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">no-store</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>‘identitytoolkit.googleapis.com’ is Firebase/Google’s authentication REST API. There’s 3 token types of tokens:</p> <ul> <li>Custom token (<code>customToken</code>): This is an auth token that can be verified by Firebase to authenticate a user, and can be used to login the user in the client. Can be created from the user’s UID. Expires in an hour.</li> <li>Id Token (<code>idToken</code>): This is a token that is used to interact with the REST api. This is usually hidden when using Firebase Admin. Can also be used the authenticate the user. This can be acquired from requesting the user’s data using the REST api (eg. <code>signIn_res</code>). Expires in an hour.</li> <li>Refresh token: This is an auth token that can be exchanged to create a new Id Token (which allows us to create a new custom token). Expires in about a year.</li> </ul> <p>Cookies must be a ‘http-only’ cookie and ‘Secure’ (only in production) for security. This makes sure your servers are the only thing that can read and write your cookie. </p> <p>In <code>src/routes/signup.svelte</code> :</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">goto</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/navigation</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">username</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">email</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">password</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">error</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">signup</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">username</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">4</span><span class="p">)</span> <span class="k">return </span><span class="p">(</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">username must be at least 4 characters long</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">))</span> <span class="k">return </span><span class="p">(</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">invalid email</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">6</span><span class="p">)</span> <span class="k">return </span><span class="p">(</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">password must be at least 6 characters long</span><span class="dl">'</span><span class="p">);</span> <span class="nx">error</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">signUp_res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/new-user.json`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">({</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}),</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">same-origin</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">username</span> <span class="p">})</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signUp_res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">return </span><span class="p">(</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">An error occured; please try again.</span><span class="dl">'</span><span class="p">);</span> <span class="nf">goto</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h2> III. Login </h2> <p>To login, send a POST request with the user’s email and password to ‘/api/auth.json’ . </p> <ol> <li>Login</li> <li>Create a new custom token</li> <li>Set the custom token and the refresh token as cookies</li> </ol> <p>In the code below, the refresh token is set to expire in 30 days (=</p> <p><code>src/routes/api/auth.json.js</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/env</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">auth</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/firebase-admin</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">cookie</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">cookie</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">key</span> <span class="o">=</span> <span class="p">[</span><span class="nx">WEB_API_KEY</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">secure</span> <span class="o">=</span> <span class="nx">dev</span> <span class="p">?</span> <span class="dl">''</span> <span class="p">:</span> <span class="dl">'</span><span class="s1"> Secure;</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">signIn_res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://identitytoolkit.googleapis.com/v1/accounts:signInWithPassword?key=</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">,</span> <span class="na">returnSecureToken</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signIn_res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="nx">signIn_res</span><span class="p">.</span><span class="nx">status</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">localId</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">signIn_res</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">customToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">createCustomToken</span><span class="p">(</span><span class="nx">localId</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// Max-age : seconds</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`refreshToken=</span><span class="p">${</span><span class="nx">refreshToken</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">30</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="s2">`customToken=</span><span class="p">${</span><span class="nx">customToken</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">55</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="p">],</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">no-store</span><span class="dl">'</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><code>src/routes/api/login.svelte</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">goto</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/navigation</span><span class="dl">'</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">email</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">password</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">error</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">login</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">@</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="o">!</span><span class="nx">email</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">))</span> <span class="k">return </span><span class="p">(</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">invalid email</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">password</span><span class="p">.</span><span class="nx">length</span> <span class="o">&lt;</span> <span class="mi">6</span><span class="p">)</span> <span class="k">return </span><span class="p">(</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">password must be at least 6 characters long</span><span class="dl">'</span><span class="p">);</span> <span class="nx">error</span> <span class="o">=</span> <span class="dl">''</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">signIn_res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/auth.json`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">({</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}),</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">same-origin</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">})</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">signIn_res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">return </span><span class="p">(</span><span class="nx">error</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">User does not exist or incorrect password</span><span class="dl">'</span><span class="p">);</span> <span class="nf">goto</span><span class="p">(</span><span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <p>I also added a few lines of code to check for obvious mistakes.</p> <h2> IV. Authenticating users </h2> <p>To authenticate a user, we will send a GET request to ‘/api/auth.json’. </p> <ol> <li>Verify the user’s custom token</li> <li>If verified, send the user’s data in the body</li> <li>If not, delete the the user’s refresh token</li> </ol> <p><code>src/routes/api/auth.json.js</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">export</span> <span class="kd">const</span> <span class="kd">get</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">customToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">cookie</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">refreshToken</span><span class="p">)</span> <span class="k">return</span> <span class="nf">return401</span><span class="p">()</span> <span class="kd">let</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{}</span> <span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">customToken</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">()</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">verifyIdToken</span><span class="p">(</span><span class="nx">customToken</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nf">return401</span><span class="p">()</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">},</span> <span class="nx">headers</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">return401</span> <span class="o">=</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`refreshToken=; Max-Age=0; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">no-store</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>But, this is inadequate as this won’t work when the custom token has expired. When the token has expired, <code>auth().verifyIdToken()</code> will throw an error.</p> <ol> <li>Get a new id token from the refresh token using the REST api</li> <li>Verify the newly acquired id token to get the user’s data</li> <li>Using the UID acquired from 2, create a new custom token</li> <li>Override the existing cookie and return the user’s data in the body</li> </ol> <p>We also get a new custom token from step 1, but it will be the same unless it has expired. We send an error (=logout) if it is different because, at the moment, SvelteKit can only set 1 cookie in the load function.</p> <p><code>src/routes/api/auth.json.js</code></p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">export</span> <span class="kd">const</span> <span class="kd">get</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">refreshToken</span><span class="p">,</span> <span class="nx">customToken</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">cookie</span><span class="p">.</span><span class="nf">parse</span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">cookie</span><span class="dl">'</span><span class="p">)</span> <span class="o">||</span> <span class="dl">''</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">refreshToken</span><span class="p">)</span> <span class="k">return</span> <span class="nf">return401</span><span class="p">()</span> <span class="kd">let</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{}</span> <span class="kd">let</span> <span class="nx">user</span> <span class="o">=</span> <span class="p">{}</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">customToken</span><span class="p">)</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">()</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">verifyIdToken</span><span class="p">(</span><span class="nx">customToken</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// if token is expired, exchange refresh token for new token</span> <span class="kd">const</span> <span class="nx">refresh_res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`https://identitytoolkit.googleapis.com/v1/token?key=</span><span class="p">${</span><span class="nx">key</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="na">body</span><span class="p">:</span> <span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">({</span> <span class="na">grant_type</span><span class="p">:</span> <span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">:</span> <span class="nx">refreshToken</span> <span class="p">})</span> <span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">refresh_res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">return</span> <span class="nf">return401</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">tokens</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">refresh_res</span><span class="p">.</span><span class="nf">json</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">idToken</span> <span class="o">=</span> <span class="nx">tokens</span><span class="p">[</span><span class="dl">'</span><span class="s1">id_token</span><span class="dl">'</span><span class="p">]</span> <span class="k">if </span><span class="p">(</span><span class="nx">tokens</span><span class="p">[</span><span class="dl">'</span><span class="s1">refresh_token</span><span class="dl">'</span><span class="p">]</span> <span class="o">!==</span> <span class="nx">refreshToken</span><span class="p">)</span> <span class="k">return</span> <span class="nf">return401</span><span class="p">()</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">user</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">verifyIdToken</span><span class="p">(</span><span class="nx">idToken</span><span class="p">)</span> <span class="nx">customToken</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">auth</span><span class="p">().</span><span class="nf">createCustomToken</span><span class="p">(</span><span class="nx">user</span><span class="p">.</span><span class="nx">uid</span><span class="p">)</span> <span class="nx">headers</span> <span class="o">=</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`customToken=</span><span class="p">${</span><span class="nx">customToken</span><span class="p">}</span><span class="s2">; Max-Age=</span><span class="p">${</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">55</span><span class="p">}</span><span class="s2">; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly;`</span><span class="p">,</span> <span class="p">],</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">no-store</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nf">return401</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="nx">user</span><span class="p">,</span> <span class="nx">customToken</span> <span class="p">},</span> <span class="nx">headers</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> V. Authorizing users </h2> <p>To redirect unauthenticated users in ‘/’, we can create a load function that sends a GET request to ‘/api/auth.json’. The load function is a function inside <code>context="module"</code> script and runs before the page renders. We also need to import and use SvelteKit’s <code>fetch()</code> since the usual <code>fetch()</code> doesn’t work as the load function runs before the page loads. </p> <ol> <li>Get the user’s data from ‘/api/auth.json’</li> <li>If unauthenticated, it will return a 401 status and redirect to ‘/login’ (make sure to add a 300 status!)</li> <li>Check for custom claims if necessary</li> <li>return the user’s data as props</li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="p">&lt;</span><span class="nt">script</span> <span class="na">context</span><span class="p">=</span><span class="s">"module"</span><span class="p">&gt;</span> export const load = async (<span class="si">{</span> <span class="nx">fetch</span> <span class="si">}</span>) =&gt; <span class="si">{</span> <span class="kd">const</span> <span class="nx">auth_res</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/auth.json</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">auth_res</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">302</span><span class="p">,</span> <span class="na">redirect</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">auth</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">auth_res</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="k">return</span> <span class="p">{</span> <span class="na">props</span><span class="p">:</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">user</span> <span class="na">customToken</span><span class="p">:</span> <span class="nx">auth</span><span class="p">.</span><span class="nx">customToken</span> <span class="p">}</span> <span class="p">};</span> <span class="si">}</span>; <span class="p">&lt;/</span><span class="nt">script</span><span class="p">&gt;</span> </code></pre> </div> <p>For the login/signup page where you only want unauthenticated users, replace <code>if (!auth_res.ok) {}</code> to <code>(auth_res.ok) {}</code>.</p> <h2> V. Signing out </h2> <p>To sign the user out, we just need to delete the cookies, which is possible setting the <code>Max-Age</code> to <code>0</code>. </p> <p><code>src/routes/api/signout.json.js</code>:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/env</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">post</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">secure</span> <span class="o">=</span> <span class="nx">dev</span> <span class="p">?</span> <span class="dl">''</span> <span class="p">:</span> <span class="dl">'</span><span class="s1"> Secure;</span><span class="dl">'</span> <span class="k">return</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">set-cookie</span><span class="dl">'</span><span class="p">:</span> <span class="p">[</span> <span class="s2">`customToken=_; Max-Age=0; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="s2">`refreshToken=_; Max-Age=0; Path=/;</span><span class="p">${</span><span class="nx">secure</span><span class="p">}</span><span class="s2"> HttpOnly`</span><span class="p">,</span> <span class="p">],</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">no-store</span><span class="dl">'</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>And you can sign out by calling this function:</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="kd">const</span> <span class="nx">logout</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">auth</span><span class="p">.</span><span class="nf">signOut</span><span class="p">();</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="s2">`/api/signout.json`</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="k">new</span> <span class="nc">Headers</span><span class="p">({</span> <span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}),</span> <span class="na">credentials</span><span class="p">:</span> <span class="dl">'</span><span class="s1">same-origin</span><span class="dl">'</span> <span class="p">});</span> <span class="nf">goto</span><span class="p">(</span><span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">);</span> <span class="p">};</span> </code></pre> </div> <h2> Using Firestore </h2> <p>If you’re going to use Firestore with security rules, you’ll need to login using the custom token (<code>customToken</code> prop).</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">export</span> <span class="kd">let</span> <span class="nx">customToken</span> <span class="o">=</span> <span class="dl">""</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">signInWithCustomToken</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">firebase/auth</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">initialize</span> <span class="o">=</span> <span class="k">async </span><span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userCredential</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">signInWithCustomToken</span><span class="p">(</span><span class="nx">auth</span><span class="p">,</span> <span class="nx">customToken</span><span class="p">)</span> <span class="c1">// firestore stuff here</span> <span class="p">};</span> </code></pre> </div> <p>If a user stays for more than an hour and the token expires, firebase will automatically renew the user’s session. This won’t be an issue as the refresh token won’t change.</p> <h2> Deploying to Vercel </h2> <p>It’s very simple to deploy to Vercel, and while other services like Netlify exists, Vercel is faster (at least where I live). Anyway, they’re both easy to use and SvelteKit supports many other platforms. </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> npm i @sveltejs/adapter-vercel </code></pre> </div> <p>Edit your <code>svelte.config.js</code> :</p> <div class="highlight js-code-highlight"> <pre class="highlight jsx"><code> <span class="k">import</span> <span class="nx">vercel</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/adapter-vercel</span><span class="dl">'</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="c1">//...</span> <span class="na">kit</span><span class="p">:</span> <span class="p">{</span> <span class="na">adapter</span><span class="p">:</span> <span class="nf">vercel</span><span class="p">()</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <p>Upload to Github and connect Vercel to your repository. Remember to add you domain to Firebase Auth (Authentication &gt; Sign in method &gt; Authorized domain). That should work!</p> <p>Thanks for reading!</p> svelte firebase javascript tutorial