The latest articles on DEV Community by Ryan Bethel (@ryanbethel). https://dev.to/ryanbethel https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F150450%2Fc9beb6ce-35aa-441d-a6fc-1007b2ad5fcb.jpeg https://dev.to/ryanbethel en Ryan Bethel Fri, 16 Jun 2023 19:42:01 +0000 https://dev.to/ryanbethel/oauth-authentication-53a2 https://dev.to/ryanbethel/oauth-authentication-53a2 <p>More and more of our lives take place online. With more services come more passwords and usernames to keep track of. OAuth lets users authenticate to a new service using a previously established identity on another service. This final post in our Authentication series shows how to use OAuth with Enhance apps to authenticate new users.</p> <p>Authentication can be intimidating. Not necessarily because it is hard to understand, but more because it feels like the consequences of making a mistake are high. This is one of the reasons that people choose OAuth. It allows you to rely on another service (i.e., GitHub, Google, etc.) to establish a user's identity and store the relevant information for their account. While that is true and beneficial, it is important to understand how this process works so that your interface with the 3rd party provider, and the portion of user details transferred to your app, remain secure.</p> <h2> TL;DR </h2> <p>OAuth is a specification that allows a user to establish their identity for one site by logging in on a third-party site. That third-party provider is trusted to vouch for the user while only providing the account details that the user approves to be shared. The rest of this post and sample code uses GitHub as the example third-party provider. If a user visits the site example.com to create a new account. They are saying “You don’t know me, but GitHub does and they will vouch for me.” Example.com then redirects the user to GitHub where they are asked to log in to prove their identity. After that GitHub sends the user back to example.com with a code that can be used to verify successful login to GitHub. The example.com server can then send this code/token to GitHub and receive verification that that is a legitimate GitHub account. Example.com will then use the GitHub username to identify the new account.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Fhwo3-Ql--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t4crlsq1msre9tlb8tx5.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Fhwo3-Ql--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/t4crlsq1msre9tlb8tx5.png" alt="OAuth Sequence Diagram" width="561" height="483"></a></p> <h2> GitHub OAuth Keys </h2> <p>Using OAuth requires setting up the 3rd party provider to work with your app. For GitHub, you need to do the following:</p> <ol> <li><strong>Sign in to GitHub</strong></li> <li> <strong>Navigate to Settings</strong>: Click on your profile photo in the top right corner and select 'Settings' from the dropdown menu.</li> <li> <strong>Go to Developer Settings</strong>: Scroll down the user settings sidebar and click on 'Developer settings'.</li> <li> <strong>Create a New OAuth App</strong>: Click on 'OAuth Apps' in the left sidebar and then click on the 'New OAuth App' button.</li> <li> <strong>Fill in the App Details</strong>: <ul> <li>'Authorization callback URL': The URL where users are sent after they authorize with GitHub. It can be the main URL for the whole application.</li> </ul> </li> <li><strong>Register the App</strong></li> <li> <strong>Copy the Client ID and Client Secret into environment variables</strong> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">OAUTH_CLIENT_ID</span><span class="o">=</span>key <span class="nv">OAUTH_CLIENT_SECRET</span><span class="o">=</span>secret <span class="nv">OAUTH_AUTHORIZE_URL</span><span class="o">=</span>https://github.com/login/oauth/authorize <span class="nv">OAUTH_TOKEN_URL</span><span class="o">=</span>https://github.com/login/oauth/access_token <span class="nv">OAUTH_USERINFO_URL</span><span class="o">=</span>https://api.github.com/user </code></pre> </div> <p>Make sure to keep the Client Secret a secret. If it is compromised anyone can impersonate your app. In addition to the API keys, create environment variables for the OAuth endpoints. The example above includes the endpoints and corresponding environment variables for GitHub.</p> <p>If there are several environments for your app (i.e., staging and production) they will each need to have a separate OAuth app setup. These cannot share keys because the app configuration tells GitHub the URL it is allowed to redirect users back to. If your staging environment is located at <code>https://staging.example.com</code> and your production app is at <code>https://example.com</code> each will need separate API keys.</p> <h2> Local development without GitHub API keys </h2> <p>Local development is an important part of developing apps rapidly. Waiting for the deployment process can take minutes. This will drastically slow you down if you deploy your app to test every minor change. It is possible and often desirable to set up full OAuth even for your testing environment to reduce the difference between these environments. But to start with, it is nice to skip the GitHub dashboard clicking and get right to building. If no environment variables and Keys for OAuth are provided, the authentication code uses a mock endpoint to simulate the 3rd party provider. This mock endpoint uses <code>/_mock-oauth</code>. This code is not critical to the authentication. It can be removed. It is important to note that this mock behavior provides no real security and should not be substituted for a trusted 3rd party provider.</p> <h2> GitHub Login Button </h2> <p>The first step to logging in with OAuth is to set up a link to serve to the user that will initiate the authentication.<br> The function below will generate the necessary login URL.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">useMock</span> <span class="o">=</span> <span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_CLIENT_ID</span> <span class="o">||</span> <span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_CLIENT_SECRET</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="nx">isLocal</span> <span class="p">?</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DOMAIN_NAME</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">http://localhost:3333</span><span class="dl">'</span> <span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DOMAIN_NAME</span> <span class="kd">let</span> <span class="nx">urls</span> <span class="k">if</span> <span class="p">(</span><span class="nx">isLocal</span> <span class="o">&amp;&amp;</span> <span class="nx">useMock</span><span class="p">)</span> <span class="p">{</span> <span class="nx">urls</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authorizeUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/_mock-oauth/login`</span><span class="p">,</span> <span class="na">redirectUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/oauth`</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">urls</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authorizeUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_AUTHORIZE_URL</span><span class="p">,</span> <span class="na">redirectUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/oauth`</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nx">loginHref</span><span class="p">({</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">newRegistration</span> <span class="o">=</span> <span class="dl">''</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">oauthState</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">redirectAfterAuth</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">newRegistration</span><span class="p">)</span> <span class="nx">oauthState</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">redirectAfterAuth</span><span class="p">,</span> <span class="nx">newRegistration</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">redirectUrlPart</span> <span class="o">=</span> <span class="nx">urls</span><span class="p">.</span><span class="nx">redirectUrl</span> <span class="p">?</span> <span class="s2">`&amp;redirect_uri=</span><span class="p">${</span><span class="nb">encodeURIComponent</span><span class="p">(</span><span class="nx">urls</span><span class="p">.</span><span class="nx">redirectUrl</span><span class="p">)}</span><span class="s2">`</span> <span class="p">:</span> <span class="dl">''</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">urls</span><span class="p">.</span><span class="nx">authorizeUrl</span><span class="p">}</span><span class="s2">?client_id=</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_CLIENT_ID</span> <span class="p">}${</span><span class="nx">redirectUrlPart</span><span class="p">}${</span><span class="nx">redirectAfterAuth</span> <span class="p">?</span> <span class="s2">`&amp;state=</span><span class="p">${</span><span class="nb">encodeURIComponent</span><span class="p">(</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">stringify</span><span class="p">(</span><span class="nx">oauthState</span><span class="p">)</span> <span class="p">)}</span><span class="s2">`</span> <span class="p">:</span> <span class="dl">''</span> <span class="p">}</span><span class="s2">`</span> <span class="p">}</span> </code></pre> </div> <p>It uses the <code>DOMAIN_NAME</code> and <code>OAUTH</code> environment variables to create the required URL. It also points authentication to the mock routes if the app is local and not configured with a provider. The function can be imported in any API handler route, as shown below, to create this “Log in with GitHub” URL.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">loginHref</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../auth-shared/login-href.mjs</span><span class="dl">'</span> </code></pre> </div> <h2> OAuth log in </h2> <p>When login is initiated using the link to GitHub, the flow falls under the control of GitHub. If that GitHub login is successful, GitHub returns a <code>code</code> token to the user and redirects them to the server. The code below shows the handler for that endpoint. If that <code>code</code> is in the request as a query parameter, the server will attempt to verify it with GitHub.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">getAccounts</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../../models/accounts.mjs</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">verifyOauth</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../../auth-shared/oauth-verify-code.mjs</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="kd">get</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">redirectAfterAuth</span><span class="p">:</span><span class="nx">sessionRedirectAfterAuth</span> <span class="o">=</span> <span class="dl">''</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">query</span><span class="p">:</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="nx">state</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">code</span><span class="p">){</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">redirectAfterAuth</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">state</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">parseState</span> <span class="o">=</span> <span class="nx">JSON</span><span class="p">.</span><span class="nx">parse</span><span class="p">(</span><span class="nx">state</span><span class="p">)</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="nx">parseState</span><span class="p">.</span><span class="nx">redirectAfterAuth</span> <span class="p">}</span> <span class="c1">// eslint-disable-next-line no-empty</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">redirect</span> <span class="o">=</span> <span class="nx">redirectAfterAuth</span> <span class="o">||</span> <span class="nx">sessionRedirectAfterAuth</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">oauthAccount</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">verifyOauth</span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">oauthAccount</span><span class="p">.</span><span class="nx">oauth</span><span class="p">.</span><span class="nx">github</span><span class="p">)</span> <span class="k">throw</span> <span class="nb">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">user not found</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">accounts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getAccounts</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">appUser</span> <span class="o">=</span> <span class="nx">accounts</span><span class="p">.</span><span class="nx">find</span><span class="p">(</span><span class="nx">a</span> <span class="o">=&gt;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">provider</span><span class="p">?.</span><span class="nx">github</span><span class="p">?.</span><span class="nx">login</span> <span class="o">===</span> <span class="nx">oauthAccount</span><span class="p">?.</span><span class="nx">oauth</span><span class="p">?.</span><span class="nx">github</span><span class="p">?.</span><span class="nx">login</span> <span class="o">&amp;&amp;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">authConfig</span><span class="p">?.</span><span class="nx">loginWith</span><span class="p">?.</span><span class="nx">github</span> <span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="nx">removePassword</span><span class="p">,</span> <span class="p">...</span><span class="nx">sanitizedAccount</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">appUser</span> <span class="o">||</span> <span class="p">{}</span> <span class="kd">const</span> <span class="nx">accountVerified</span> <span class="o">=</span> <span class="nx">appUser</span><span class="p">?.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span> <span class="o">||</span> <span class="nx">appUser</span><span class="p">?.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">appUser</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">accountVerified</span><span class="p">){</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">redirectAfterAuth</span><span class="p">:</span> <span class="nx">redirect</span><span class="p">,</span> <span class="na">unverified</span><span class="p">:</span><span class="nx">sanitizedAccount</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:{</span><span class="na">authorized</span><span class="p">:</span><span class="nx">sanitizedAccount</span><span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">code</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The function to verify the <code>code</code> token on GitHub is shown below. It first makes a POST request to exchange that <code>code</code> for a longer lived token. The server then uses that token to make a GET request for the profile information that the user has approved. In this example, only the <code>login</code> property is kept from the profile to identify the user account on your website.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">tiny</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">tiny-json-http</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">useMock</span> <span class="o">=</span> <span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_CLIENT_ID</span> <span class="o">||</span> <span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_CLIENT_SECRET</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="nx">isLocal</span> <span class="p">?</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DOMAIN_NAME</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">http://localhost:3333</span><span class="dl">'</span> <span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DOMAIN_NAME</span> <span class="kd">let</span> <span class="nx">urls</span> <span class="k">if</span> <span class="p">(</span><span class="nx">isLocal</span> <span class="o">&amp;&amp;</span> <span class="nx">useMock</span><span class="p">)</span> <span class="p">{</span> <span class="nx">urls</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authorizeUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/_mock-oauth/login`</span><span class="p">,</span> <span class="na">redirectUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/oauth`</span><span class="p">,</span> <span class="na">tokenUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/_mock-oauth/token`</span><span class="p">,</span> <span class="na">userInfoUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/_mock-oauth/user`</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">urls</span> <span class="o">=</span> <span class="p">{</span> <span class="na">authorizeUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_AUTHORIZE_URL</span><span class="p">,</span> <span class="na">redirectUrl</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}</span><span class="s2">/oauth`</span><span class="p">,</span> <span class="na">tokenUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_TOKEN_URL</span><span class="p">,</span> <span class="na">userInfoUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_USERINFO_URL</span><span class="p">,</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">oauth</span><span class="p">(</span><span class="nx">code</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="p">{</span> <span class="nx">code</span><span class="p">,</span> <span class="na">client_id</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_CLIENT_ID</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">client_secret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OAUTH_CLIENT_SECRET</span> <span class="o">||</span> <span class="dl">''</span><span class="p">,</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nx">urls</span><span class="p">.</span><span class="nx">redirectUrl</span><span class="p">,</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tiny</span><span class="p">.</span><span class="nx">post</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">urls</span><span class="p">.</span><span class="nx">tokenUrl</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Accept</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">},</span> <span class="nx">data</span> <span class="p">})</span> <span class="kd">let</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">result</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">access_token</span> <span class="kd">let</span> <span class="nx">userResult</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tiny</span><span class="p">.</span><span class="kd">get</span><span class="p">({</span> <span class="na">url</span><span class="p">:</span> <span class="nx">urls</span><span class="p">.</span><span class="nx">userInfoUrl</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="na">Authorization</span><span class="p">:</span> <span class="s2">`token </span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">Accept</span><span class="p">:</span> <span class="dl">'</span><span class="s1">application/json</span><span class="dl">'</span> <span class="p">}</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">login</span><span class="p">,</span> <span class="p">...</span><span class="nx">rest</span><span class="p">}</span> <span class="o">=</span> <span class="nx">userResult</span><span class="p">.</span><span class="nx">body</span> <span class="k">return</span> <span class="p">{</span> <span class="na">oauth</span><span class="p">:</span> <span class="p">{</span> <span class="na">github</span><span class="p">:</span> <span class="p">{</span><span class="nx">login</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Registration </h2> <p>New users registering with OAuth do not need to provide a username and password. In the example app they provide a display name and an email address or phone number as a means of resetting their account.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--PoJpIFH---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g97qjfvylzi18vmypgen.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--PoJpIFH---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g97qjfvylzi18vmypgen.png" alt="OAuth Registration" width="800" height="852"></a></p> <h2> Other OAuth providers </h2> <p>OAuth is an industry-standard <a href="https://oauth.net/2/">specification</a>. Most of this example code will work for any provider. There are however slight variations in the token exchange where the <code>code</code> is verified in exchange for a token to access user profiles. Tests are especially important when reimplementing this code with other providers.</p> <h2> Try it out </h2> <p>The code for the full example can be found at <a href="https://github.com/enhance-dev/enhance-auth">github.com/enhance-dev/enhance-auth</a>. Try out the deployed <a href="https://enhanceauth.com">example using GitHub OAuth</a>.</p> <h2> Next Step </h2> <p>This is the final post in the authentication series. The full example shows a complete solution that can be modified for most websites. Looking ahead there are a few features that would be nice to add. <a href="https://passkeys.dev/">Passkeys</a> are a popular topic with browser vendors promoting them as the password killer of the future. We will add support for Passkeys when they become widely supported. In the meantime, Pull Requests are welcome at <a href="https://github.com/enhance-dev/enhance-auth">github.com/enhance-dev/enhance-auth</a>.</p> enhance authentication Ryan Bethel Wed, 14 Jun 2023 13:26:29 +0000 https://dev.to/begin/authentication-with-magic-links-3hdk https://dev.to/begin/authentication-with-magic-links-3hdk <p>Websites should be secure. They should also be easy to use. These requirements seem at odds with many development decisions. Magic links are a popular authentication method that uses email (or phone) links to log in directly to a site. They are a good compromise between security and ease of use for most applications. This fourth installment of the series shows how to use magic links with Enhance and discusses some of the tradeoffs.</p> <h2> TL;DR </h2> <p>All of the pieces are already in place to log in with magic links. The previous posts covered registering a new user and verifying email address or phone number by sending links or codes. All that remains is to:</p> <ol> <li>Add a login form that asks for just the email or phone number to log in.</li> <li>Send a unique link to that email or a code to that phone number using the same process as verification.</li> <li>Once the link is clicked or the code is entered, the session is updated and the user is logged in.</li> </ol> <h2> Magic Link Login </h2> <p>One of the best features of this login is that it requires only a single input field.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--Vkj09F2a--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s5levbmumrf7dbuiint8.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--Vkj09F2a--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/s5levbmumrf7dbuiint8.png" alt="log in with magic link" width="800" height="391"></a></p> <p>After clicking on the link received by email, the server verifies the link. If it is valid, the session is updated to log the user in. They will then immediately see the following screen confirming they are authenticated.<br> That is it.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--lV8FKZIb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jsrhxzsdna0645aw1qij.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--lV8FKZIb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jsrhxzsdna0645aw1qij.png" alt="Log in success" width="800" height="268"></a></p> <p>The code for this login handler is below. This endpoint serves the form for entering an email address with an ordinary GET request. A POST request with that email will trigger a link to be sent by email. That link will return here with a token as a query parameter which can be verified. If that token is valid, the associated account is added to the session, and the user is logged in.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/api/login/magic-link.mjs</span> <span class="k">import</span> <span class="nx">sendLink</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../auth-shared/send-email-link.mjs</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">db</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@begin/data</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getAccounts</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../models/accounts.mjs</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="kd">get</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">?.</span><span class="nx">token</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">login</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="k">if</span> <span class="p">(</span><span class="nx">problems</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="nx">newSession</span><span class="p">,</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">login</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">token</span><span class="p">)</span> <span class="k">return</span> <span class="k">if</span> <span class="p">(</span><span class="nx">token</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">verifySession</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="kd">get</span><span class="p">({</span> <span class="na">table</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="nx">token</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">linkUsed</span><span class="p">}</span><span class="o">=</span><span class="nx">verifySession</span> <span class="kd">const</span> <span class="nx">linkExpired</span> <span class="o">=</span> <span class="nx">verifySession</span><span class="p">?.</span><span class="nx">ttl</span> <span class="o">&lt;</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">verifySession</span> <span class="o">||</span> <span class="nx">linkUsed</span> <span class="o">||</span> <span class="nx">linkExpired</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span><span class="dl">'</span><span class="s1">/login/link-expired</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="kd">set</span><span class="p">({</span> <span class="p">...</span><span class="nx">verifySession</span><span class="p">,</span> <span class="na">table</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="nx">token</span><span class="p">,</span> <span class="na">linkUsed</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="kd">let</span> <span class="nx">accounts</span><span class="p">,</span> <span class="nx">account</span> <span class="k">try</span> <span class="p">{</span> <span class="nx">accounts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getAccounts</span><span class="p">()</span> <span class="nx">account</span> <span class="o">=</span> <span class="nx">accounts</span><span class="p">.</span><span class="nx">find</span><span class="p">(</span><span class="nx">i</span> <span class="o">=&gt;</span> <span class="nx">i</span><span class="p">.</span><span class="nx">email</span> <span class="o">===</span> <span class="nx">verifySession</span><span class="p">.</span><span class="nx">email</span> <span class="o">&amp;&amp;</span> <span class="nx">i</span><span class="p">.</span><span class="nx">authConfig</span><span class="p">?.</span><span class="nx">loginWith</span><span class="p">?.</span><span class="nx">email</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">account</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span><span class="na">location</span><span class="p">:</span><span class="dl">'</span><span class="s1">/login/magic-link</span><span class="dl">'</span><span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">accountVerified</span> <span class="o">=</span> <span class="nx">account</span><span class="p">?.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="nx">removePassword</span><span class="p">,</span> <span class="p">...</span><span class="nx">sanitizedAccount</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">account</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">accountVerified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">redirectAfterAuth</span><span class="p">:</span><span class="nx">verifySession</span><span class="p">?.</span><span class="nx">redirectAfterAuth</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="na">unverified</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">sanitizedAccount</span> <span class="p">}</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorized</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">sanitizedAccount</span> <span class="p">}</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="nx">verifySession</span><span class="p">?.</span><span class="nx">redirectAfterAuth</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">post</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">?.</span><span class="nx">session</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">email</span><span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">session</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">email</span><span class="p">){</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{...</span><span class="nx">session</span><span class="p">,</span> <span class="na">problems</span><span class="p">:{</span><span class="na">form</span><span class="p">:</span><span class="dl">'</span><span class="s1">No Email Address</span><span class="dl">'</span><span class="p">}},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login/magic-link</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">accounts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getAccounts</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">account</span> <span class="o">=</span> <span class="nx">accounts</span><span class="p">.</span><span class="nx">find</span><span class="p">(</span><span class="nx">a</span> <span class="o">=&gt;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">email</span> <span class="o">===</span> <span class="nx">email</span> <span class="o">&amp;&amp;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span> <span class="o">&amp;&amp;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">authConfig</span><span class="p">?.</span><span class="nx">loginWith</span><span class="p">?.</span><span class="nx">email</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">account</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">sendLink</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span><span class="dl">'</span><span class="s1">Enhance Auth Login Link</span><span class="dl">'</span><span class="p">,</span> <span class="na">linkPath</span><span class="p">:</span><span class="dl">'</span><span class="s1">/login/magic-link</span><span class="dl">'</span><span class="p">,</span> <span class="nx">redirectAfterAuth</span> <span class="p">})</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login/wait-link</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Magic code/SMS </h2> <p>As discussed in the previous post, <a href="https://www.forbes.com/sites/zakdoffman/2020/10/11/apple-iphone-imessage-and-android-messages-sms-passcode-security-update">SMS messages are not as secure</a> as email addresses. For this reason, allowing users to log in with just a phone number is also less secure. There are situations where this might be a reasonable tradeoff. It may be fine, for example, as a login to a survey to ensure that each user only submits one response.<br> The form below is the log in by phone example.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--g8zoCy11--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gguarnqmkn9k4vfxmzfu.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--g8zoCy11--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gguarnqmkn9k4vfxmzfu.png" alt="log in with phone number" width="800" height="506"></a><br> In this case, a one-time code is sent to the phone number and a new form is presented in the browser for entering that code. After the one-time code is submitted, the user is logged in and receives the same confirmation message as in the magic link. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--r04iy4QR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sqv4jbwc8ucfzztb36d2.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--r04iy4QR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sqv4jbwc8ucfzztb36d2.png" alt="enter magic code" width="800" height="440"></a></p> <h2> Email only streamlined registration </h2> <p>One advantage of the magic link is a more streamlined login experience. In some cases, you might want to streamline registration also. An email (or phone number) might be the only piece of information needed from the user.<br> There are two options for this. First is to remove everything from the registration form except for the email or phone number. Another option is to drop the registration altogether. If a new email is submitted for login, it can be registered as a new user then.</p> <h2> Try it out </h2> <p>The code for the full example can be found at <a href="https://github.com/enhance-dev/enhance-auth">github.com/enhance-dev/enhance-auth</a>. Try out the deployed <a href="https://play-n8x.begin.app">example using magic link login</a>.</p> <h2> Next Step </h2> <p>The next post in this series will cover how to do social login. It is another popular option that can streamline logging in down to a single click.</p> enhance authentication Ryan Bethel Wed, 14 Jun 2023 13:15:50 +0000 https://dev.to/begin/verify-email-and-phone-for-new-accounts-5alp https://dev.to/begin/verify-email-and-phone-for-new-accounts-5alp <p>Having a verified way to communicate with account owners is critical for most applications. It is the best way to recover account access if a password is lost or forgotten. In our previous authentication posts, we covered <a href="https://begin.com/blog/posts/2023-05-10-why-you-should-roll-your-own-auth">Why you should roll your own auth</a> and <a href="https://begin.com/blog/posts/2023-05-26-password-username-auth-flow">Authentication for a username and password flow</a>. This third installment of the series focuses on account verification with an email or phone number.</p> <h2> TL;DR </h2> <ol> <li>An email or phone number is given at registration.</li> <li>Using SendGrid, an email is sent with a verification link.</li> <li>Using Twilio, a one time code is sent as an SMS message.</li> <li>The account is verified as soon as one of those links/codes is used.</li> <li>At login, if the user forgets their password, they can click “forgot password”.</li> <li>They will receive a password reset link to recover the account.</li> </ol> <p>Now, let's deep-dive into each of these components.</p> <h2> Lego not Ikea </h2> <p>Think of this authentication series as more like Lego, less like Ikea. Ikea furniture has detailed instructions for only one outcome, Lego gives flexibility to choose the parts you want for different outcomes. Although we include both phone and email options, often, email is enough. SMS has some vulnerabilities that make it less secure than email. These are building blocks; use only what you need.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s---S2x8thM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rwqn934i3fbd5eg9fd3m.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s---S2x8thM--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/rwqn934i3fbd5eg9fd3m.png" alt="Lego not Ikea" width="800" height="263"></a></p> <h2> Twilio and SendGrid </h2> <p>Software projects require constant build versus buy decisions. This series started by making the case that you should build your own authentication rather than buy it from a third party. But here, we use <a href="https://sendgrid.com/">SendGrid</a> and <a href="https://www.twilio.com/en-us">Twilio</a> for email and phone messages. Email deliverability is a <a href="https://repost.aws/knowledge-center/ses-email-flagged-as-spam">significant challenge</a>. The likelihood of your messages being seen by users is much higher with a reputable email service. And the only practical way to send SMS messages is to connect to the network through a third party.</p> <p>Both these services have a limited free tier so you can try them more easily. Note that for Twilio this demo uses their <a href="https://www.twilio.com/docs/verify/api">Verify API</a>. It is built for this purpose and it handles the logic of sending and verifying the one time codes.</p> <p>Your mileage may vary. But in general, the cost and complexity of adding third party dependencies only grows with time, so it is still best to avoid them when possible.</p> <h2> Environment variables </h2> <p>Configuring the services requires five environment variables. For SendGrid, an API key is needed as well as the email address that will be used as sender for messages. Twilio has an API token and an account service ID. The SMS messages come from a Twilio verified number. The test phone number is where the SMS messages will be sent during local development. That means you can register accounts with fake phone numbers and the SMS code will all be sent to this phone number.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># /.env</span> <span class="nv">SENDGRID_API_KEY</span><span class="o">=</span>key <span class="nv">TRANSACTION_SEND_EMAIL</span><span class="o">=</span>me@example.com <span class="nv">TWILIO_API_ACCOUNT_SID</span><span class="o">=</span>key <span class="nv">TWILIO_API_TOKEN</span><span class="o">=</span>key <span class="nv">SMS_TEST_PHONE</span><span class="o">=</span>+15555551111 </code></pre> </div> <h2> Local development without API keys </h2> <p>Local development is valuable for testing business logic and iterating quickly. This demo is written so that the code functions in local dev even with no API keys. Without them, the app will print the email validation link and SMS one time codes to the console. This makes it easier to add authentication to an app during the earliest stages of development. Then when the app is ready to be deployed, real API keys can be added.</p> <h2> Email verification </h2> <p>When a user registers with an email address, a unique verification link is sent. When the link is clicked a success message confirms that their account is verified. The database entry for that account is updated to reflect that the account has been verified.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--NybxGNry--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zp2ms74ib4jn2iobgqnl.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--NybxGNry--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zp2ms74ib4jn2iobgqnl.png" alt="Success message for validating email address" width="800" height="318"></a></p> <p>The handler below is on the <code>/verify</code> route. After submitting registration, the unverified user info is added to the session and redirected here. This endpoint initiates the verification of email, phone, or both.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/api/verify/index.mjs</span> <span class="k">import</span> <span class="p">{</span><span class="nx">sendCode</span><span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../auth-shared/sms-code-verify.mjs</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">sendLink</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../auth-shared/send-email-link.mjs</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="kd">get</span><span class="p">(</span><span class="nx">req</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">unverified</span><span class="p">,</span> <span class="nx">authorized</span><span class="p">,</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">restSession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">session</span> <span class="kd">let</span> <span class="nx">phone</span><span class="p">,</span><span class="nx">email</span><span class="p">,</span><span class="nx">phoneVerified</span><span class="p">,</span><span class="nx">emailVerified</span> <span class="k">if</span> <span class="p">(</span><span class="nx">unverified</span><span class="p">)</span> <span class="p">{</span> <span class="nx">phone</span> <span class="o">=</span> <span class="nx">unverified</span><span class="p">.</span><span class="nx">phone</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">unverified</span><span class="p">.</span><span class="nx">email</span> <span class="nx">phoneVerified</span> <span class="o">=</span> <span class="nx">unverified</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span> <span class="nx">emailVerified</span> <span class="o">=</span> <span class="nx">unverified</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span> <span class="kd">const</span> <span class="nx">verifyPhone</span> <span class="o">=</span> <span class="nx">phone</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">phoneVerified</span> <span class="kd">const</span> <span class="nx">verifyEmail</span> <span class="o">=</span> <span class="nx">email</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">emailVerified</span> <span class="k">if</span> <span class="p">(</span><span class="nx">verifyEmail</span><span class="p">){</span> <span class="c1">// send verification link</span> <span class="k">await</span> <span class="nx">sendLink</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">redirectAfterAuth</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span><span class="dl">'</span><span class="s1">Enhance Auth Verify Email Link</span><span class="dl">'</span><span class="p">,</span> <span class="na">linkPath</span><span class="p">:</span><span class="dl">'</span><span class="s1">/verify/email</span><span class="dl">'</span> <span class="p">})</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">verifyPhone</span><span class="p">){</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/waiting-email</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">verifyPhone</span><span class="p">){</span> <span class="c1">// send SMS code</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">smsVerify</span><span class="p">,</span> <span class="nx">unverified</span><span class="p">,</span> <span class="nx">authorized</span><span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">const</span> <span class="nx">serviceSid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sendCode</span><span class="p">({</span> <span class="nx">phone</span><span class="p">,</span> <span class="na">friendlyName</span><span class="p">:</span><span class="dl">'</span><span class="s1">Enhance Auth Verify Phone</span><span class="dl">'</span> <span class="p">})</span> <span class="kd">const</span> <span class="nx">newSession</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="p">}</span> <span class="nx">newSession</span><span class="p">.</span><span class="nx">smsVerify</span> <span class="o">=</span> <span class="p">{</span><span class="na">otp</span><span class="p">:{</span> <span class="nx">serviceSid</span> <span class="p">}}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="nx">newSession</span><span class="p">,</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/phone</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nx">authorized</span><span class="p">)</span> <span class="p">{</span> <span class="nx">phone</span> <span class="o">=</span> <span class="nx">authorized</span><span class="p">.</span><span class="nx">phone</span> <span class="nx">email</span> <span class="o">=</span> <span class="nx">authorized</span><span class="p">.</span><span class="nx">email</span> <span class="nx">phoneVerified</span> <span class="o">=</span> <span class="nx">authorized</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span> <span class="nx">emailVerified</span> <span class="o">=</span> <span class="nx">authorized</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span> <span class="k">return</span> <span class="p">{</span> <span class="na">json</span><span class="p">:{</span> <span class="na">verifyPhone</span><span class="p">:</span><span class="nx">phone</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">phoneVerified</span><span class="p">,</span> <span class="na">verifyEmail</span><span class="p">:</span><span class="nx">email</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">emailVerified</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The function below sends the verification link using the SendGrid API. It sets a reference to the token being sent with some meta data so that when the link is clicked the server can continue verifying the account. A key difference with the email link verification vs. the phone is that when the email verification link is clicked, it opens in a new browser window, and therefore starts with a new session.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/auth-shared/send-email-link.mjs</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">db</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@begin/data</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">sgMail</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sendgrid/mail</span><span class="dl">'</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">sendLink</span><span class="p">({</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">subject</span><span class="o">=</span><span class="dl">''</span><span class="p">,</span> <span class="nx">text</span><span class="p">,</span> <span class="nx">html</span><span class="p">,</span> <span class="nx">linkPath</span><span class="p">,</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="nx">newRegistration</span> <span class="o">=</span> <span class="kc">false</span> <span class="p">}){</span> <span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">requiredEnvs</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TRANSACTION_SEND_EMAIL</span> <span class="o">&amp;&amp;</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SENDGRID_API_KEY</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">DOMAIN_NAME</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">http://localhost:3333</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">verifyToken</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nx">randomBytes</span><span class="p">(</span><span class="mi">32</span><span class="p">).</span><span class="nx">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">link</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">domain</span><span class="p">}${</span><span class="nx">linkPath</span><span class="p">}</span><span class="s2">?token=</span><span class="p">${</span><span class="nb">encodeURIComponent</span><span class="p">(</span><span class="nx">verifyToken</span><span class="p">)}</span><span class="s2">`</span> <span class="kd">const</span> <span class="nx">ttl</span> <span class="o">=</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">()</span> <span class="o">+</span> <span class="mi">60</span><span class="o">*</span><span class="mi">60</span><span class="o">*</span><span class="mi">1000</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="kd">set</span><span class="p">({</span> <span class="na">table</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="nx">verifyToken</span><span class="p">,</span> <span class="nx">verifyToken</span><span class="p">,</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">redirectAfterAuth</span><span class="p">,</span> <span class="nx">newRegistration</span><span class="p">,</span> <span class="na">linkUsed</span><span class="p">:</span><span class="kc">false</span><span class="p">,</span> <span class="nx">ttl</span><span class="p">})</span> <span class="c1">// Local Development Testing Setup</span> <span class="k">if</span> <span class="p">(</span><span class="nx">isLocal</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">`</span><span class="p">${</span><span class="nx">subject</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="nx">link</span><span class="p">}</span><span class="s2">`</span><span class="p">)</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">requiredEnvs</span><span class="p">)</span> <span class="p">{</span> <span class="nx">sgMail</span><span class="p">.</span><span class="nx">setApiKey</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SENDGRID_API_KEY</span><span class="p">)</span> <span class="kd">let</span> <span class="nx">toEmail</span> <span class="o">=</span> <span class="nx">email</span> <span class="k">if</span><span class="p">(</span><span class="nx">isLocal</span><span class="p">)</span> <span class="nx">toEmail</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TRANSACTION_SEND_EMAIL</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">msg</span> <span class="o">=</span> <span class="p">{</span> <span class="na">to</span><span class="p">:</span> <span class="nx">toEmail</span><span class="p">,</span> <span class="na">from</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TRANSACTION_SEND_EMAIL</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">subject</span><span class="p">,</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">text</span><span class="p">)</span> <span class="p">{</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">text</span> <span class="o">=</span> <span class="nx">text</span><span class="p">(</span><span class="nx">link</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nx">html</span><span class="p">)</span> <span class="p">{</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">html</span> <span class="o">=</span> <span class="nx">html</span><span class="p">(</span><span class="nx">link</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">msg</span><span class="p">.</span><span class="nx">text</span> <span class="o">=</span> <span class="s2">`</span><span class="p">${</span><span class="nx">subject</span><span class="p">}</span><span class="s2">: </span><span class="p">${</span><span class="nx">link</span><span class="p">}</span><span class="s2">`</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">sgMail</span><span class="p">.</span><span class="nx">send</span><span class="p">(</span><span class="nx">msg</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">response</span><span class="p">.</span><span class="nx">body</span><span class="p">.</span><span class="nx">errors</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">TRANSACTION_SEND_EMAIL and SENDGRID_API_KEY needed to send</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">verifyToken</span> <span class="p">}</span> </code></pre> </div> <p>Once email verification is initiated, the server redirects to the <code>/verify/email</code> route. The handler for that route is below. It checks the status of the verification and shows a success or waiting message.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/verify/email.mjs</span> <span class="k">import</span> <span class="nx">db</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@begin/data</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getAccounts</span><span class="p">,</span> <span class="nx">upsertAccount</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../models/accounts.mjs</span><span class="dl">'</span> <span class="cm">/** * @type {import('@enhance/types').EnhanceApiFn} */</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="kd">get</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">query</span><span class="p">?.</span><span class="nx">token</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">authorized</span><span class="p">,</span> <span class="nx">unverified</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="k">if</span> <span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">verifySession</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="kd">get</span><span class="p">({</span> <span class="na">table</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="nx">token</span> <span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">linkUsed</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">verifySession</span> <span class="kd">const</span> <span class="nx">linkExpired</span> <span class="o">=</span> <span class="nx">verifySession</span><span class="p">?.</span><span class="nx">ttl</span> <span class="o">&lt;</span> <span class="nb">Date</span><span class="p">.</span><span class="nx">now</span><span class="p">()</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">verifySession</span> <span class="o">||</span> <span class="nx">linkUsed</span> <span class="o">||</span> <span class="nx">linkExpired</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/expired</span><span class="dl">'</span> <span class="p">};</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="kd">set</span><span class="p">({</span> <span class="p">...</span><span class="nx">verifySession</span><span class="p">,</span> <span class="na">table</span><span class="p">:</span> <span class="dl">'</span><span class="s1">session</span><span class="dl">'</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span> <span class="nx">token</span><span class="p">,</span> <span class="na">linkUsed</span><span class="p">:</span> <span class="kc">true</span> <span class="p">})</span> <span class="kd">let</span> <span class="nx">accounts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getAccounts</span><span class="p">()</span> <span class="kd">let</span> <span class="nx">account</span> <span class="o">=</span> <span class="nx">accounts</span><span class="p">.</span><span class="nx">find</span><span class="p">(</span><span class="nx">acct</span> <span class="o">=&gt;</span> <span class="nx">verifySession</span><span class="p">.</span><span class="nx">email</span> <span class="o">===</span> <span class="nx">acct</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">account</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">};</span> <span class="nx">account</span><span class="p">.</span><span class="nx">verified</span> <span class="o">=</span> <span class="nx">account</span><span class="p">.</span><span class="nx">verified</span> <span class="p">?</span> <span class="p">{...</span><span class="nx">account</span><span class="p">.</span><span class="nx">verified</span> <span class="p">,</span> <span class="na">email</span><span class="p">:</span><span class="kc">true</span><span class="p">}</span> <span class="p">:</span> <span class="p">{</span><span class="na">email</span><span class="p">:</span><span class="kc">true</span><span class="p">}</span> <span class="nx">account</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">upsertAccount</span><span class="p">({</span> <span class="p">...</span><span class="nx">account</span> <span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/success-email</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nx">unverified</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">accounts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getAccounts</span><span class="p">()</span> <span class="kd">let</span> <span class="nx">account</span> <span class="o">=</span> <span class="nx">accounts</span><span class="p">.</span><span class="nx">find</span><span class="p">(</span><span class="nx">acct</span> <span class="o">=&gt;</span> <span class="nx">unverified</span><span class="p">.</span><span class="nx">email</span> <span class="o">===</span> <span class="nx">acct</span><span class="p">.</span><span class="nx">email</span> <span class="p">)</span> <span class="kd">const</span> <span class="nx">accountVerified</span> <span class="o">=</span> <span class="nx">account</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">account</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span><span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">};</span> <span class="k">if</span> <span class="p">(</span><span class="nx">accountVerified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/success-email</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="k">await</span> <span class="nx">sendLink</span><span class="p">({</span> <span class="na">email</span><span class="p">:</span> <span class="nx">account</span><span class="p">.</span><span class="nx">email</span><span class="p">,</span> <span class="na">subject</span><span class="p">:</span><span class="dl">'</span><span class="s1">Enhance Auth Verify Email Link</span><span class="dl">'</span><span class="p">,</span> <span class="na">linkPath</span><span class="p">:</span><span class="dl">'</span><span class="s1">/verify/email</span><span class="dl">'</span><span class="p">,</span> <span class="nx">redirectAfterAuth</span> <span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/waiting-email</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="k">if</span> <span class="p">(</span><span class="nx">authorized</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">authorized</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span><span class="o">===</span><span class="kc">true</span><span class="p">){</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/success-email</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/success-email</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Phone verification </h2> <p>When an account is registered with a phone number, the unverified account info is added to the session and the browser is redirected to <code>/verify</code>. A one time code is sent to the phone number, and the user is then prompted to enter this code.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--jmsz8XB0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1jeqxsrzejslelja9icb.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--jmsz8XB0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1jeqxsrzejslelja9icb.png" alt="Form for validating phone number" width="800" height="359"></a></p> <p>The function below uses the Twilio Verify API to send the one time code. Note that if you are in a local development environment and the environment variables are not present, the API is bypassed and a code is sent to the console.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/auth-shared/sms-code-verify.mjs</span> <span class="k">import</span> <span class="nx">twilio</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">twilio</span><span class="dl">"</span> <span class="kd">const</span> <span class="nx">accountSid</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TWILIO_API_ACCOUNT_SID</span> <span class="kd">const</span> <span class="nx">authToken</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TWILIO_API_TOKEN</span> <span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">requiredEnvs</span> <span class="o">=</span> <span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TWILIO_API_ACCOUNT_SID</span> <span class="o">&amp;&amp;</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">TWILIO_API_TOKEN</span><span class="p">)</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">sendCode</span><span class="p">({</span><span class="nx">phone</span><span class="p">,</span><span class="nx">friendlyName</span><span class="p">}){</span> <span class="kd">let</span> <span class="nx">service</span> <span class="k">if</span> <span class="p">(</span><span class="nx">requiredEnvs</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">toPhone</span> <span class="o">=</span> <span class="nx">isLocal</span> <span class="p">?</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SMS_TEST_PHONE</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">+1</span><span class="dl">'</span><span class="o">+</span><span class="nx">phone</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">,</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">twilio</span><span class="p">(</span><span class="nx">accountSid</span><span class="p">,</span> <span class="nx">authToken</span><span class="p">)</span> <span class="nx">service</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">verify</span><span class="p">.</span><span class="nx">v2</span><span class="p">.</span><span class="nx">services</span><span class="p">.</span><span class="nx">create</span><span class="p">({</span> <span class="nx">friendlyName</span><span class="p">,</span> <span class="p">});</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">verify</span><span class="p">.</span><span class="nx">v2</span><span class="p">.</span><span class="nx">services</span><span class="p">(</span><span class="nx">service</span><span class="p">.</span><span class="nx">sid</span><span class="p">).</span><span class="nx">verifications</span><span class="p">.</span><span class="nx">create</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="nx">toPhone</span><span class="p">,</span> <span class="na">channel</span><span class="p">:</span> <span class="dl">'</span><span class="s1">sms</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SMS_TEST_PHONE</span><span class="p">)</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Warning: SMS messages will be sent to phone numbers unless SMS_TEST_PHONE is set</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Missing required environment variables</span><span class="dl">'</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">isLocal</span><span class="p">){</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Use simulated One Time Password "123456" for testing</span><span class="dl">'</span><span class="p">)</span> <span class="nx">service</span> <span class="o">=</span> <span class="p">{</span><span class="na">sid</span><span class="p">:</span><span class="dl">'</span><span class="s1">simulated-testing</span><span class="dl">'</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">service</span><span class="p">.</span><span class="nx">sid</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">verifyCode</span><span class="p">({</span><span class="nx">phone</span><span class="p">,</span> <span class="nx">serviceSid</span><span class="p">,</span> <span class="nx">smsCode</span> <span class="p">}){</span> <span class="kd">let</span> <span class="nx">verification</span><span class="p">,</span> <span class="nx">status</span> <span class="k">if</span> <span class="p">(</span><span class="nx">requiredEnvs</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">toPhone</span> <span class="o">=</span> <span class="nx">isLocal</span> <span class="p">?</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">SMS_TEST_PHONE</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">+1</span><span class="dl">'</span><span class="o">+</span> <span class="nx">phone</span><span class="p">.</span><span class="nx">replace</span><span class="p">(</span><span class="dl">'</span><span class="s1">-</span><span class="dl">'</span><span class="p">,</span><span class="dl">''</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="nx">twilio</span><span class="p">(</span><span class="nx">accountSid</span><span class="p">,</span> <span class="nx">authToken</span><span class="p">)</span> <span class="nx">verification</span><span class="o">=</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">verify</span><span class="p">.</span><span class="nx">v2</span> <span class="p">.</span><span class="nx">services</span><span class="p">(</span><span class="nx">serviceSid</span><span class="p">)</span> <span class="p">.</span><span class="nx">verificationChecks</span><span class="p">.</span><span class="nx">create</span><span class="p">({</span> <span class="na">to</span><span class="p">:</span> <span class="nx">toPhone</span><span class="p">,</span> <span class="na">code</span><span class="p">:</span> <span class="nx">smsCode</span> <span class="p">})</span> <span class="nx">status</span> <span class="o">=</span> <span class="nx">verification</span><span class="p">.</span><span class="nx">status</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="dl">'</span><span class="s1">Missing required environment variables</span><span class="dl">'</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">isLocal</span><span class="p">){</span> <span class="nx">status</span> <span class="o">=</span> <span class="nx">smsCode</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">123456</span><span class="dl">'</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">approved</span><span class="dl">'</span> <span class="p">:</span> <span class="kc">false</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">status</span> <span class="p">}</span> </code></pre> </div> <p>The following is the handler for <code>/verify/phone</code>. This handles the forms for entering the code and success messages once verified.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/api/verify/phone.mjs</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">sendCode</span><span class="p">,</span> <span class="nx">verifyCode</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../../auth-shared/sms-code-verify.mjs</span><span class="dl">"</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getAccount</span><span class="p">,</span> <span class="nx">upsertAccount</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">../../models/accounts.mjs</span><span class="dl">"</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="kd">get</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">smsVerify</span><span class="p">,</span> <span class="nx">unverified</span><span class="p">,</span> <span class="nx">authorized</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">otp</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">smsVerify</span> <span class="o">||</span> <span class="p">{}</span> <span class="kd">const</span> <span class="nx">phoneVerified</span> <span class="o">=</span> <span class="nx">authorized</span><span class="p">?.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span> <span class="o">||</span> <span class="nx">unverified</span><span class="p">?.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">authorized</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">unverified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">phoneVerified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span><span class="dl">'</span><span class="s1">/verify/success-phone</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="na">otpSent</span><span class="p">:</span> <span class="o">!!</span><span class="p">(</span><span class="nx">otp</span><span class="p">?.</span><span class="nx">serviceSid</span><span class="p">)</span> <span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">post</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">otpCode</span><span class="p">,</span> <span class="nx">request</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">smsVerify</span><span class="p">,</span> <span class="nx">unverified</span><span class="p">,</span> <span class="nx">authorized</span><span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">otp</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">smsVerify</span> <span class="o">||</span> <span class="p">{}</span> <span class="kd">const</span> <span class="nx">phoneVerified</span> <span class="o">=</span> <span class="nx">authorized</span><span class="p">?.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span> <span class="o">||</span> <span class="nx">unverified</span><span class="p">?.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span> <span class="kd">const</span> <span class="nx">phone</span><span class="o">=</span> <span class="nx">authorized</span><span class="p">?.</span><span class="nx">phone</span> <span class="o">||</span> <span class="nx">unverified</span><span class="p">?.</span><span class="nx">phone</span> <span class="k">if</span> <span class="p">(</span><span class="nx">request</span> <span class="o">&amp;&amp;</span> <span class="nx">phone</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">serviceSid</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">sendCode</span><span class="p">({</span><span class="nx">phone</span><span class="p">,</span> <span class="na">friendlyName</span><span class="p">:</span><span class="dl">'</span><span class="s1">Enhance Auth Verify Phone</span><span class="dl">'</span><span class="p">})</span> <span class="kd">const</span> <span class="nx">newSession</span> <span class="o">=</span> <span class="p">{</span> <span class="p">...</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="p">}</span> <span class="nx">newSession</span><span class="p">.</span><span class="nx">smsVerify</span> <span class="o">=</span> <span class="p">{</span><span class="na">otp</span><span class="p">:{</span> <span class="nx">serviceSid</span> <span class="p">}}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="nx">newSession</span><span class="p">,</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/phone</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">otpCode</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">serviceSid</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">otp</span> <span class="kd">const</span> <span class="nx">status</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">verifyCode</span><span class="p">({</span><span class="nx">phone</span><span class="p">,</span> <span class="nx">serviceSid</span><span class="p">,</span> <span class="na">smsCode</span><span class="p">:</span><span class="nx">otpCode</span><span class="p">})</span> <span class="k">if</span> <span class="p">(</span><span class="nx">status</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">approved</span><span class="dl">'</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">smsVerify</span><span class="p">,</span> <span class="nx">unverified</span><span class="p">,</span> <span class="nx">authorized</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">let</span> <span class="nx">key</span> <span class="o">=</span> <span class="nx">authorized</span><span class="p">?.</span><span class="nx">key</span> <span class="o">||</span> <span class="nx">unverified</span><span class="p">?.</span><span class="nx">key</span> <span class="kd">let</span> <span class="nx">account</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getAccount</span><span class="p">(</span><span class="nx">key</span><span class="p">)</span> <span class="kd">let</span> <span class="nx">match</span> <span class="o">=</span> <span class="nx">account</span><span class="p">?.</span><span class="nx">phone</span> <span class="o">===</span> <span class="nx">phone</span> <span class="kd">let</span> <span class="nx">verified</span> <span class="o">=</span> <span class="nx">account</span><span class="p">?.</span><span class="nx">verified</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">match</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">verified</span><span class="p">)</span> <span class="p">{</span> <span class="nx">account</span><span class="p">.</span><span class="nx">verified</span><span class="p">.</span><span class="nx">phone</span> <span class="o">=</span> <span class="kc">true</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">account</span><span class="p">.</span><span class="nx">verified</span> <span class="o">=</span> <span class="p">{</span><span class="na">phone</span><span class="p">:</span><span class="kc">true</span><span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">match</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">upsertAccount</span><span class="p">(</span><span class="nx">account</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span><span class="na">password</span><span class="p">:</span><span class="nx">removePassword</span><span class="p">,</span> <span class="p">...</span><span class="nx">newAccount</span><span class="p">}</span> <span class="o">=</span> <span class="nx">result</span> <span class="kd">const</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">redirectAfterAuth</span> <span class="o">||</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">newSession</span><span class="p">,</span> <span class="na">authorized</span><span class="p">:</span><span class="nx">newAccount</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="nx">redirectAfterAuth</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify/phone</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Forgot Password </h2> <p>With a verified account, users can recover if a password is lost or forgotten. On the login screen there is a “Forgot password” link that initiates this process. After entering their phone or email address, a link or one time code is generated.</p> <h2> Next steps </h2> <p>Now that we have a fully verified account we have the option to allow users to login directly with just their email or phone number. We will cover using these magic links in the next post. To try out this code <a href="https://meadow-yvg.begin.app/">here is an example deployed on Begin</a>. You can register an account to try resetting your password. Note that in this deployed example accounts are automatically deleted from the database after a day. The code for the full example can be found on GitHub at <a href="https://github.com/enhance-dev/enhance-auth">https://github.com/enhance-dev/enhance-auth</a>.</p> enhance authentication Ryan Bethel Tue, 30 May 2023 19:57:22 +0000 https://dev.to/begin/authentication-for-a-username-and-password-flow-4636 https://dev.to/begin/authentication-for-a-username-and-password-flow-4636 <p>Passwords are the oldest form of authentication for shared systems. There are many alternatives now that offer advantages, but sometimes a password is still the best fit. This post explains how to set up password authentication for Enhance.</p> <p>This is the second part of our series on authentication. The goal is to build a complete authentication system one piece at a time. The first post, <a href="https://begin.com/blog/posts/2023-05-10-why-you-should-roll-your-own-auth">Why you should roll your own auth</a>, makes a case for not outsourcing authentication to a third party. Now we cover username/password authentication with secure sessions.</p> <h2> TL&amp;DR </h2> <p>Before anyone can login an account needs to be created.</p> <ol> <li>The registration form takes input for a new account.</li> <li> This input is validated by a registration endpoint. </li> <li>And stored as a new account in the database.</li> </ol> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--pVd0qAbv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2ygdc998im7ahcnehkcl.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--pVd0qAbv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2ygdc998im7ahcnehkcl.png" alt="Registration Flow" width="800" height="534"></a></p> <p>To login:</p> <ol> <li> The username and password are entered in a login form. </li> <li>Posted to the server login endpoint.</li> <li>Checked against the database for a matching account.</li> <li>If a matching account is found, the details are stored in a user session.</li> </ol> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--TRl64wYC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7jto04kux1ridnh5stmq.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--TRl64wYC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7jto04kux1ridnh5stmq.png" alt="Login Flow" width="800" height="483"></a></p> <p>Now let's break down each of those components.</p> <h2> Secure Sessions </h2> <p>Secure sessions are the basis for authentication. Enhance uses HTTP only cookies for sessions because this is the most secure approach. It ensures no sensitive user information is stored on the client. The cookie is sent with each request to the server. The server can respond with the same cookie or modify it and send it that back with the response. In this way the session persists as long as the user interacts with the site, or it is cleared by the server. Refer to the <a href="https://begin.com/blog/posts/2023-02-03-bulletproof-sessions-with-httponly-cookies">Bulletproof Sessions</a> post for more details on Enhance sessions. After a user logs in, their account name and other details are attached to the session and used later to authenticate them when they make restricted requests. This session data is securely encrypted so that it cannot be read or modified except on the server. A long secret key is stored in an environment variable <code>ARC_APP_SECRET</code> to secure the sessions.</p> <h2> Register New Accounts </h2> <p>Before anyone can login a new account needs to be created. This is done with a plain HTML form sending a POST to the server. Here is a <a href="https://meadow-yvg.begin.app/register/username">deployed example</a>. Either a phone number or email is required to verify the account and as a recovery mechanism if the password is lost or forgotten. The email and phone verification will be covered in the next blog post.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vc8JiCG0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yycaepy8e0z9hvke8bcj.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vc8JiCG0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/yycaepy8e0z9hvke8bcj.png" alt="Registration Form Screenshot" width="800" height="658"></a></p> <h2> Validation </h2> <p>The markup for the registration form is shown below (or in the source <a href="https://github.com/enhance-dev/enhance-auth/blob/main/app/pages/register/username.mjs">repo on GitHub</a>). To properly validate form data requires both client and server validation. Client validation is the fastest way to catch small errors, but some things like uniqueness must be checked on the server. Client validation should not be trusted because it can be bypassed easily. If the server-side validation fails, the problems are returned along with the previous values entered so the user can pick up where they left off and fix any errors. The details of this validation loop are explained in the <a href="https://begin.com/blog/posts/2022-08-25-progressively-enhancing-form-submissions-with-web-components">Progressively enhancing form submission with web components</a> post.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/pages/register/username.mjs</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nx">register</span><span class="p">({</span> <span class="nx">html</span><span class="p">,</span> <span class="nx">state</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">register</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">state</span><span class="p">.</span><span class="nx">store</span> <span class="k">return</span> <span class="nx">html</span><span class="s2">` &lt;enhance-page-container&gt; &lt;nav-menu&gt;&lt;/nav-menu&gt; &lt;main&gt; &lt;h1 class="mb1 font-semibold text2"&gt;Register a new Account&lt;/h1&gt; &lt;enhance-form action="/register/username" method="post"&gt; &lt;div class="</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">form</span> <span class="p">?</span> <span class="dl">'</span><span class="s1">block</span><span class="dl">'</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">hidden</span><span class="dl">'</span><span class="p">}</span><span class="s2">"&gt; &lt;p&gt;Found some problems!&lt;/p&gt; &lt;ul&gt;</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">form</span><span class="p">}</span><span class="s2">&lt;/ul&gt; &lt;/div&gt; &lt;enhance-text-input label="Display Name" id="displayName" name="displayName" type="text" pattern="^[a-zA-Z0-9_\-]*$" maxlength="30" errors="</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">displayName</span><span class="p">?.</span><span class="nx">errors</span><span class="p">}</span><span class="s2">" value="</span><span class="p">${</span><span class="nx">register</span><span class="p">?.</span><span class="nx">displayName</span> <span class="o">||</span> <span class="dl">''</span><span class="p">}</span><span class="s2">" required &gt; &lt;/enhance-text-input&gt; &lt;enhance-text-input label="Username" id="username" name="username" type="text" pattern="^[a-zA-Z0-9_\-]*$" maxlength="30" errors="</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">username</span><span class="p">?.</span><span class="nx">errors</span><span class="p">}</span><span class="s2">" value="</span><span class="p">${</span><span class="nx">register</span><span class="p">?.</span><span class="nx">username</span> <span class="o">||</span> <span class="dl">''</span><span class="p">}</span><span class="s2">" description="Numbers, letters, and underscores" required &gt; &lt;/enhance-text-input&gt; &lt;enhance-text-input label="Password" id="password" name="password" type="password" minlength="8" errors="</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">password</span><span class="p">?.</span><span class="nx">errors</span><span class="p">}</span><span class="s2">" description="At least 8 characters" required &gt; &lt;/enhance-text-input&gt; &lt;enhance-text-input label="Confirm Password" id="confirmPassword" name="confirmPassword" type="password" minlength="8" errors="</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">confirmPassword</span><span class="p">?.</span><span class="nx">errors</span><span class="p">}</span><span class="s2">" required &gt; &lt;/enhance-text-input&gt; &lt;enhance-text-input label="Email" id="email" name="email" type="email" value="</span><span class="p">${</span><span class="nx">register</span><span class="p">?.</span><span class="nx">email</span> <span class="o">||</span> <span class="dl">''</span><span class="p">}</span><span class="s2">" errors="</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">email</span><span class="p">?.</span><span class="nx">errors</span><span class="p">}</span><span class="s2">" &gt; &lt;/enhance-text-input&gt; &lt;enhance-text-input label="Phone Number" id="phone" name="phone" type="tel" pattern="[0-9]{3}-[0-9]{3}-[0-9]{4}" errors="</span><span class="p">${</span><span class="nx">problems</span><span class="p">?.</span><span class="nx">phone</span><span class="p">?.</span><span class="nx">errors</span><span class="p">}</span><span class="s2">" value="</span><span class="p">${</span><span class="nx">register</span><span class="p">?.</span><span class="nx">phone</span> <span class="o">||</span> <span class="dl">''</span><span class="p">}</span><span class="s2">" description="Format: 123-456-7890" &gt; &lt;/enhance-text-input&gt; &lt;enhance-submit-button style="float: right"&gt; &lt;span slot="label"&gt;Register&lt;/span&gt; &lt;/enhance-submit-button&gt; &lt;/enhance-form&gt; &lt;/main&gt; &lt;/enhance-page-container&gt; `</span><span class="p">}</span> </code></pre> </div> <h2> Storing Passwords </h2> <p>When the form is submitted a post request is sent to the server. One of the most critical parts of password authentication is properly handling passwords. They need to be stored so they can be verified at login. But they should also be stored so that if the account data is breached, the original passwords cannot be easily discovered. The solution is to store a hashed and salted version of the password. The hash is a one-way function that is very difficult and time-consuming to reverse.<br> See the OWASP cheatsheet on <a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#hashing-vs-encryption">hashing-vs-encryption</a> for more information. For hashing and salting, <code>bcrypt</code> is used with ten salting passes. As an additional precaution if there are form validation problems, the password is not returned to the front end with the other form inputs. It needs to be entered again to resubmit. Below is the POST handler for creating a new account (or refer to the source <a href="https://github.com/enhance-dev/enhance-auth/blob/main/app/api/register/username.mjs">repo on GitHub</a>).<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="c1">// /app/api/register/username.mjs</span> <span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bcryptjs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">validate</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../models/register-username.mjs</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">upsertAccount</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../models/accounts.mjs</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="kd">get</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">register</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="k">if</span> <span class="p">(</span><span class="nx">problems</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="nx">newSession</span><span class="p">,</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">register</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">post</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">?.</span><span class="nx">session</span> <span class="c1">// eslint-disable-next-line no-unused-vars</span> <span class="kd">let</span> <span class="p">{</span> <span class="na">authorized</span><span class="p">:</span> <span class="nx">removedAuthorize</span><span class="p">,</span> <span class="na">problems</span><span class="p">:</span> <span class="nx">removedProblems</span><span class="p">,</span> <span class="na">register</span><span class="p">:</span> <span class="nx">removedRegister</span><span class="p">,</span> <span class="na">unverified</span><span class="p">:</span> <span class="nx">removedUnverified</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">session</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">register</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">validate</span><span class="p">.</span><span class="nx">create</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="k">if</span> <span class="p">(</span><span class="nx">problems</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// eslint-disable-next-line no-unused-vars</span> <span class="kd">let</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span><span class="nx">removedPassword</span><span class="p">,</span> <span class="na">confirmPassword</span><span class="p">:</span><span class="nx">removedConfirm</span><span class="p">,</span> <span class="p">...</span><span class="nx">sanitizedRegister</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">register</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">newSession</span><span class="p">,</span> <span class="nx">problems</span><span class="p">,</span> <span class="na">register</span><span class="p">:</span> <span class="nx">sanitizedRegister</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/register/username</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="k">delete</span> <span class="nx">register</span><span class="p">.</span><span class="nx">confirmPassword</span> <span class="nx">register</span><span class="p">.</span><span class="nx">password</span> <span class="o">=</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nx">hashSync</span><span class="p">(</span><span class="nx">register</span><span class="p">.</span><span class="nx">password</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="nx">register</span><span class="p">.</span><span class="nx">authConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">loginWith</span><span class="p">:</span> <span class="p">{</span><span class="na">password</span><span class="p">:</span><span class="kc">true</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span><span class="kc">true</span><span class="p">,</span> <span class="na">phone</span><span class="p">:</span><span class="kc">true</span><span class="p">}</span> <span class="p">}</span> <span class="nx">register</span><span class="p">.</span><span class="nx">scopes</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">member</span><span class="dl">'</span><span class="p">]</span> <span class="c1">// eslint-disable-next-line no-unused-vars</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="nx">removePassword</span><span class="p">,</span> <span class="p">...</span><span class="nx">newAccount</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">upsertAccount</span><span class="p">(</span><span class="nx">register</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">unverified</span><span class="p">:</span> <span class="nx">newAccount</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span> <span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="p">...</span><span class="nx">newSession</span><span class="p">,</span> <span class="na">error</span><span class="p">:</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/register/username</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Login </h2> <p>The login handler is shown below (or in the source <a href="https://github.com/enhance-dev/enhance-auth/blob/main/app/api/login/username.mjs">repo on GitHub</a>). A password and username submitted as a POST request. They are then checked against the database to find a matching verified account. If one is found an <code>authorized</code> object is added to the session to identify the account.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/api/login/username.mjs</span> <span class="k">import</span> <span class="nx">bcrypt</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">bcryptjs</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">xss</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">xss</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">getAccounts</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">../../models/accounts.mjs</span><span class="dl">'</span> <span class="c1">// Hardcoded admin account to bootstrap accounts.</span> <span class="c1">// The password is defined in environment variables</span> <span class="kd">const</span> <span class="nx">hardcodedAdmin</span> <span class="o">=</span> <span class="p">{</span> <span class="na">username</span><span class="p">:</span> <span class="dl">'</span><span class="s1">hardcoded</span><span class="dl">'</span><span class="p">,</span> <span class="na">scopes</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">admin</span><span class="dl">'</span><span class="p">],</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="kd">get</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">login</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="k">if</span> <span class="p">(</span><span class="nx">problems</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="nx">newSession</span><span class="p">,</span> <span class="na">json</span><span class="p">:</span> <span class="p">{</span> <span class="nx">problems</span><span class="p">,</span> <span class="nx">login</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nx">post</span><span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="nx">req</span><span class="p">?.</span><span class="nx">session</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">password</span><span class="p">,</span> <span class="nx">username</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">redirectAfterAuth</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">session</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">password</span> <span class="o">||</span> <span class="o">!</span><span class="nx">username</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">problems</span><span class="p">:</span> <span class="p">{</span> <span class="na">form</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Missing Username or Password</span><span class="dl">'</span> <span class="p">},</span> <span class="na">login</span><span class="p">:</span> <span class="p">{</span><span class="na">username</span><span class="p">:</span><span class="nx">xss</span><span class="p">(</span><span class="nx">username</span><span class="p">)},</span> <span class="nx">redirectAfterAuth</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login/username</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// Hardcoded admin account to bootstrap accounts</span> <span class="c1">// To disable remove the HARDCODED_ADMIN_PASSWORD from environment variables</span> <span class="k">if</span> <span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">HARDCODED_ADMIN_PASSWORD</span> <span class="o">&amp;&amp;</span> <span class="nx">username</span> <span class="o">===</span> <span class="nx">hardcodedAdmin</span><span class="p">.</span><span class="nx">username</span> <span class="o">&amp;&amp;</span> <span class="nx">password</span> <span class="o">===</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">HARDCODED_ADMIN_PASSWORD</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorized</span><span class="p">:</span> <span class="nx">hardcodedAdmin</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="nx">redirectAfterAuth</span> <span class="p">?</span> <span class="nx">redirectAfterAuth</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">let</span> <span class="nx">accounts</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">getAccounts</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">account</span> <span class="o">=</span> <span class="nx">accounts</span><span class="p">.</span><span class="nx">find</span><span class="p">(</span><span class="nx">a</span> <span class="o">=&gt;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">username</span> <span class="o">===</span> <span class="nx">username</span> <span class="o">&amp;&amp;</span> <span class="nx">a</span><span class="p">.</span><span class="nx">authConfig</span><span class="p">?.</span><span class="nx">loginWith</span><span class="p">?.</span><span class="nx">username</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">match</span> <span class="o">=</span> <span class="nx">account</span> <span class="p">?</span> <span class="nx">bcrypt</span><span class="p">.</span><span class="nx">compareSync</span><span class="p">(</span><span class="nx">password</span><span class="p">,</span> <span class="nx">account</span><span class="p">?.</span><span class="nx">password</span><span class="p">)</span> <span class="p">:</span> <span class="kc">false</span> <span class="kd">const</span> <span class="nx">accountVerified</span> <span class="o">=</span> <span class="nx">match</span> <span class="p">?</span> <span class="o">!!</span><span class="p">(</span><span class="nx">account</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">email</span> <span class="o">||</span> <span class="nx">account</span><span class="p">.</span><span class="nx">verified</span><span class="p">?.</span><span class="nx">phone</span><span class="p">)</span> <span class="p">:</span> <span class="kc">false</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">password</span><span class="p">:</span> <span class="nx">removePassword</span><span class="p">,</span> <span class="p">...</span><span class="nx">sanitizedAccount</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">account</span> <span class="o">||</span> <span class="p">{}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">accountVerified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">authorized</span><span class="p">:</span> <span class="nx">sanitizedAccount</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="nx">redirectAfterAuth</span> <span class="p">?</span> <span class="nx">redirectAfterAuth</span> <span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="nx">match</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">accountVerified</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">unverified</span><span class="p">:</span> <span class="nx">sanitizedAccount</span><span class="p">,</span> <span class="nx">redirectAfterAuth</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/verify</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">match</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{</span> <span class="na">problems</span><span class="p">:</span> <span class="p">{</span> <span class="na">form</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Incorrect Username or Password</span><span class="dl">'</span> <span class="p">},</span> <span class="na">login</span><span class="p">:</span> <span class="p">{</span><span class="na">username</span><span class="p">:</span><span class="nx">xss</span><span class="p">(</span><span class="nx">username</span><span class="p">)}</span> <span class="p">},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/login/username</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Hard coded accounts </h2> <p>One problem setting up an app is creating the first account with administrative permissions. The new account registration form should only create regular accounts without admin permissions. There are many ways to do this, but one option is to hard code a user into the app to start. This is an alternative password authentication like that shown in <a href="https://begin.com/blog/posts/2023-02-03-bulletproof-sessions-with-httponly-cookies">Bulletproof Sessions</a>. In this demo the username is <code>hardcoded</code> and the password is set with the environment variable <code>HARDCODED_ADMIN_PASSWORD</code>. This account can be used in the admin dashboard to modify permissions of other accounts as needed.</p> <h2> Next Step </h2> <p>After registering a new account the email or phone number must be verified. This will be covered in the next blog post. To see it in action <a href="https://meadow-yvg.begin.app/">here is an example deployed on Begin</a>. You can register an account to try it out. Note that in this deployed example accounts are automatically deleted from the database after a day. The code for the full example can be found on GitHub at <a href="https://github.com/enhance-dev/enhance-auth">https://github.com/enhance-dev/enhance-auth</a>.</p> enhance authentication Ryan Bethel Tue, 14 Mar 2023 20:33:47 +0000 https://dev.to/begin/my-experience-learning-to-code-2id1 https://dev.to/begin/my-experience-learning-to-code-2id1 <p>Photo by <a href="https://unsplash.com/@tobbes_rd?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Tobias Rademacher</a> on <a href="https://unsplash.com">Unsplash</a></p> <p>About 10 years ago, I built my first site using the web. A few years after that, I made it a goal to do it professionally. Since that time, the number of developers worldwide has grown by roughly 5-10X<sup id="fnref1">1</sup>. Which means most of us are new here.</p> <p>Early on, I read anything I could find sharing how others learned to code. Some were helpful. Some were not. I hope this is helpful. But to be clear, this is not meant to be prescriptive or motivational. Everyone's experience is very different. There are a lot of thought pieces lately by long time industry experts about the rise and fall of frameworks etc. This is not that. As I said, I am relatively new here. These are just observations from my own experience.</p> <h2> TL&amp;DR </h2> <p>One of the biggest challenges in learning to code on my own was choosing what to learn and how to invest my limited time and resources. Learning to code, as I experienced it, was a very non-linear process. I felt utterly stuck for long periods, followed by sudden breakthroughs where all the pieces fell into place. I chose early to invest heavily in learning React. Looking back, I would do that differently. One especially true paradox in coding is that it takes much longer to master, but less time to be productive than you think. I got stuck for a long time on the content consumption treadmill taking course after course. A better use of time is creating more real things that people use, even if they are just for yourself.</p> <h2> Background </h2> <p>I started my career as an engineer doing integrated circuit design. I did no web development, but I did use scripting languages like PERL, source control (before there was Git), and vim was my daily driver. Later that technical foundation helped accelerate my learning. But after just a few years, I burned out in that job. I made a career change away from tech completely for the next 12 years.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--vli4slwF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ow6ikn6a8m6fz2x2xud6.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--vli4slwF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ow6ikn6a8m6fz2x2xud6.gif" alt="I gotta get outta here, I think I'm gonna lose it." width="500" height="266"></a></p> <p>For most of those years, I worked on a small specialized team in a much larger organization. I was a guide leading outdoor trips like whitewater rafting. As I slowly recovered from burnout, I realized I had missed working with technology.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ecUy2mDX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wan2s8reljv6y5lwb6kw.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ecUy2mDX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wan2s8reljv6y5lwb6kw.gif" alt="This isn't so bad" width="500" height="227"></a></p> <p>As our team grew, we needed some tools to manage our trips, but we had no budget and no resources to get them. So we decided to build them ourselves. Building and maintaining those internal tools became a part time job for the next couple of years. Initially it was all about making things work any way I could. This was low code, no code, just get it done. I built many small websites and single purpose web apps to serve our teams. It was fun. In my mind, I could never build a "real app", but I could make a thing people could get to with a URL to do what they needed.</p> <p>I would not have called myself a developer at this point. But when I decided to make this my career, my pragmatic technology choices were suddenly clouded by asking myself how a real developer would do this. That might have been a good question if I knew the answer, but since I did not, it led me to overcomplicate things with tools I saw people talking about on Twitter.</p> <h2> My Goal </h2> <p>I had two goals in learning to code. First, to become proficient in solving problems using the web and second, to get a job as a developer. There is a big difference between those two goals. They are often completely at odds.</p> <p>Hiring in this industry is broken.</p> <p><a href="https://par.nsf.gov/servlets/purl/10139106">Interviews are broken</a>.</p> <p>If you are here to find my advice on how to get a job, I am sorry. I wish I had answers, but I don't. And I am not the right person to write that post.</p> <p>If, on the other hand, your goal is to build useful things, I can point out some mistakes I made that will hopefully save you time. The biggest mistake was not resisting the urge to follow what is popular. This is hard to do because it feels like a shortcut to credibility, but these fads die as fast as they are born.</p> <p>A podcast host (who I greatly respect still and will not name) recommended people learn Gatsby and GraphQL to advance their careers. I followed that advice. Recently, he was dumping on both of those tools on that same podcast. Few things feel as bad as spending months or years to learn Gatsby only to watch it become a punchline. That is the danger of chasing the hype train. To be fair, this is complicated. I do think that some of my early job opportunities came from having React, GraphQL, and Gatsby on my resume.</p> <h2> Finding time </h2> <p>So I decided to get serious about becoming a developer. But I had a full-time job and a family. Bootcamp was not realistic, so I had to find a different way. My solution was to wake up early. Before my family was up and before work started, for about two years (give or take), I woke up around 4 am to spend about two hours learning before my normal day started. I do not endorse this. I was sleep deprived and unhealthy because of it. If you are trying to make space and time for a career change, don't neglect your mental health, physical health, or family. If you do you might reach your goal and find it is not all you hoped it would be.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--JY-33wrG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wd8y1lzkhrrd5vyl5sd8.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--JY-33wrG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wd8y1lzkhrrd5vyl5sd8.png" alt="Thanks Mario but our princess is in another castle" width="680" height="530"></a></p> <p>Another way I supplemented learning was by consuming all the web dev content I could find. I didn't care what was popular, but I did take what was popular as a proxy for what must be good. I had no other sources. I didn't even know anybody in the industry personally. Twitter, podcasts, and blogs were what I had. So I immersed myself in the web dev communities there. Watching, listening, occasional DM's, but rarely making any noise myself. I listened to a steady diet of content while driving, washing dishes, mowing the lawn, etc. Like learning a foreign language by watching films without subtitles. It is not the fastest way, but it is one way to make use of unfocused time. If I heard something like "DOM" come up repeatedly I would make a note to study that up when I had time.</p> <h2> What to learn </h2> <p>Choosing what to learn on your own is like writing the curriculum for Calculus without any perspective of what is most important and what order to put it in. You don't know enough to do it well, but you have a sense that many people suggesting an answer have ulterior motives. Prior to this, my first real app was four HTML pages with forms served with JavaScript from Google Apps Scripts (GAS). The database/backend was a Google Sheet. I cobbled it together knowing almost nothing about web dev. I copy/pasted most of my code. I used Bootstrap to make it look decent. But now I wanted to be a professional, so this approach wouldn’t do. Everything I heard from my steady content diet said I had to choose Angular or React to be a pro. This was around 2016, so Angular was the industry leader and React was the new kid. No one (that I heard) was even suggesting you could build for the web without a framework. This was right during the Angular to Angular 2 transition that created a lot of negative sentiment toward Angular. That was enough to tip the scales for me toward React. So I went all in. From then on I narrowed my content consumption and learning heavily to React. React only grew from there. Which confirmed to me I had made the right choice.</p> <p>What I didn’t realize at the time was that many professionals just mind their business and do their job quietly. Their opinions are underrepresented on Twitter. Some of the most vocal people online are trying to look like professionals. Frameworks are still a huge industry, but a growing community is pointing back to using the platform with fewer layers of abstraction. I did not find this community until I was already working with an agency that placed React developers as contractors. I was starting to see the problems with jamming every website into a React shaped box. Even simple tasks required dozens of dependencies (meaning hundreds or thousands of sub-dependencies) that would break frequently. The simplest “Hello World” required complicated and fragile tooling setups. And the list goes on.</p> <p>The lesson I learned from my long framework detour is I wish that I had invested more time in learning the underlying fundamentals of the platform first. Whatever the hot framework is next year will be built on those same fundamentals. If you feel like you need to learn the blazingly fast, awesome DX, Kerplunk framework to get a job, then you should do that. But you can learn it faster and better knowing the bricks that it is built out of.</p> <h2> How to learn </h2> <p>I was not in tech at the time I was learning.<br> We did not have a family budget that allowed for throwing money at this problem. Then, like now, there was no shortage of paid content (courses, books, etc.) promising shortcuts. I was not opposed to spending some money, but I started with all the free resources I could find. Here is a sample of the material I used to learn. It’s only a partial list, but these are some of the better sources I can recommend. I will not list the junk content I encountered but suffice it to say there is a lot out there.</p> <ul> <li> <a href="https://www.learnenough.com/courses">Learn Enough</a> -I started with these short tutorials about web development topics to fill in some gaps. They are paid courses now. At the time, they were being developed, and the drafts were free. It's been years, and I think they were even sold to another company. I used these kinds of tutorials to fill in the gaps of HTML, CSS, JavaScript, Git, etc.</li> <li> <a href="https://freecodecamp.org">freecodecamp.org</a> - Free education content. Can't speak highly enough of this organization. I did not follow through their curriculum as recommended but I read and used a lot of the pieces.</li> <li> <a href="https://frontendmasters.com/courses/complete-react-v8/">Frontend Masters - Brian Holt React Course</a> - Frontend masters is a fantastic educational resource for professional development. It is paid and pretty expensive. It is targeted at developers with existing experience trying to learn a new thing. They offered a free weekend preview or another promotion that I took advantage of. I binged the course because it was only free for the weekend. It was like drinking from a firehose. I have always liked to learn by jumping in the deep end, especially where the risk of failing publicly is low. Frontend Masters is great. I highly recommend them. Their courses are excellent. But as I mentioned they are not really targeted at or priced for beginners, so beware.</li> <li> <a href="https://wesbos.com/courses">Wes Bos</a> - The first web development course I paid for was Wes Bos's Advanced React course. Should I have started with his beginner React course, or better yet, his Beginner JavaScript course? Probably yes, but as I said I like to jump in the deep end. Wes is great. He is a good teacher and his courses are worth the time and money.</li> </ul> <h2> A winding path </h2> <p>Like many complicated things, learning to code is not a linear process. Looking back, I can see the path I should have taken that was unclear when I first started my journey. My experience is no different from the many people who are learning these skills independently. Few industries approach similarly hard things without a university/college program or a skilled mentor (i.e. new electricians work under a master electrician, or a new wilderness guide works under a seasoned veteran guide) to teach them.</p> <p>When are you a developer? I cannot say. Some gatekeepers guard the term jealously. But if you build things for the web and that is what you want to be, own it, and then make it true. There will always be more to learn. I distinctly remember a moment when I suddenly had this insight: <em>"Oh, so a Promise is just like a regular Object, and the value just drops in sometime in the future".</em> So many things clicked into place with that one thought. Was I a developer before then with such an incomplete mental model of asynchronous programming? Am I one now with all the things I have yet to learn? The answer to both questions is <em>"yes"</em>. But the most important thing is that I have learned how to learn what I need when I need it, so yes, I call myself a developer.</p> <h2> Build real things </h2> <p>At one point, I wrote a small web app to manage some data for my team. It was a basic HTML page with forms served from <a href="https://www.google.com/script/start/">Apps Script</a>. When I was later learning React, I figured out a way to rewrite it with React and serve it from GAS. Which was not easy to do, and I may be the only one who ever figured out how to do it (probably not, but I felt like a conqueror). I had accomplished something worthwhile. Now we could do so much more with this tool since it was written in React like a professional web app. In reality, this was wasted effort. In fact, this made the app more fragile and harder to maintain. But I would not have seen that unless it was a real app used by real people.</p> <p>Building real things is the most critical part of learning to code. Building sample apps is helpful for learning concepts, but problems only show up with real use. If you are on your own and don't have anyone to build things for, it is even useful to build things for yourself. Simple tools, scripts, web sites, can turn into powerful feedback loops for learning if you use them to do a job. Look for those opportunities wherever you can.</p> <h2> Conclusion </h2> <p>Getting clear on your goals is essential. Becoming a professional web developer on your own is a slog. You should know that. And anyone who says otherwise is lying. If your goal is to solve problems using the web, it is much more achievable. Don’t get lost learning the next big thing. I wish I had focused on learning the fundamentals of the web platform earlier on.</p> <p>I ultimately think that the modern web development hype cycle is driven by exploiting the insecurity of developers. Looking back on my journey, I realized that when I was in that cycle, I felt the urgency to learn the next thing: React, Redux, GraphQL, Gatsby... because I felt like I could get the basics and put those words on my resume I stood a better chance of finding a job. It was because I felt genuinely learning the fundamentals was out of reach, and I needed to keep up with the latest thing to stand any chance. Now I don't feel that urgency, not because I feel smarter, but because I know enough, and I can learn anything I need to when I need to.</p> <p>If you want to learn some web fundamentals check out these resources:</p> <ul> <li> <a href="https://developer.mozilla.org/en-US/docs/Learn">MDN:Learn Web Development</a> - This set of articles aims to guide complete beginners to web development with all that they need to start coding websites.</li> <li> <a href="https://w3cx.org/">W3Cx</a> - Master the foundational programming languages for Web development, HTML5, CSS and JavaScript.</li> <li> <a href="https://enhance.dev">enhance.dev</a> - A tool that makes it easy to build functional web apps easier than anything I know of.</li> </ul> <ol> <li id="fn1"> <p>That is taking GitHub user growth as a proxy for developers in general (<a href="https://en.wikipedia.org/wiki/Timeline_of_GitHub">wikipedia</a>) ↩</p> </li> </ol> Ryan Bethel Fri, 17 Feb 2023 18:49:38 +0000 https://dev.to/begin/uploading-files-with-html-forms-part-2-3178 https://dev.to/begin/uploading-files-with-html-forms-part-2-3178 <p>Photo By <a href="https://unsplash.com/es/@dodancs?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Dominik Dancs</a></p> <p>In <a href="https://begin.com/blog/posts/2023-02-08-upload-files-in-forms-part-1">Part 1</a> of this post we built a form and backend code to accept files and images uploaded from a browser. If you missed that post you should read it first and then come back here. We built it with an HTML first approach so that it will work with no client side JavaScript. Here in Part 2 we will add some improvement using a little JavaScript.</p> <h2> Preprocessing image on the client using <code>&lt;canvas&gt;</code> </h2> <p>In <a href="https://begin.com/blog/posts/2023-02-08-upload-files-in-forms-part-1">Part 1</a> images were reduced on the server so that large images did not waste space, but more importantly so that we did not have to serve those large images back as part of displaying the user profile.</p> <p>The problem with the server side processing for scaling the image is that you have already sent a larger than necessary image to the server to throw away most of those bits. It would be better to only send what you need. Another problem is that the AWS lambda request has a payload limit of 6 MB maximum. Large images can easily exceed this, and the request will fail before your server sees it.<br> It also adds a significant delay to the response when submitting to wait for the server to process it.</p> <p>A better solution is resizing it in the browser before sending it over the network. So with our non-JavaScript solution in place, we will add our first client side JavaScript enhancement.</p> <p>There are many ways to scale an image in a browser. One good solution might be to send the <code>wasm-vips</code> library to the client and use it inside a worker to run the same scaling in the browser. The pros are the symmetry between the client side result or the server side result.<br> One downside is the extra dependency and having to ship that code for the library to the client in the first place.</p> <p>In this example, we will use the browser itself, specifically the <code>&lt;canvas&gt;</code> element to do the image scaling. With no added dependencies! You can read more about using the canvas element for this purpose here (<a href="https://imagekit.io/blog/how-to-resize-image-in-javascript/">https://imagekit.io/blog/how-to-resize-image-in-javascript/</a>).</p> <p>The code here is encapsulated in a custom element using an <a href="https://enhance.dev/docs/learn/concepts/single-file-components">Enhance single file component</a>. First, we add a hidden image tag at the end of the form that will eventually be a preview of the scaled image. The code at the bottom has a resize method that uses the FileReader API to read the image the user selects from disk and assign it as the src of an image we created.<br> When that image is loaded, we define the scaling parameters and then redraw the image in a canvas element with the new size. We then create a data URL with that scaled image. And finally, we assign that data URL to our preview image and change it from hidden to visible.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>// /app/pages/profiles/new.mjs export default function Html ({ html, state }) { return html` <span class="nt">&lt;main</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;article&gt;</span> <span class="nt">&lt;h1&gt;</span>New Profile<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/profiles/new"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">multipart/form-data</span><span class="nt">&gt;</span> <span class="nt">&lt;label&gt;</span>First Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"firstname"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span>First Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"lastname"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span> Profile Picture <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">autocomplete=</span><span class="s">"off"</span> <span class="na">name=</span><span class="s">"picture"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;img</span> <span class="na">class=</span><span class="s">"hidden"</span> <span class="na">id=</span><span class="s">"profile-preview"</span> <span class="na">alt=</span><span class="s">"profile picture preview"</span><span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">submit</span> <span class="nt">&gt;</span>Save<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/article&gt;</span> <span class="nt">&lt;/main&gt;</span> <span class="nt">&lt;script </span><span class="na">type=</span><span class="s">module</span> <span class="nt">&gt;</span> <span class="kd">class</span> <span class="nx">PageProfilesNew</span> <span class="kd">extends</span> <span class="nx">HTMLElement</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">super</span><span class="p">()</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">form</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imageInput</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">input[name=picture]</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imagePreview</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">#profile-preview</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">resize</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">resize</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">dataURLtoBlob</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">dataURLtoBlob</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imageInput</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">change</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="o">=&gt;</span><span class="k">this</span><span class="p">.</span><span class="nx">resize</span><span class="p">(</span><span class="nx">e</span><span class="p">))</span> <span class="p">}</span> <span class="nx">resize</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// for input file null</span> <span class="k">if</span> <span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">files</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">imageFile</span> <span class="o">=</span> <span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">reader</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">FileReader</span><span class="p">()</span> <span class="nx">reader</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="o">=&gt;</span><span class="p">{</span> <span class="kd">let</span> <span class="nx">image</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">img</span><span class="dl">"</span><span class="p">)</span> <span class="nx">image</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">size</span> <span class="o">=</span> <span class="mi">350</span> <span class="kd">const</span> <span class="nx">width</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">height</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">widthScale</span> <span class="o">=</span> <span class="nx">size</span><span class="o">/</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">heightScale</span> <span class="o">=</span> <span class="nx">size</span><span class="o">/</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">outputScale</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nx">min</span><span class="p">(</span><span class="nx">widthScale</span><span class="p">,</span><span class="nx">heightScale</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">outWidth</span> <span class="o">=</span> <span class="nx">outputScale</span><span class="o">*</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">outHeight</span><span class="o">=</span> <span class="nx">outputScale</span><span class="o">*</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">canvas</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">canvas</span><span class="dl">"</span><span class="p">)</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">width</span> <span class="o">=</span> <span class="nx">outWidth</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">height</span> <span class="o">=</span> <span class="nx">outHeight</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">getContext</span><span class="p">(</span><span class="dl">"</span><span class="s2">2d</span><span class="dl">"</span><span class="p">)</span> <span class="nx">context</span><span class="p">.</span><span class="nx">drawImage</span><span class="p">(</span><span class="nx">image</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">outWidth</span><span class="p">,</span> <span class="nx">outHeight</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">dataurl</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">toDataURL</span><span class="p">(</span><span class="nx">imageFile</span><span class="p">.</span><span class="nx">type</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imagePreview</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="nx">dataurl</span> <span class="k">this</span><span class="p">.</span><span class="nx">imagePreview</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nx">remove</span><span class="p">(</span><span class="dl">"</span><span class="s2">hidden</span><span class="dl">"</span><span class="p">)</span> <span class="p">}</span> <span class="nx">image</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">result</span> <span class="p">}</span> <span class="nx">reader</span><span class="p">.</span><span class="nx">readAsDataURL</span><span class="p">(</span><span class="nx">imageFile</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">customElements</span><span class="p">.</span><span class="nx">define</span><span class="p">(</span><span class="dl">"</span><span class="s2">page-profiles-new</span><span class="dl">"</span><span class="p">,</span> <span class="nx">PageProfilesNew</span><span class="p">)</span> <span class="nt">&lt;/script&gt;</span> ` } </code></pre> </div> <p>We now have a scaled image created on the client that we can send to the server instead of the larger raw version of that image.</p> <h2> To Fetch or Not to Fetch </h2> <p>The question is, now that we have a transformed image in the canvas, how should we send that image to the server. There are two options, each with their own trade-offs. We can stay in JavaScript and send the new file with a fetch request, or we can push the new image back into the <code>&lt;form&gt;</code> to be sent with the built-in form submission.</p> <p>Fetch is probably the most common choice in this situation, so let's briefly cover how to do that. The advantage is that we don’t have to push the new file back into the form's original form state (which is a little complicated). The disadvantage is we have to pull the rest of the form data over into JavaScript and then handle the response, including error handling and redirect after success, with JavaScript. The basic code for fetch submit is:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">form</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">FormData</span><span class="p">(</span><span class="nx">form</span><span class="p">)</span> <span class="nx">formData</span><span class="p">.</span><span class="kd">set</span><span class="p">(</span><span class="dl">'</span><span class="s1">picture</span><span class="dl">'</span><span class="p">,</span> <span class="nx">processedFile</span><span class="p">)</span> <span class="nx">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/profiles/new</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">formData</span><span class="p">,</span> <span class="p">})</span> </code></pre> </div> <p>Any error handling and redirect on success would then need to be added.</p> <p>One important caveat is for this to work with multipart encoding, you <strong>cannot set <code>Content-Type</code> headers for this fetch request ( <a href="https://muffinman.io/blog/uploading-files-using-fetch-multipart-form-data/">https://muffinman.io/blog/uploading-files-using-fetch-multipart-form-data/</a>)</strong>. Letting the browser set them automatically will work, but if you set them here, it will fail.</p> <p>Our previous HTML and server solution allowed for handling errors on the server, setting session, and redirecting following the POST request. With fetch, we have to replicate all that behavior in JavaScript. For this reason, and because it is the less common approach that might be useful to demonstrate here, we will submit the form with HTML instead.</p> <h2> Using JavaScript to populate a form <code>&lt;input type=file/&gt;</code> </h2> <p>You cannot programmatically add a file to an <code>&lt;input&gt;</code> from the user's disk because of the browser's security model. But you can create a file in memory and use the browser's DataTransfer API to add that to the input. This code is added below after the data URL (a data URL is a base 64 encoded string of binary data) is added to the preview image.</p> <p>First, the data URL is converted back into a blob (a Binary Large Object) which is passed to the File constructor. This file is then wrapped with the <code>DataTransfer</code> constructor and added to a new <code>&lt;input type=file name=processed-picture/&gt;</code>. Now we need to set the original file input to null so we don’t send the original image when we submit.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code>// /app/pages/profiles/new.mjs export default function Html ({ html, state }) { return html` <span class="nt">&lt;main</span> <span class="na">class=</span><span class="s">"container"</span><span class="nt">&gt;</span> <span class="nt">&lt;article&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/profiles/new"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">multipart/form-data</span><span class="nt">&gt;</span> <span class="nt">&lt;label&gt;</span>First Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"firstname"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span>First Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"lastname"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span> Profile Picture <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">autocomplete=</span><span class="s">"off"</span> <span class="na">name=</span><span class="s">"picture"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;img</span> <span class="na">class=</span><span class="s">"hidden"</span> <span class="na">id=</span><span class="s">"profile-preview"</span> <span class="na">alt=</span><span class="s">"profile picture preview"</span><span class="nt">/&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">file</span> <span class="na">name=</span><span class="s">"processed-picture"</span> <span class="na">class=</span><span class="s">"hidden"</span><span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span> <span class="nt">&gt;</span>Save<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> <span class="nt">&lt;/article&gt;</span> <span class="nt">&lt;/main&gt;</span> <span class="nt">&lt;script </span><span class="na">type=</span><span class="s">"module"</span><span class="nt">&gt;</span> <span class="kd">class</span> <span class="nx">PageProfilesNew</span> <span class="kd">extends</span> <span class="nx">HTMLElement</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">super</span><span class="p">()</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">form</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imageInput</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">input[name=picture]</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imagePreview</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">#profile-preview</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">scaledImageInput</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">input[name=processed-picture]</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">resize</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">resize</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">dataURLtoBlob</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">dataURLtoBlob</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imageInput</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">change</span><span class="dl">'</span><span class="p">,</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="o">=&gt;</span><span class="k">this</span><span class="p">.</span><span class="nx">resize</span><span class="p">(</span><span class="nx">e</span><span class="p">))</span> <span class="p">}</span> <span class="nx">resize</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="o">!</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">files</span><span class="p">.</span><span class="nx">length</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="c1">// for when input type=file is set to null</span> <span class="k">if</span> <span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">files</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">imageFile</span> <span class="o">=</span> <span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">reader</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">FileReader</span><span class="p">()</span> <span class="nx">reader</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">e</span><span class="p">)</span><span class="o">=&gt;</span><span class="p">{</span> <span class="kd">let</span> <span class="nx">image</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">img</span><span class="dl">"</span><span class="p">)</span> <span class="nx">image</span><span class="p">.</span><span class="nx">onload</span> <span class="o">=</span> <span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">size</span> <span class="o">=</span> <span class="mi">350</span> <span class="kd">const</span> <span class="nx">width</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">height</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">widthScale</span> <span class="o">=</span> <span class="nx">size</span><span class="o">/</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">heightScale</span> <span class="o">=</span> <span class="nx">size</span><span class="o">/</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">outputScale</span> <span class="o">=</span> <span class="nb">Math</span><span class="p">.</span><span class="nx">min</span><span class="p">(</span><span class="nx">widthScale</span><span class="p">,</span><span class="nx">heightScale</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">outWidth</span> <span class="o">=</span> <span class="nx">outputScale</span><span class="o">*</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">outHeight</span><span class="o">=</span> <span class="nx">outputScale</span><span class="o">*</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">canvas</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">createElement</span><span class="p">(</span><span class="dl">"</span><span class="s2">canvas</span><span class="dl">"</span><span class="p">)</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">width</span> <span class="o">=</span> <span class="nx">outWidth</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">height</span> <span class="o">=</span> <span class="nx">outHeight</span> <span class="kd">const</span> <span class="nx">context</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">getContext</span><span class="p">(</span><span class="dl">"</span><span class="s2">2d</span><span class="dl">"</span><span class="p">)</span> <span class="nx">context</span><span class="p">.</span><span class="nx">drawImage</span><span class="p">(</span><span class="nx">image</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="nx">outWidth</span><span class="p">,</span> <span class="nx">outHeight</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">dataurl</span> <span class="o">=</span> <span class="nx">canvas</span><span class="p">.</span><span class="nx">toDataURL</span><span class="p">(</span><span class="nx">imageFile</span><span class="p">.</span><span class="nx">type</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">imagePreview</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="nx">dataurl</span> <span class="k">this</span><span class="p">.</span><span class="nx">imagePreview</span><span class="p">.</span><span class="nx">classList</span><span class="p">.</span><span class="nx">remove</span><span class="p">(</span><span class="dl">"</span><span class="s2">hidden</span><span class="dl">"</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">fileName</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">scaled-image</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">blob</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">dataURLtoBlob</span><span class="p">(</span><span class="nx">dataurl</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">file</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">File</span><span class="p">([</span><span class="nx">blob</span><span class="p">],</span> <span class="nx">fileName</span><span class="p">,</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span><span class="nx">blob</span><span class="p">.</span><span class="nx">type</span><span class="p">,</span> <span class="na">lastModified</span><span class="p">:</span><span class="k">new</span> <span class="nb">Date</span><span class="p">().</span><span class="nx">getTime</span><span class="p">()},</span> <span class="dl">'</span><span class="s1">utf-8</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">container</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">DataTransfer</span><span class="p">()</span> <span class="nx">container</span><span class="p">.</span><span class="nx">items</span><span class="p">.</span><span class="nx">add</span><span class="p">(</span><span class="nx">file</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">scaledImageInput</span><span class="p">.</span><span class="nx">files</span> <span class="o">=</span> <span class="nx">container</span><span class="p">.</span><span class="nx">files</span> <span class="k">this</span><span class="p">.</span><span class="nx">imageInput</span><span class="p">.</span><span class="nx">value</span> <span class="o">=</span> <span class="kc">null</span> <span class="p">}</span> <span class="nx">image</span><span class="p">.</span><span class="nx">src</span> <span class="o">=</span> <span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">result</span> <span class="p">}</span> <span class="nx">reader</span><span class="p">.</span><span class="nx">readAsDataURL</span><span class="p">(</span><span class="nx">imageFile</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">dataURLtoBlob</span><span class="p">(</span><span class="nx">dataurl</span><span class="p">)</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">dataUrlParts</span> <span class="o">=</span> <span class="nx">dataurl</span><span class="p">.</span><span class="nx">split</span><span class="p">(</span><span class="dl">'</span><span class="s1">,</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">mime</span> <span class="o">=</span> <span class="nx">dataUrlParts</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">match</span><span class="p">(</span><span class="sr">/:</span><span class="se">(</span><span class="sr">.*</span><span class="se">?)</span><span class="sr">;/</span><span class="p">)[</span><span class="mi">1</span><span class="p">]</span> <span class="kd">const</span> <span class="nx">binary</span> <span class="o">=</span> <span class="nx">atob</span><span class="p">(</span><span class="nx">dataUrlParts</span><span class="p">[</span><span class="mi">1</span><span class="p">])</span> <span class="kd">let</span> <span class="nx">n</span> <span class="o">=</span> <span class="nx">binary</span><span class="p">.</span><span class="nx">length</span> <span class="kd">const</span> <span class="nx">binaryArray</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Uint8Array</span><span class="p">(</span><span class="nx">n</span><span class="p">);</span> <span class="k">while</span><span class="p">(</span><span class="nx">n</span><span class="o">--</span><span class="p">){</span> <span class="nx">binaryArray</span><span class="p">[</span><span class="nx">n</span><span class="p">]</span> <span class="o">=</span> <span class="nx">binary</span><span class="p">.</span><span class="nx">charCodeAt</span><span class="p">(</span><span class="nx">n</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="k">new</span> <span class="nx">Blob</span><span class="p">([</span><span class="nx">binaryArray</span><span class="p">],</span> <span class="p">{</span><span class="na">type</span><span class="p">:</span><span class="nx">mime</span><span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">customElements</span><span class="p">.</span><span class="nx">define</span><span class="p">(</span><span class="dl">"</span><span class="s2">page-profiles-new</span><span class="dl">"</span><span class="p">,</span> <span class="nx">PageProfilesNew</span><span class="p">)</span> <span class="nt">&lt;/script&gt;</span> ` } </code></pre> </div> <p>Now we add logic to the server side handler so that if we send a processed image it doesn't get resized again on the server.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/api/profiles/new.mjs</span> <span class="p">...</span> <span class="kd">const</span> <span class="nx">preprocessed</span> <span class="o">=</span> <span class="nx">parsedForm</span><span class="p">.</span><span class="nx">files</span><span class="p">?.</span><span class="nx">find</span><span class="p">(</span><span class="nx">file</span><span class="o">=&gt;</span> <span class="nx">file</span><span class="p">.</span><span class="nx">fieldname</span><span class="o">===</span><span class="dl">'</span><span class="s1">processed-picture</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">unprocessed</span> <span class="o">=</span> <span class="nx">parsedForm</span><span class="p">.</span><span class="nx">files</span><span class="p">?.</span><span class="nx">find</span><span class="p">(</span><span class="nx">file</span><span class="o">=&gt;</span> <span class="nx">file</span><span class="p">.</span><span class="nx">fieldname</span><span class="o">===</span><span class="dl">'</span><span class="s1">picture</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">picture</span> <span class="o">=</span> <span class="nx">preprocessed</span> <span class="o">||</span> <span class="nx">unprocessed</span> <span class="kd">const</span> <span class="nx">pictureBuffer</span> <span class="o">=</span> <span class="nx">picture</span><span class="p">.</span><span class="nx">content</span> <span class="kd">const</span> <span class="nx">profilePicture</span> <span class="o">=</span> <span class="nx">preprocessed</span> <span class="p">?</span> <span class="nx">pictureBuffer</span> <span class="p">:</span> <span class="k">await</span> <span class="nx">resize</span><span class="p">(</span><span class="nx">pictureBuffer</span><span class="p">,</span> <span class="mi">350</span><span class="p">)</span> <span class="p">...</span> </code></pre> </div> <h2> Avoiding a Double Submit </h2> <p>If a user accidentally clicks submit multiple times the browser will happily send multiple <code>POST</code>s. This is the double submit problem we discussed in depth in <a href="https://begin.com/blog/posts/2023-02-08-upload-files-in-forms-part-1">part 1</a>.</p> <p>We built a working solution without the need for client side JavaScript. With just a sprinkle of JavaScript we can make it even better by making sure the extra <code>POST</code> is not sent rather than handling it after the fact.</p> <p>To prevent a double submit we disable the submit button after it’s clicked. We could also display a “submitting” message on the button or another visual indication for the user.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// /app/pages/profiles/new.mjs</span> <span class="p">...</span> <span class="o">&lt;</span><span class="nx">script</span> <span class="nx">type</span><span class="o">=</span><span class="nx">module</span> <span class="o">&gt;</span> <span class="kd">class</span> <span class="nx">PageProfilesNew</span> <span class="kd">extends</span> <span class="nx">HTMLElement</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">super</span><span class="p">()</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">form</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">submitButton</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">button[type=submit]</span><span class="dl">'</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">tempDisableSubmit</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">tempDisableSubmit</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">)</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">submit</span><span class="dl">'</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">tempDisableSubmit</span><span class="p">)</span> <span class="p">}</span> <span class="nx">tempDisableSubmit</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">submitButton</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">true</span> <span class="nx">setTimeout</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span><span class="k">this</span><span class="p">.</span><span class="nx">submitButton</span><span class="p">.</span><span class="nx">disabled</span> <span class="o">=</span> <span class="kc">false</span> <span class="p">},</span> <span class="mi">5000</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">customElements</span><span class="p">.</span><span class="nx">define</span><span class="p">(</span><span class="dl">"</span><span class="s2">page-profiles-new</span><span class="dl">"</span><span class="p">,</span> <span class="nx">PageProfilesNew</span><span class="p">)</span> <span class="o">&lt;</span><span class="sr">/script</span><span class="err">&gt; </span><span class="p">...</span> </code></pre> </div> <p>We add an event listener to the submit and call a <code>tempSubmitDisable()</code> method. This method disables the submit button for 5 seconds. The reason for the timer is in case the request does fail for some reason the user can try to submit again after a short delay.</p> <p>This is a clean concise solution to the double submit problem, but it does require JavaScript. My goal is for this example is an acceptable HTML first solution. Avoiding a double submit is really a must have feature for a functional site so we will look for a reasonable solution without JavaScript.</p> <h2> Summary </h2> <p>In <a href="https://begin.com/blog/posts/2023-02-08-upload-files-in-forms-part-1">Part 1</a> of this series we covered the HTML first solution to uploading files. In this we have made some small improvements with JavaScript. The full example repository with the code in this post can be found here: <a href="https://github.com/ryanbethel/thumbnail-upload-example">https://github.com/ryanbethel/thumbnail-upload-example</a>. Try out <a href="https://enhance.dev/">enhance.dev</a> for your next project. It has pretty much everything you need to build a functional web app.</p> enhance webdev webcomponents Ryan Bethel Wed, 08 Feb 2023 15:35:00 +0000 https://dev.to/begin/uploading-files-with-html-forms-part-1-2d7k https://dev.to/begin/uploading-files-with-html-forms-part-1-2d7k <p><small>Photo by <a href="https://unsplash.com/@neonbrand?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Kenny Eliason</a> on <a href="https://unsplash.com/s/photos/taking-photo?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Unsplash</a><br> </small></p> <p>Most websites send images, data and files from the server to the user's browser. Sending files and images from the browser to the server is less common but still critical for many useful applications.</p> <p>In this post, we will cover what you need to know to upload images to the server from the browser using an HTML first approach. HTML first to me means: Make it work with HTML (and CSS) and then make it better with JavaScript. This is similar to what people used to call <a href="https://developer.mozilla.org/en-US/docs/Glossary/Progressive_Enhancement" rel="noopener noreferrer">Progressive Enhancement</a> although most people confuse that for <a href="https://developer.mozilla.org/en-US/docs/Glossary/Graceful_degradation" rel="noopener noreferrer">Graceful Degradation</a> which is completely different.So we will start with the simplest approach that could possibly work and then tackle some of the most common problems to make it more robust. This post will be in two parts. The first covers how to make it work without client side JavaScript. The second part will add improvements with some client side code.</p> <p>Most of this will work for any website hosted anywhere.Some of the details, specifically where and how to store and serve the images, is specific to hosting an <a href="//enhance.dev">Enhance</a> project on <a href="//begin.com">Begin.com</a>.</p> <h2> Start with a real <code>&lt;form&gt;</code> </h2> <p>Building sites today many people skip right over platform features like HTML <code>&lt;form&gt;</code>s. That is a mistake. Forms are battle-tested, and if you are looking for the simplest thing that could possibly work you should not rebuild form handling from scratch with JavaScript and <code>fetch</code>. The <code>&lt;input type="file"/&gt;</code> was added to HTML in the late 90s. Adding this one tag to an HTML form will allow someone to pick a file from their computer or mobile device to upload.</p> <p>To send that binary data for the file along with other form fields the encoding type must be set correctly with: <code>&lt;form ... enctype="multipart/form-data"&gt;</code>.</p> <p>The example here demonstrates creating a user profile that includes first name, last name, and an uploaded profile picture. The basic form is shown below.</p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;h1&gt;</span>New Profile<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/profiles/new"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;label&gt;</span>First Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"firstname"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span>Last Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"lastname"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span>Profile Picture <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">name=</span><span class="s">"picture"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Save<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>With this we have a working solution. Now we need a place for those files to go.</p> <h2> Decoding the multipart form-data </h2> <p>The form data and file will arrive at the server encoded in a combined payload. We now need to decode that payload. There are many parsers that will handle multipart data for node. We will use the <code>lambda-multipart-parser</code> that is specifically for use in AWS Lambda.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npm <span class="nb">install </span>lambda-multipart-parser </code></pre> </div> <p>Architect does some preprocessing of the request body, but in this case, the multipart parser expects to receive the raw body. When you pass the request to the parser, you can substitute <code>rawBody</code> for body as shown below in line 5.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">multipart</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lambda-multipart-parser</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">post</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// the body property needs to be swapped out for rawBody</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">multipart</span><span class="p">.</span><span class="nf">parse</span><span class="p">({...</span><span class="nx">req</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span><span class="nx">req</span><span class="p">.</span><span class="nx">rawBody</span><span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">firstName</span><span class="p">,</span> <span class="nx">lastName</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">form</span> <span class="kd">const</span> <span class="nx">buffer</span> <span class="o">=</span> <span class="nx">form</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">content</span> <span class="c1">// Do something with it</span> <span class="k">return</span> <span class="p">{</span> <span class="cm">/* redirect */</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>After decoding the content property holds the file itself as a buffer (an in memory binary chunk of data that represents a file).</p> <h2> Storing Files on the Server </h2> <p>This section is specific to hosting an <a href="//enhance.dev">Enhance</a> project on <a href="//begin.com">Begin.com</a>. This will also work for <a href="//arc.codes">Architect</a> to deploy directly to AWS. <a href="//arc.codes">Architect</a> and <a href="//begin.com">Begin.com</a> provision an S3 bucket for each project deployed. This is where static assets like CSS files and images placed in the <code>/public</code> folder of the project end up. These assets are then served with a special URL directly from this bucket. We will store the uploaded images directly in this bucket when received without using the public folder locally.</p> <p>The code below identifies the S3 bucket with <code>process.env.ARC_STATIC_BUCKET</code>. It writes the image using the S3 client in the AWS SDK. For local development, it writes the file to a temporary folder instead. The code for local development uses dynamic imports so that importing these dependencies doesn’t slow down the project once deployed.</p> <p>Begin-data is a thin wrapper for DynamoDB. We will use it (<code>@begin/data</code>) as a database to store the other form data. We generate a UUID as a random filename for the image and then put the reference to that filename in the database as well.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">multipart</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lambda-multipart-parser</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">data</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@begin/data</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">S3Client</span><span class="p">,</span> <span class="nx">PutObjectCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-s3</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">env</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">env</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">staticDir</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_STATIC_BUCKET</span> <span class="kd">const</span> <span class="nx">imageFolder</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">.uploaded-images</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">REGION</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">post</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// the body property needs to be swapped out for rawBody</span> <span class="kd">const</span> <span class="nx">parsedForm</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">multipart</span><span class="p">.</span><span class="nf">parse</span><span class="p">({...</span><span class="nx">req</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span><span class="nx">req</span><span class="p">.</span><span class="nx">rawBody</span><span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">firstName</span><span class="p">,</span> <span class="nx">lastName</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">parsedForm</span> <span class="kd">const</span> <span class="nx">profilePicture</span> <span class="o">=</span> <span class="nx">parsedForm</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">content</span> <span class="c1">// Save the image to S3 bucket (or temp folder for local dev)</span> <span class="kd">const</span> <span class="nx">filename</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">isLocal</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">writeFileSync</span><span class="p">,</span><span class="nx">mkdirSync</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">join</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="na">default</span><span class="p">:</span><span class="nx">url</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">__dirname</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nf">fileURLToPath</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">imageDir</span> <span class="o">=</span> <span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="nx">imageFolder</span><span class="p">)</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">imageDir</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">){</span> <span class="p">}</span> <span class="nf">writeFileSync</span><span class="p">(</span><span class="nf">join</span><span class="p">(</span><span class="nx">imageDir</span><span class="p">,</span><span class="nx">filename</span><span class="p">),</span><span class="nx">profilePicture</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">S3Client</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">REGION</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PutObjectCommand</span><span class="p">({</span> <span class="na">Bucket</span><span class="p">:</span><span class="nx">staticDir</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span><span class="s2">`</span><span class="p">${</span><span class="nx">imageFolder</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">Body</span><span class="p">:</span> <span class="nx">profilePicture</span><span class="p">})</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">)</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">data</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span><span class="na">table</span><span class="p">:</span><span class="dl">'</span><span class="s1">profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">firstName</span><span class="p">,</span> <span class="nx">lastName</span><span class="p">,</span> <span class="nx">filename</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/profiles</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>To avoid the possibility of uploaded files being accidentally pruned the following line should be added to the <code>.arc</code> file.</p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@static ignore .uploaded-images </code></pre> </div> <p>Again this approach is specific to <a href="//arc.codes">Architect</a> and <a href="//begin.com">Begin.com</a> projects. It works even with free accounts since the S3 bucket for static asserts is available to any project.</p> <h2> Caveats </h2> <p>Using this S3 bucket for uploaded images comes with a few caveats. It is configured as a public bucket since its primary purpose is to serve public assets. This makes it a good choice for something like profile pictures that are shown as the public part of a user's account. Using a random filename (UUID, for instance) gives only minimal security through obscurity for these files. But it is safest to assume that anything stored here could be accessed. Again good for public profile pictures and bad for tax documents.</p> <p>There are many other ways to store files on the backend. With <a href="//arc.codes">Architect</a> by itself there is a plugin available to provision a <a href="https://www.npmjs.com/package/@architect/plugin-storage-private" rel="noopener noreferrer">private bucket</a> that can put these files behind whatever authentication you use for the rest of your app. The private bucket plugin is not currently supported on <a href="https://begin.com/" rel="noopener noreferrer">begin.com</a> but stay tuned.</p> <h2> Serving Uploaded Images </h2> <p>Architect has built-in handlers for serving assets in the public S3 bucket, but since we are using this bucket indirectly, we need to build a handler to serve them correctly. First, we will host this API handler in <code>/app/api/image/$image.mjs</code>. With Enhance's file-based routing, any request to <code>/image/my-picture.jpeg</code> will access these images with the filename as the last part of the path. The <code>$image.mjs</code> is a catchall for that route.</p> <p>This handler uses the <code>@architect/asap</code> package to serve the images from the S3 bucket. It modifies the request path to point to the correct path inside the bucket. This package helps set headers properly based on content type etc. For local development, it serves files from the same temporary folder we used in the other handler. Again the local development dependencies are only imported when it runs locally. One crucial detail is that here the <code>cache-control</code> header is set to the max length, which effectively tells the browser or CDN these files can be cached for a long time. This is appropriate because we stored them with a UUID, so every one will be unique even if the same image is modified by the user and uploaded again. If this is not true for your implementation (i.e. if users can edit the images and store them again with the same name) this cache setting can be changed.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">asap</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@architect/asap</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">env</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">env</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">function</span> <span class="nf">escapeRegex</span> <span class="p">(</span><span class="nx">string</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">string</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="sr">/</span><span class="se">[</span><span class="sr">.*+?^${}()|[</span><span class="se">\]\\]</span><span class="sr">/g</span><span class="p">,</span> <span class="dl">'</span><span class="se">\\</span><span class="s1">$&amp;</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">uploadFolderName</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">.uploaded-images</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">pathPrefix</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">/image</span><span class="dl">'</span> <span class="c1">// partial path to remove</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">get</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">isLocal</span><span class="p">){</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">join</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">readFileSync</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="na">default</span><span class="p">:</span><span class="nx">url</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">fileTypeFromBuffer</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">file-type</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">__dirname</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nf">fileURLToPath</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">))</span> <span class="kd">const</span> <span class="nx">rootDir</span> <span class="o">=</span> <span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">imageDir</span> <span class="o">=</span> <span class="nf">join</span><span class="p">(</span><span class="nx">rootDir</span><span class="p">,</span><span class="nx">uploadFolderName</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">imageFilename</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">params</span><span class="p">.</span><span class="nx">image</span> <span class="kd">const</span> <span class="nx">buffer</span> <span class="o">=</span> <span class="nf">readFileSync</span><span class="p">(</span><span class="nf">join</span><span class="p">(</span><span class="nx">imageDir</span><span class="p">,</span><span class="nx">imageFilename</span><span class="p">))</span> <span class="kd">const</span> <span class="nx">mime</span> <span class="o">=</span> <span class="nf">fileTypeFromBuffer</span><span class="p">(</span><span class="nx">buffer</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">cache-control</span><span class="dl">'</span><span class="p">:</span> <span class="dl">'</span><span class="s1">max-age=31536000</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">content-type</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`</span><span class="p">${</span><span class="nx">mime</span><span class="p">}</span><span class="s2">; charset=utf8`</span><span class="p">,</span> <span class="p">},</span> <span class="na">isBase64Encoded</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span> <span class="nx">buffer</span><span class="p">.</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">base64</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">config</span> <span class="o">=</span> <span class="p">{</span> <span class="na">assets</span><span class="p">:</span> <span class="p">{},</span> <span class="na">cacheControl</span><span class="p">:</span> <span class="dl">'</span><span class="s1">max-age=31536000</span><span class="dl">'</span><span class="p">,</span> <span class="p">}</span> <span class="nx">req</span><span class="p">.</span><span class="nx">rawPath</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">rawPath</span><span class="p">.</span><span class="nf">replace</span><span class="p">(</span><span class="nf">escapeRegex</span><span class="p">(</span><span class="nx">pathPrefix</span><span class="p">),</span> <span class="nx">uploadFolderName</span><span class="p">)</span> <span class="k">return</span> <span class="nf">asap</span><span class="p">(</span><span class="nx">config</span><span class="p">)(</span><span class="nx">req</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">statusCode</span><span class="p">:</span><span class="mi">404</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Back button confusion </h2> <p>The browser's security model has safeguards around accessing files in the user's disk. This can result in an unexpected behavior if you are used to dealing with forms in other contexts. If you fill out a form, navigate away from the page, and then use the back button to return to that page, the form state that you left is usually restored. But with files selected from the file system, this is not true. The filename will sometimes still be populated, giving the impression that a file is selected, but if you submit the form, the actual file is null. If you set <code>autocomplete="off"</code> on that input the filename field will not be populated when you hit back, which makes it more apparent that no file is selected. Note that the <code>bfcache</code> (back/forward cache) can interfere with this <code>autocomplete</code> setting. This fix works for Enhance/Begin/Architect projects because they set the <code>Cache-Control:no-store</code> header for HTML content which blocks the <code>bfcache</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;h1&gt;</span>New Profile<span class="nt">&lt;/h1&gt;</span> <span class="nt">&lt;form</span> <span class="na">action=</span><span class="s">"/profiles/new"</span> <span class="na">method=</span><span class="s">"POST"</span> <span class="na">enctype=</span><span class="s">"multipart/form-data"</span><span class="nt">&gt;</span> <span class="nt">&lt;label&gt;</span>First Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"firstname"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span>Last Name <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"lastname"</span><span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;label&gt;</span>Profile Picture <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"file"</span> <span class="na">autocomplete=</span><span class="s">"off"</span> <span class="na">name=</span><span class="s">"picture"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;/label&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Save<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <h2> Preprocessing Images </h2> <p>Processing images before storing them is not strictly necessary, but almost. You can (and probably should) avoid that complexity initially for a small app or website until you need it. But you don’t have to become Facebook sized before it becomes a problem worth solving. The real problem is not storing the images because disk space is cheap. But if every user who loads that profile thumbnail has to download the 5 MB image, that is a much bigger problem. With smartphone cameras increasing in resolution every year, raw images are enormous relative to what is needed in most web applications.</p> <p>The easiest way to solve this problem is to process images on the server to scale them down before storing them. This is also the only solution that does not require JavaScript on the client. In <a href="">Part 2</a> of this post we will add a client side solution that does not add any dependencies using a <code>&lt;canvas&gt;</code> element.</p> <p>For this example, we will scale the received image down to 350 pixels max in height or width. And we will use the <code>wasm-vips</code> library to do it. The library is web assembly bindings for the Vips image library. Because it is web assembly it can be used in the AWS lambda node runtime without needing a custom native binary like some other image tools (i.e. ImageMagick).</p> <p>The code below adds the <code>wasm-vips</code> library and a resize function that scales the image down before storing it.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">multipart</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lambda-multipart-parser</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">data</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@begin/data</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">S3Client</span><span class="p">,</span> <span class="nx">PutObjectCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-s3</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">Vips</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">wasm-vips</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">env</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">env</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">staticDir</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_STATIC_BUCKET</span> <span class="kd">const</span> <span class="nx">imageFolder</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">.uploaded-images</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">REGION</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">resize</span><span class="p">(</span><span class="nx">buffer</span><span class="p">,</span> <span class="nx">size</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">vips</span> <span class="o">=</span> <span class="k">await</span> <span class="nc">Vips</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">image</span> <span class="o">=</span> <span class="nx">vips</span><span class="p">.</span><span class="nx">Image</span><span class="p">.</span><span class="nf">newFromBuffer</span><span class="p">(</span><span class="nx">buffer</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">heightIn</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">widthIn</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nf">resize</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">size</span><span class="o">/</span><span class="nx">heightIn</span><span class="p">,</span><span class="nx">size</span><span class="o">/</span><span class="nx">widthIn</span><span class="p">))</span> <span class="k">return</span> <span class="nx">output</span><span class="p">.</span><span class="nf">writeToBuffer</span><span class="p">(</span><span class="dl">'</span><span class="s1">.jpeg</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">post</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// the body property needs to be swapped out for rawBody</span> <span class="kd">const</span> <span class="nx">form</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">multipart</span><span class="p">.</span><span class="nf">parse</span><span class="p">({...</span><span class="nx">req</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span><span class="nx">req</span><span class="p">.</span><span class="nx">rawBody</span><span class="p">})</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">firstName</span><span class="p">,</span> <span class="nx">lastName</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">form</span> <span class="kd">const</span> <span class="nx">buffer</span> <span class="o">=</span> <span class="nx">form</span><span class="p">.</span><span class="nx">files</span><span class="p">[</span><span class="mi">0</span><span class="p">].</span><span class="nx">content</span> <span class="c1">// Save the image to S3 bucket (or temp folder for local dev)</span> <span class="kd">const</span> <span class="nx">filename</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">isLocal</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">writeFileSync</span><span class="p">,</span><span class="nx">mkdirSync</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">join</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="na">default</span><span class="p">:</span><span class="nx">url</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">__dirname</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nf">fileURLToPath</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">imageDir</span> <span class="o">=</span> <span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="nx">imageFolder</span><span class="p">)</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">imageDir</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">){</span> <span class="p">}</span> <span class="nf">writeFileSync</span><span class="p">(</span><span class="nf">join</span><span class="p">(</span><span class="nx">imageDir</span><span class="p">,</span><span class="nx">filename</span><span class="p">),</span><span class="nx">profilePicture</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">S3Client</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">REGION</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PutObjectCommand</span><span class="p">({</span> <span class="na">Bucket</span><span class="p">:</span><span class="nx">staticDir</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span><span class="s2">`</span><span class="p">${</span><span class="nx">imageFolder</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">Body</span><span class="p">:</span> <span class="k">await</span> <span class="nf">resize</span><span class="p">(</span><span class="nx">pictureBuffer</span><span class="p">,</span> <span class="mi">350</span><span class="p">)})</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">)</span> <span class="p">}</span> <span class="k">await</span> <span class="nx">data</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span><span class="na">table</span><span class="p">:</span><span class="dl">'</span><span class="s1">profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">firstName</span><span class="p">,</span> <span class="nx">lastName</span><span class="p">,</span> <span class="nx">filename</span><span class="p">)</span> <span class="k">return</span> <span class="p">{</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/profiles</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>As mentioned this is the simplest solution and it requires no changes to the HTML.</p> <h2> Avoiding a Double Submit </h2> <p>HTML forms typically send data to the server as a POST request. The browser can send multiple POST requests before a response is received. In this example, that could mean two identical profiles are created in the database, and two copies of the same image are stored in the S3 bucket. If your server responds fast enough, it minimizes the time for these multiple erroneous submissions. The double-click double submit is the hardest to catch because it can be very fast. Users often double-click the submit because they are conditioned to double-click in other contexts.</p> <p>This problem is more pronounced because the time to upload a large file and process it on the server can be multiple seconds. During this time, the user might have no indication of what is happening and a very natural response is to assume the message was not sent and to click again until something happens.</p> <p>If users edit a record, a double submit could be detected by comparing the IDs. When creating a new record, you don’t have an ID to compare.</p> <p>The easiest solution to the double submit is to disable the submit button after it’s clicked once. But we need JavaScript to do that so we will wait for <a href="">Part 2</a> to do that.</p> <h2> Using a Submit Token to avoid Double Submit </h2> <p>The only real way to avoid the double submit without JavaScript is to have the server handle it. The key is to detect if one client tries to make multiple POSTs in rapid succession. Enhance, and Architect have built-in sessions that make this easier. There is no real magic behind sessions. It's done by setting an HttpOnly cookie when a response is sent and detecting that cookie when a request is received. For details, check out this <a href="https://begin.com/blog/posts/2023-02-03-bulletproof-sessions-with-httponly-cookies" rel="noopener noreferrer">Brian Leroux post</a>.</p> <p>We will create a unique submit token for every GET request to the <code>/profiles/new</code> route. Then we check that token for every POST request received. If multiple posts are made with the same token, they can be assumed to be duplicates. This is a simple concept, but the bookkeeping to make it happen gets a little tricky.</p> <p>The double click is the worst-case scenario to catch since the two requests could be received with as little as 100 ms delay. This is fast enough that the first request will probably not be completed before a second is received by another lambda. The process is:</p> <ol> <li>Set unique submit token in the session on GET requests to <code>/profiles/new</code> </li> <li>For each POST to <code>/profiles/new</code> check token table to see if the submit token has been used</li> <li>If the token has been used: <ul> <li>Redirect (while keeping that same submit token on the session) to the <code>/profiles</code> list page.</li> <li>At the <code>/profiles</code> page check the profiles to see if the profile with that submit token has been entered.</li> <li>If it has been received, respond with the list of profiles OR if not wait for a short delay (~2 sec), check again and return the list of profiles.</li> </ul> </li> <li>If the token has not been used: <ul> <li>Record that token in the tokens table so that it can’t be used again.</li> <li>Record the new profile in the database and save the file to S3.</li> <li>Clear the submit token and forward the response to <code>/profiles</code> </li> </ul> </li> <li>Also note that when users hit the back button they make a new GET request and new submit token</li> </ol> <p>Below the API handler for the GET and POST requests is added with the submit token handling.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">multipart</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lambda-multipart-parser</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">crypto</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">Vips</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">wasm-vips</span><span class="dl">'</span> <span class="k">import</span> <span class="nx">data</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@begin/data</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">S3Client</span><span class="p">,</span> <span class="nx">PutObjectCommand</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@aws-sdk/client-s3</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">env</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_ENV</span> <span class="kd">const</span> <span class="nx">isLocal</span> <span class="o">=</span> <span class="nx">env</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">testing</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">staticDir</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">ARC_STATIC_BUCKET</span> <span class="kd">const</span> <span class="nx">imageFolder</span> <span class="o">=</span> <span class="dl">'</span><span class="s1">.uploaded-images</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">REGION</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AWS_REGION</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">get</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">newToken</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">()</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:{...</span><span class="nx">req</span><span class="p">.</span><span class="nx">session</span><span class="p">,</span> <span class="na">profileSubmitToken</span><span class="p">:</span><span class="nx">newToken</span><span class="p">},</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">post</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">profileSubmitToken</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span><span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">const</span> <span class="nx">submitting</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">data</span><span class="p">.</span><span class="nf">get</span><span class="p">({</span><span class="na">table</span><span class="p">:</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span><span class="nx">profileSubmitToken</span><span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">submitting</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="c1">// session will continue unless reset. If reset the submit token needs to be added to pass on</span> <span class="c1">// session:{...req.session, profileSubmitToken},</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/profiles</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">ttl</span> <span class="o">=</span> <span class="p">(</span><span class="nb">Date</span><span class="p">.</span><span class="nf">now</span><span class="p">()</span> <span class="o">/</span> <span class="mi">1000</span><span class="p">)</span> <span class="o">+</span> <span class="p">(</span><span class="mi">60</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">24</span> <span class="o">*</span> <span class="mi">1</span><span class="p">)</span> <span class="c1">// One day</span> <span class="k">await</span> <span class="nx">data</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span><span class="na">table</span><span class="p">:</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">,</span> <span class="na">key</span><span class="p">:</span><span class="nx">profileSubmitToken</span><span class="p">,</span> <span class="nx">ttl</span><span class="p">})</span> <span class="kd">const</span> <span class="nx">parsedForm</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">multipart</span><span class="p">.</span><span class="nf">parse</span><span class="p">({...</span><span class="nx">req</span><span class="p">,</span> <span class="na">body</span><span class="p">:</span><span class="nx">req</span><span class="p">.</span><span class="nx">rawBody</span><span class="p">})</span> <span class="kd">const</span> <span class="nx">firstname</span> <span class="o">=</span> <span class="nx">parsedForm</span><span class="p">?.</span><span class="nx">firstname</span> <span class="kd">const</span> <span class="nx">lastname</span> <span class="o">=</span> <span class="nx">parsedForm</span><span class="p">?.</span><span class="nx">lastname</span> <span class="c1">// Get uploaded image</span> <span class="kd">const</span> <span class="nx">unprocessed</span> <span class="o">=</span> <span class="nx">parsedForm</span><span class="p">.</span><span class="nx">files</span><span class="p">?.</span><span class="nf">find</span><span class="p">(</span><span class="nx">file</span><span class="o">=&gt;</span><span class="nx">file</span><span class="p">.</span><span class="nx">fieldname</span><span class="o">===</span><span class="dl">'</span><span class="s1">picture</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">profilePicture</span> <span class="o">=</span> <span class="nx">unprocessed</span><span class="p">.</span><span class="nx">content</span> <span class="c1">// Save the image to S3 bucket (or temp folder for local dev)</span> <span class="kd">const</span> <span class="nx">filename</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomUUID</span><span class="p">()</span> <span class="k">if </span><span class="p">(</span><span class="nx">isLocal</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">writeFileSync</span><span class="p">,</span><span class="nx">mkdirSync</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">fs</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">join</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">path</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span><span class="na">default</span><span class="p">:</span><span class="nx">url</span><span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="k">import</span><span class="p">(</span><span class="dl">'</span><span class="s1">url</span><span class="dl">'</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">__dirname</span> <span class="o">=</span> <span class="nx">url</span><span class="p">.</span><span class="nf">fileURLToPath</span><span class="p">(</span><span class="k">new</span> <span class="nc">URL</span><span class="p">(</span><span class="dl">'</span><span class="s1">.</span><span class="dl">'</span><span class="p">,</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">url</span><span class="p">));</span> <span class="kd">const</span> <span class="nx">imageDir</span> <span class="o">=</span> <span class="nf">join</span><span class="p">(</span><span class="nx">__dirname</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="dl">'</span><span class="s1">..</span><span class="dl">'</span><span class="p">,</span><span class="nx">imageFolder</span><span class="p">)</span> <span class="k">try</span> <span class="p">{</span> <span class="nf">mkdirSync</span><span class="p">(</span><span class="nx">imageDir</span><span class="p">)</span> <span class="p">}</span> <span class="k">catch</span><span class="p">(</span><span class="nx">e</span><span class="p">){</span> <span class="p">}</span> <span class="nf">writeFileSync</span><span class="p">(</span><span class="nf">join</span><span class="p">(</span><span class="nx">imageDir</span><span class="p">,</span><span class="nx">filename</span><span class="p">),</span><span class="nx">profilePicture</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">S3Client</span><span class="p">({</span> <span class="na">region</span><span class="p">:</span> <span class="nx">REGION</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">command</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PutObjectCommand</span><span class="p">({</span> <span class="na">Bucket</span><span class="p">:</span><span class="nx">staticDir</span><span class="p">,</span> <span class="na">Key</span><span class="p">:</span><span class="s2">`</span><span class="p">${</span><span class="nx">imageFolder</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">filename</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">Body</span><span class="p">:</span> <span class="nx">profilePicture</span><span class="p">})</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nf">send</span><span class="p">(</span><span class="nx">command</span><span class="p">)</span> <span class="p">}</span> <span class="c1">// Store profile and redirect to profiles list view</span> <span class="k">await</span> <span class="nx">data</span><span class="p">.</span><span class="nf">set</span><span class="p">({</span><span class="na">table</span><span class="p">:</span><span class="dl">'</span><span class="s1">profile</span><span class="dl">'</span><span class="p">,</span> <span class="nx">firstname</span><span class="p">,</span> <span class="nx">lastname</span><span class="p">,</span> <span class="nx">filename</span><span class="p">,</span> <span class="na">submitToken</span><span class="p">:</span><span class="nx">profileSubmitToken</span><span class="p">})</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="p">{...</span><span class="nx">newSession</span><span class="p">},</span> <span class="c1">// submit token is removed before continuing</span> <span class="na">location</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/profiles</span><span class="dl">'</span> <span class="p">}</span> <span class="p">}</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">resize</span><span class="p">(</span><span class="nx">buffer</span><span class="p">,</span> <span class="nx">size</span><span class="p">){</span> <span class="kd">const</span> <span class="nx">vips</span> <span class="o">=</span> <span class="k">await</span> <span class="nc">Vips</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">image</span> <span class="o">=</span> <span class="nx">vips</span><span class="p">.</span><span class="nx">Image</span><span class="p">.</span><span class="nf">newFromBuffer</span><span class="p">(</span><span class="nx">buffer</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">heightIn</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">height</span> <span class="kd">const</span> <span class="nx">widthIn</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nx">width</span> <span class="kd">const</span> <span class="nx">output</span> <span class="o">=</span> <span class="nx">image</span><span class="p">.</span><span class="nf">resize</span><span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">min</span><span class="p">(</span><span class="nx">size</span><span class="o">/</span><span class="nx">heightIn</span><span class="p">,</span><span class="nx">size</span><span class="o">/</span><span class="nx">widthIn</span><span class="p">))</span> <span class="k">return</span> <span class="nx">output</span><span class="p">.</span><span class="nf">writeToBuffer</span><span class="p">(</span><span class="dl">'</span><span class="s1">.jpeg</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <p>Below is the API for the <code>/profiles</code> route checking for the submit token.</p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">data</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@begin/data</span><span class="dl">'</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">get</span> <span class="p">(</span><span class="nx">req</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span><span class="nx">profileSubmitToken</span><span class="p">,</span> <span class="p">...</span><span class="nx">newSession</span><span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">session</span> <span class="kd">let</span> <span class="nx">profiles</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">data</span><span class="p">.</span><span class="nf">get</span><span class="p">({</span><span class="na">table</span><span class="p">:</span><span class="dl">'</span><span class="s1">profile</span><span class="dl">'</span><span class="p">})</span> <span class="k">if </span><span class="p">(</span><span class="nx">profileSubmitToken</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">newProfile</span> <span class="o">=</span> <span class="nx">profiles</span><span class="p">.</span><span class="nf">find</span><span class="p">(</span><span class="nx">p</span><span class="o">=&gt;</span><span class="nx">p</span><span class="p">.</span><span class="nx">submitToken</span><span class="o">===</span><span class="nx">profileSubmitToken</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">newProfile</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="k">new</span> <span class="nc">Promise</span><span class="p">(</span><span class="nx">resolve</span> <span class="o">=&gt;</span> <span class="nf">setTimeout</span><span class="p">(</span><span class="nx">resolve</span><span class="p">,</span> <span class="mi">2000</span><span class="p">))</span> <span class="c1">// wait 2sec</span> <span class="nx">profiles</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">data</span><span class="p">.</span><span class="nf">get</span><span class="p">({</span><span class="na">table</span><span class="p">:</span><span class="dl">'</span><span class="s1">profile</span><span class="dl">'</span><span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span><span class="nx">newSession</span><span class="p">,</span> <span class="na">json</span><span class="p">:{</span><span class="nx">profiles</span><span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h2> Summary </h2> <p>Uploading files from a website to a server can be done simply with an input of <code>type="file"</code>. If you are building an MVP just start there and don’t over complicate it. You can incrementally solve problems as they arise including scaling images, and avoiding double submits, etc. Validation is a critical feature of well built forms. But it is not unique to upload forms so we did not cover it here. Check out Simon MacDonald’s excellent post on <a href="https://begin.com/blog/posts/2022-08-25-progressively-enhancing-form-submissions-with-web-components" rel="noopener noreferrer">form submission problems</a> for more on that. The full example repository with the code for the example in this post can be found on <a href="https://github.com/ryanbethel/thumbnail-upload-example" rel="noopener noreferrer">GitHub</a>. Try out <a href="https://enhance.dev/" rel="noopener noreferrer">enhance.dev</a> for your next project. It has pretty much everything you need to build a functional web app.</p> <p><a href="">Part 2</a> of this post will cover improvements that can be made with a little client side JavaScript.</p> enhance webcomponents Ryan Bethel Thu, 12 Jan 2023 16:12:17 +0000 https://dev.to/begin/maintain-scroll-position-across-page-loads-without-an-spa-4dk1 https://dev.to/begin/maintain-scroll-position-across-page-loads-without-an-spa-4dk1 <p>Photo by <a href="https://unsplash.com/@taypaigey?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Taylor Flowe</a> on <a href="https://unsplash.com/s/photos/scroll?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Unsplash</a></p> <h3> Get the SPA features you want with the ease of a server-rendered MPA </h3> <p>This post shows how to fix the problem of preserving scroll position across page reloads without the need to buy into a messy Single Page App (SPA) architecture. If you want the TL;DR, skip to the solution at the end of this post. </p> <p>Server-rendered apps, multi-page apps (MPA), and Server Side Rendering (SSR) have seen renewed interest lately. All these jargon terms used to be just how the web worked. But as the web evolved, developers wanted their websites to feel more like native apps. It just wasn’t cool anymore to have your whole page reload just because you clicked on an item in the sidebar. </p> <p>For these reasons, the SPA was born. If we treat the entire site as one page and load a ton of JavaScript to handle all interactions right inside that page, everything would surely be awesome. </p> <blockquote> <p>Narrator: “It was not awesome”. </p> </blockquote> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1blf7u0za3x7cf8uehsb.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F1blf7u0za3x7cf8uehsb.gif" alt="dangersome" width="1024" height="1024"></a></p> <p>The problem is we had to throw out lots of good things and start from scratch. Out with <code>&lt;a&gt;</code>s and URLs in favor of client-side routers and a URL that does not reflect the actual state. Out with battle-tested HTML <code>&lt;form&gt;</code>s in favor of DIY forms backed by complicated state management libraries. These SPA architectures caused more problems than they solved with their increased complexity, required JavaScript, and resulting fragility. </p> <p>I want to show that we can have some of those nice things that were the goal of SPAs, without having all the downsides. One of those nice things is maintaining the scroll position.</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fequnuex43x1kcf2xslkz.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fequnuex43x1kcf2xslkz.gif" alt="Mr. T with a scroll" width="266" height="200"></a></p> <h2> The Jumping Scroll Problem </h2> <p>Picture a content site with a sidebar to navigate the content. As you scroll down the sidebar and click a link, it is nice to have the content show up but have the location in the sidebar not jump back to the top of the menu. <br> With an SPA you get this because you are likely only changing the center content. But with a server-rendered app, the whole page is loading so by default your sidebar will jump up to the top again. Bummer right? </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqpouks4x7dqzeob6uq97.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqpouks4x7dqzeob6uq97.gif" alt="scroll bar jumps on reload" width="836" height="510"></a></p> <p>This is a perfect opportunity for progressive enhancement. <br> Up to now, we could have built this content site with no JavaScript, making it fast, simple to build, and resilient. And even with the jumping scroll problem, annoying as it is, the site works. But with just a little bit of JavaScript, we can solve this problem.</p> <h2> The Solution </h2> <p>To solve the scroll jumping we can monitor the <code>scrollTop</code> setting for the sidebar and restore that location if we reload the page. <a href="https://enhance.dev/" rel="noopener noreferrer">Enhance.dev</a> uses custom elements to build reusable components. The <code>&lt;docs-layout&gt;</code> is one of those components. One of the benefits of custom elements is that we can easily attach JavaScript progressive enhancement behavior in a script tag defining that element.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">type=</span><span class="s">"module"</span><span class="nt">&gt;</span> <span class="kd">class</span> <span class="nc">Layout</span> <span class="kd">extends</span> <span class="nc">HTMLElement</span> <span class="p">{</span> <span class="nf">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">super</span><span class="p">()</span> <span class="kd">let</span> <span class="nx">sidebar</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nf">querySelector</span><span class="p">(</span><span class="dl">'</span><span class="s1">#sidebar</span><span class="dl">'</span><span class="p">)</span> <span class="kd">let</span> <span class="nx">top</span> <span class="o">=</span> <span class="nx">sessionStorage</span><span class="p">.</span><span class="nf">getItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">docs-sidebar-scroll</span><span class="dl">'</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">top</span> <span class="o">!==</span> <span class="kc">null</span><span class="p">)</span> <span class="p">{</span> <span class="nx">sidebar</span><span class="p">.</span><span class="nx">scrollTop</span> <span class="o">=</span> <span class="nf">parseInt</span><span class="p">(</span><span class="nx">top</span><span class="p">,</span> <span class="mi">10</span><span class="p">)</span> <span class="p">}</span> <span class="nb">window</span><span class="p">.</span><span class="nf">addEventListener</span><span class="p">(</span><span class="dl">'</span><span class="s1">beforeunload</span><span class="dl">'</span><span class="p">,</span> <span class="p">()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">sessionStorage</span><span class="p">.</span><span class="nf">setItem</span><span class="p">(</span><span class="dl">'</span><span class="s1">docs-sidebar-scroll</span><span class="dl">'</span><span class="p">,</span> <span class="nx">sidebar</span><span class="p">.</span><span class="nx">scrollTop</span><span class="p">)</span> <span class="p">})</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">customElements</span><span class="p">.</span><span class="nf">define</span><span class="p">(</span><span class="dl">'</span><span class="s1">docs-layout</span><span class="dl">'</span><span class="p">,</span> <span class="nx">Layout</span><span class="p">)</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <p>When the JavaScript initializes it checks to see if a location was previously stored for the scroll. If so it restores that location. An event listener is set on the window using the <code>beforeunload</code> event trigger. This event will fire just prior to navigating away from the page. It stores the current location of the scroll using the <code>sessionStorage</code>. Session storage works similarly to local storage except that it is only attached to that session (or tab in most browsers). This means if you have multiple tabs open your scroll will be maintained independently in each tab. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd5uomkxb9bqfjpzq6v5t.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fd5uomkxb9bqfjpzq6v5t.gif" alt="scroll bar restored on reload" width="797" height="510"></a></p> <p>With only 15 lines of code, we have fixed this scroll problem without buying into the whole SPA architecture with its many downsides. Granted, this is only one of the reasons people choose SPAs. But many of those reasons have similarly easy solutions, which we will explore in future blog posts. </p> <p><a href="https://twitter.com/slightlylate/status/1560020054971822080" rel="noopener noreferrer"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F46p9a0maudldxq67jbkc.png" alt="You don't have to accept the broken ideas that your next project should be an SPA. It probably shouldn't. - Alex Russell, Twitter" width="800" height="309"></a></p> <p>If this approach appeals to you give <a href="https://enhance.dev" rel="noopener noreferrer">enhance.dev</a> a try. It is the easiest and best way to build functional web apps.</p> watercooler vibecoding Ryan Bethel Tue, 20 Dec 2022 20:29:15 +0000 https://dev.to/begin/fixing-mobile-nav-state-with-autocompleteoff-obscure-html-attributes-ftw-14l https://dev.to/begin/fixing-mobile-nav-state-with-autocompleteoff-obscure-html-attributes-ftw-14l <p><small><br> Photo by <a href="https://unsplash.com/@tekton_tools?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Tekton</a> on <a href="https://unsplash.com/s/photos/wrench?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText" rel="noopener noreferrer">Unsplash</a><br> </small><br> <strong>Updated</strong>: February 08, 2023 to include the affects of <code>bfcache</code> (back/forward cache) on this solution.</p> <p>I am a big believer in the power of HTML first development. <br> It is simpler, faster to build, and easier to maintain. JavaScript has its place (mainly as a progressive enhancement), but it is not the first tool you should reach for. We built the Enhance framework to make this way of building apps easier. </p> <p>Building the <a href="https://enhance.dev" rel="noopener noreferrer">enhance.dev</a> site, we used a checkbox for the mobile nav control. This technique is not new and has been written about in lots of other places (i.e. <a href="https://css-tricks.com/three-css-alternatives-to-javascript-navigation/#aa-alternative-3-the-css-only-hamburger-menu" rel="noopener noreferrer">here</a>). But one edge case caused an annoying navigation problem. If you open the mobile nav and follow a link, and then use the back button to return to the previous page, the mobile menu will be open. This is because of the way form elements work in browsers. </p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firl6ogrvs5sdndlxv71w.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Firl6ogrvs5sdndlxv71w.gif" alt="animation of broken nav menu" width="493" height="510"></a></p> <p>The input check box was checked when you navigated away, so the browser tries to help you when you return by restoring the state of that input. This would usually be the desired behavior if this were a normal form. It would allow the user to start where they left off. But as a control for a mobile nav menu, this is very unexpected behavior. </p> <p>My initial instinct was to fix this with JavaScript. It is a simple problem that a few lines of code could fix. But because I learned to think HTML first, I did some investigation to find a non-JavaScript solution. There is a way! HTML inputs have an <code>autocomplete</code> attribute that has many useful settings. We can set the value to <code>autocomplete=”off”</code> to solve this problem. This tells the browser not to try to restore the checkbox state even when the back button is pressed. Problem solved!</p> <blockquote> <p><strong>Note</strong>: The <code>bfcache</code> (back/forward cache) in some browsers can interfere with this autocomplete setting. This fix works for Enhance/Begin/Architect projects because they set the <code>Cache-Control:no-store</code> header for HTML content which blocks the <code>bfcache</code>.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;input</span> <span class="na">id=</span><span class="s">"burger-control"</span> <span class="na">class=</span><span class="s">"absolute opacity-0 z-1"</span> <span class="na">type=</span><span class="s">"checkbox"</span> <span class="na">name=</span><span class="s">"open-burger"</span> <span class="na">autocomplete=</span><span class="s">"off"</span> <span class="na">aria-label=</span><span class="s">"Open navigation"</span> <span class="nt">/&gt;</span> </code></pre> </div> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fybv1ebtncisnxd3irp12.gif" class="article-body-image-wrapper"><img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fybv1ebtncisnxd3irp12.gif" alt="fixed mobile nav menu" width="493" height="510"></a></p> <p>Ok, so the <code>autocomplete</code> attribute is not that obscure but using it to fix this edge case was not easy to google for, so I am putting it out here for anyone trying to do the same (also for future me). The other lesson here that was reinforced for me is never to count HTML and CSS out. MDN Docs are your friend. Whenever I think I need to reach for JavaScript to solve a problem, I question that assumption and spend just a few minutes looking for another solution. It doesn’t always work, but when it does, your app will be better for it. Better how you ask:</p> <ul> <li>Faster - No JavaScript means no waiting until JavaScript loads.</li> <li>More robust - No fragile code connecting by ids or <code>querySelector</code>.</li> <li>Simpler - An attribute directly on the HTML is collocated and with the thing it controls.</li> </ul> laravel php backend discuss Ryan Bethel Tue, 18 Oct 2022 20:25:00 +0000 https://dev.to/begin/an-accessible-modal-without-javascript-the-final-boss-2omm https://dev.to/begin/an-accessible-modal-without-javascript-the-final-boss-2omm <p>A modal is a pop-up dialog message that requires immediate attention. Since modal dialog's are intentionally disruptive, they should be used sparingly. But when you need one, it’s usually for something critical. Building an accessible modal is difficult. Doing it without JavaScript <em>has</em> been almost impossible. I am a <a href="https://blog.begin.com/posts/2022-06-21-forms-that-work-every-time-everywhere">fan of progressive enhancement</a>. Build it to work with only HTML (and CSS). Then improve it with just a little JavaScript. It is better for people, and it’s usually easier to build. Modals are an exception to the easy part. They need to hijack other built-in HTML interactions. Without JavaScript, that is hard to do. It’s been called the final boss of accessible components for a long time.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--HcT77fR1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f3yo4hwl8zufsyldj6gf.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--HcT77fR1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/f3yo4hwl8zufsyldj6gf.gif" alt="Video game final boss!" width="480" height="270"></a></p> <h3> TL&amp;DR </h3> <p>The goal is to build the best modal possible without JavaScript. Then add what’s missing with as little JavaScript as possible. <code>&lt;dialog&gt;</code> seems like the obvious answer, and it comes frustratingly close but for one fatal flaw. The real solution is a checkbox and a form reset button, combined with the new CSS <code>:has</code> selector. <code>:has()</code> is the final piece to unlock this longstanding problem component. It is available in two of the three major browsers and has reached the final stages in the third.</p> <h3> Background </h3> <p>The web is a great platform to build on. It steadily improves with new capabilities, but most critically, it remains backward compatible. Things that used to work will continue to work if they rely on web APIs. My old solution for this modal problem was quite complex, requiring hidden radio buttons and some complicated CSS using <code>:checked</code> selectors. But as time moves on, the web platform has upgraded itself, and the new solution using <code>:has()</code> is much simpler. That <a href="https://en.wikipedia.org/wiki/Rube_Goldberg">Rube Goldburg</a> modal can fade into history (except for those sites where I used it, which I am confident will continue to work until I want to change them).</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--x4L2a9UU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v99qjsyr9lx0ftsu2dcr.jpg" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--x4L2a9UU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/v99qjsyr9lx0ftsu2dcr.jpg" alt="I have not failed. I have found 10,000 ways that don't work. Thomas Edison!" width="880" height="495"></a></p> <p>People coming into web development from this point forward will never know how many hacks it took to make some things like this work. That is a good thing. They can focus on new challenges.</p> <h3> Why not <code>&lt;dialog&gt;</code> </h3> <p>Before showing the working solution, you might ask “why not use the <code>&lt;dialog&gt;</code> element.” It is the most semantically correct element for a modal. Most of the difficult requirements, like trapping focus and escape to close, are built in. But <code>&lt;dialog&gt;</code> has one fatal flaw. <strong><em>You cannot open it without JavaScript.</em></strong> It can start, on the initial render, in the open state, and then a form submit button can close it without JavaScript. But rarely do you want to render a page with a modal open already. If you give up on an accessible working no JavaScript solution, then I recommend <code>&lt;dialog&gt;</code>. It is the cleanest and most straightforward solution <em>with</em> JavaScript. <a href="https://web.dev/building-a-dialog-component/">Web.dev</a> has a good post with examples. But I am not giving up, so <code>&lt;dialog&gt;</code> is out.</p> <h3> Requirements </h3> <p>Some of the critical features for a modal are:</p> <ol> <li>Opens above main content (i.e. not covered by sticky headers)</li> <li>Fully keyboard accessible</li> <li>Traps focus in the modal when open</li> <li>De-emphasizes main page content to focus attention on the modal</li> <li>Triggered from anywhere</li> <li>Multiple open and close targets</li> <li>Click outside to close</li> <li>Escape to close</li> </ol> <p>The markup below shows the ideal author experience for this modal. The dialog itself is after the other page content in the document flow. That ensures that no matter what sticky header z-index shenanigans happen in the main content, you can ensure the dialog is not trapped under some other content on the page.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"main-content"</span><span class="nt">&gt;</span> main content <span class="nt">&lt;trigger-modal</span> <span class="na">name=</span><span class="s">"my-modal"</span><span class="nt">&gt;</span>open modal<span class="nt">&lt;/trigger-modal&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;dialog-modal</span> <span class="na">name=</span><span class="s">"my-modal"</span> <span class="na">main-content-class=</span><span class="s">"main-content"</span><span class="nt">&gt;</span> Dialog Message <span class="nt">&lt;close-modal</span> <span class="na">name=</span><span class="s">"my-modal"</span><span class="nt">&gt;</span>close modal<span class="nt">&lt;/close-modal&gt;</span> <span class="nt">&lt;/dialog-modal&gt;</span> </code></pre> </div> <p>This example uses custom elements (i.e. <code>&lt;dialog-modal&gt;</code>) rendered with <a href="https://enhance.dev">Enhance</a>, which expands them with the internal elements necessary to make it work without JavaScript. The custom tag is just a container to author with and later a place to attach the progressively enhanced behavior. This same solution would work without <a href="https://enhance.dev">Enhance</a>. You just need to render the necessary elements into your page somehow.</p> <p>Here is a CodePen showing a full example.</p> <p><iframe height="600" src="https://codepen.io/rbethel/embed/BaxvGgB?height=600&amp;default-tab=result&amp;embed-version=2"> </iframe> </p> <p>The key to this modal is to combine a checkbox, <code>&lt;form&gt;</code>, reset button, and <code>:has()</code>. The so-called <a href="https://css-tricks.com/the-checkbox-hack/">checkbox hack</a> has been used to control UI elements for many years. But you had to have the checkbox positioned above and outside of the thing you wanted to control. That has all changed with <code>:has()</code>. Now that checkbox can be anywhere in the document, and it can affect the styles for elements anywhere on the page. We use a checkbox to trigger the modal to open, but how do we close it? If that checkbox trigger is in the main content, and the modal blocks that content once open, we can’t directly interact with it to close it. The solution is to add that checkbox to a <code>&lt;form&gt;</code> and use a <code>type=reset</code> button to close it. When that form is “reset” it will toggle the checkbox, no matter where it is in the document, back to its original state, which will close the modal.</p> <p>The markup below shows the modal in its most basic form. This is all you need to make this work. It takes a little more to make it nice (like styles and labels), but this is the essence of how it works. Note you can have any number of input checkboxes to open the modal and any number of reset buttons to close it if needed.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;style&gt;</span> <span class="c">/* Main content visibility hidden to trap focus in modal */</span> <span class="nc">.main-content</span><span class="nd">:has</span><span class="o">(</span><span class="nt">input</span><span class="o">[</span><span class="nt">form</span><span class="o">=</span><span class="s1">"modal-form-my-modal"</span><span class="o">]</span><span class="nd">:checked</span><span class="o">)</span> <span class="p">{</span> <span class="nl">visibility</span><span class="p">:</span> <span class="nb">hidden</span><span class="p">;</span> <span class="p">}</span> <span class="c">/* Show modal when open */</span> <span class="nt">body</span><span class="nd">:has</span><span class="o">(</span><span class="nt">input</span><span class="o">[</span><span class="nt">form</span><span class="o">=</span><span class="s1">"modal-form-my-modal"</span><span class="o">]</span><span class="nd">:checked</span><span class="o">)</span> <span class="nc">.modal-body</span> <span class="p">{</span> <span class="nl">display</span><span class="p">:</span> <span class="nb">block</span><span class="p">;</span> <span class="p">}</span> <span class="nt">&lt;/style&gt;</span> <span class="nt">&lt;body&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"main-content"</span><span class="nt">&gt;</span> <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"checkbox"</span> <span class="na">role=</span><span class="s">"button"</span> <span class="na">form=</span><span class="s">"modal-form-my-modal"</span><span class="nt">&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;div</span> <span class="na">class=</span><span class="s">"modal-body"</span> <span class="na">role=</span><span class="s">"dialog"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"reset"</span> <span class="na">form=</span><span class="s">"modal-form-my-modal"</span><span class="nt">&gt;</span> Close Modal <span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;form</span> <span class="na">id=</span><span class="s">"modal-form-my-modal"</span><span class="nt">&gt;&lt;/form&gt;</span> <span class="nt">&lt;/div&gt;</span> <span class="nt">&lt;/body&gt;</span> </code></pre> </div> <h3> Trap Focus without JavaScript </h3> <p>One of the most challenging requirements, without JavaScript, is to trap focus inside the modal when it’s open. Even solving this with JavaScript used to be difficult. You had to capture keyboard events and call <code>focus()</code> back inside the modal when it tried to escape. This is far easier now with the <code>inert</code> attribute. But without JavaScript, we can’t add an attribute. The solution is to set <code>visibility:hidden</code> on the page content instead. The downside is that this hides the main content completely; ideally, we only want to add an opaque layer to obscure the background. But setting visibility to hidden works for accessibility and is a reasonable compromise.</p> <p>The last two items in the list of requirements are: click outside to close and escape to close. An easy way to add click outside to close is to make the entire backdrop into another reset button when the modal is open. We set <code>tabindex=-1</code> so that this button is only a click target, and click to close is done.</p> <h3> Progressive Enhancements </h3> <p>That only leaves escape to close. As far as I know, there is still no way to do this without JavaScript. I consider it a nice to have, and I feel comfortable handling this as a progressive enhancement instead. The other compromise we made building the modal was using <code>visibility:hidden</code> instead of <code>inert</code>. Ideally, we wanted to keep the main content visible but set the <code>inert</code> attribute. And, finally, for keyboard control a button should respond to a space key or enter key. Without JavaScript a checkbox will only toggle with space key, so we should add enter key control. Let’s tackle these three items as progressive enhancements now. As a bonus, we will add them to the modal as a JavaScript upgrade in the form of a custom element definition.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">class</span> <span class="nx">DialogModal</span> <span class="kd">extends</span> <span class="nx">HTMLElement</span> <span class="p">{</span> <span class="kd">constructor</span><span class="p">()</span> <span class="p">{</span> <span class="k">super</span><span class="p">();</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">"</span><span class="s2">form</span><span class="dl">"</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">inertMain</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">inertMain</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">unInertMain</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">unInertMain</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">escClose</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">escClose</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">enterOpen</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">enterOpen</span><span class="p">.</span><span class="nx">bind</span><span class="p">(</span><span class="k">this</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">reset</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">unInertMain</span><span class="p">);</span> <span class="nb">window</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">keyup</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">escClose</span><span class="p">);</span> <span class="p">}</span> <span class="nx">connectedCallback</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">mainContentClass</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">getAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">main-content-class</span><span class="dl">"</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">mainContent</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelector</span><span class="p">(</span><span class="dl">"</span><span class="s2">.</span><span class="dl">"</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nx">mainContentClass</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="o">=</span> <span class="k">this</span><span class="p">.</span><span class="nx">getAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">name</span><span class="dl">"</span><span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">allTriggers</span> <span class="o">=</span> <span class="nb">document</span><span class="p">.</span><span class="nx">querySelectorAll</span><span class="p">(</span> <span class="dl">"</span><span class="s2">input[type=checkbox][form=modal-form-</span><span class="dl">"</span> <span class="o">+</span> <span class="k">this</span><span class="p">.</span><span class="nx">name</span> <span class="o">+</span> <span class="dl">"</span><span class="s2">]</span><span class="dl">"</span> <span class="p">);</span> <span class="k">this</span><span class="p">.</span><span class="nx">allTriggers</span><span class="p">.</span><span class="nx">forEach</span><span class="p">((</span><span class="nx">trigger</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">change</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">inertMain</span><span class="p">);</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">keydown</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">enterOpen</span><span class="p">);</span> <span class="p">});</span> <span class="p">}</span> <span class="nx">disconnectedCallback</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">allTriggers</span><span class="p">.</span><span class="nx">forEach</span><span class="p">((</span><span class="nx">trigger</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">removeEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">change</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">inertMain</span><span class="p">);</span> <span class="nx">trigger</span><span class="p">.</span><span class="nx">removeEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">keydown</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">enterOpen</span><span class="p">);</span> <span class="p">});</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span><span class="p">.</span><span class="nx">removeEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">reset</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">unInertMain</span><span class="p">);</span> <span class="nb">window</span><span class="p">.</span><span class="nx">removeEventListener</span><span class="p">(</span><span class="dl">"</span><span class="s2">keyup</span><span class="dl">"</span><span class="p">,</span> <span class="k">this</span><span class="p">.</span><span class="nx">escClose</span><span class="p">);</span> <span class="p">}</span> <span class="nx">inertMain</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">mainContent</span><span class="p">.</span><span class="nx">setAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">inert</span><span class="dl">"</span><span class="p">,</span> <span class="dl">""</span><span class="p">);</span> <span class="p">}</span> <span class="nx">unInertMain</span><span class="p">()</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">mainContent</span><span class="p">.</span><span class="nx">removeAttribute</span><span class="p">(</span><span class="dl">"</span><span class="s2">inert</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="nx">enterOpen</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">Enter</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="nx">e</span><span class="p">.</span><span class="nx">target</span><span class="p">.</span><span class="nx">checked</span> <span class="o">=</span> <span class="kc">true</span><span class="p">;</span> <span class="k">this</span><span class="p">.</span><span class="nx">inertMain</span><span class="p">()</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">escClose</span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="k">if</span> <span class="p">(</span><span class="nx">e</span><span class="p">.</span><span class="nx">code</span> <span class="o">===</span> <span class="dl">"</span><span class="s2">Escape</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">this</span><span class="p">.</span><span class="nx">form</span><span class="p">.</span><span class="nx">reset</span><span class="p">();</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="nx">customElements</span><span class="p">.</span><span class="nx">define</span><span class="p">(</span><span class="dl">"</span><span class="s2">modal-dialog</span><span class="dl">"</span><span class="p">,</span> <span class="nx">DialogModal</span><span class="p">);</span> </code></pre> </div> <p>Some extra boilerplate comes with the custom element solution, but I love knowing that this solution will always work and is not tied to the shrinking lifespan of most frameworks.</p> <p>All this code does is add an event listener to any checkbox triggers that will add the <code>inert</code> attribute to the main content. And an event listener to the form reset that will remove that <code>inert</code> when it resets. We also set a keyup event listener to reset the form if escape is pressed.</p> <h3> Hidden benefits of a progressive enhancement mindset </h3> <p>One problem I encountered writing this JavaScript is how to undo the <code>visibility:hidden</code> that we set up for the initial solution. I could have done it all with JavaScript, but progressive enhancement has taught me to stop and think “would this be easier in HTML or CSS?” I realized that if we are using <code>inert</code>, then we don’t want to use <code>visibility</code> so I can update the CSS rule by adding a <code>:not([inert])</code> pseudo selector. I used to use JavaScript as my primary tool for everything. But when you first look to HTML and CSS to do what they do best, a lot of problems that take a lot of JavaScript are much easier to solve in the right domain.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight css"><code><span class="nc">.main-content</span><span class="nd">:not</span><span class="o">([</span><span class="nt">inert</span><span class="o">])</span><span class="nd">:has</span><span class="o">(</span><span class="nt">input</span><span class="o">[</span><span class="nt">form</span><span class="o">=</span><span class="s1">"modal-form-my-modal"</span><span class="o">]</span><span class="nd">:checked</span><span class="o">)</span> <span class="p">{</span> <span class="nl">visibility</span><span class="p">:</span> <span class="nb">hidden</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h3> Finishing accessibility </h3> <p>The focus of this post has been making the modal fully functional so that it can be made accessible. There is a little more work to do for accessibility. The first rule of ARIA is don’t use ARIA if you are using semantic markup. But in this case we are using a checkbox for a button so we need some ARIA attributes. The checkbox needs to be set to <code>role=button</code>. Other attributes will be specific to the use case but you will probably need a few.</p> <h3> Is progressive enhancement really worth it </h3> <p>I think so. I am sure on Twitter at this very moment someone is saying, “who disables JavaScript these days.” While they are competing for likes with the other guy yelling, “HTML isn’t a real programming language” there are many more people quietly trying to build things in the best way they can. Progressive enhancement, using HTML and CSS first to do what they does best and adding small enhancements with JavaScript, is the best way. If that describes you, try using <a href="//enhance.dev">Enhance</a>. It is the best way to build progressively enhanced HTML-first web apps.</p> <p>If you are curious to see how this modal looks in Enhance here is a CodeSandbox with the Enhance components:<br> <a href="https://codesandbox.io/p/sandbox/enhance-modal-jyzhbf">https://codesandbox.io/p/sandbox/enhance-modal-jyzhbf</a></p> Ryan Bethel Fri, 07 Jan 2022 16:02:37 +0000 https://dev.to/begin/how-to-resize-and-transform-images-automatically-without-relying-on-3rd-party-apis-4jdi https://dev.to/begin/how-to-resize-and-transform-images-automatically-without-relying-on-3rd-party-apis-4jdi <h2> TL;DR </h2> <p>I got fed up with too many "A"s in my JAMstack and built an image processing plugin to eliminate one of them. If you are only interested in the Architect plugin for transforming images and want to skip my hot takes feel free to jump to Part 2.</p> <h2> Part 1: What’s my beef with 3rd party APIs? </h2> <p>About a year ago (before I worked for Begin), I was building a serious side project (meaning it made no money, but I had big dreams). It required managing lots of images. I used static hosting with a SPA frontend framework. I'm not naming names because I am not trying to throw shade on anyone in particular. All of these tools and techniques have a place and time when they work well. And a place where they break down, but I'm getting ahead of myself.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmcgdq8xd3f3gcscuoe96.jpeg" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmcgdq8xd3f3gcscuoe96.jpeg" alt="Hey there's too many of them"></a></p> <p>So stop me if you've heard this one before: dealing with images on the web is a pain in the app. To be performant requires many sizes and types for each image. And it would be best if you had some naming convention or system to organize them so you can use them correctly. This used to mean a bespoke manual process or custom scripts. But then there was JAMstack.</p> <h3> The JAMstack way </h3> <p>At its core, the JAMstack architecture has three tools for handling any problem:</p> <ol> <li>Client-Side JavaScript</li> <li>Build processes that produce static assets</li> <li>3rd Party APIs</li> </ol> <p>When you only have a hammer, every problem looks like a nail. For dealing with images, any client-side solution means you already sent the wrong image over the network, leaving only the last two hammers.</p> <p>Most frontend meta-frameworks now include some image component to generate these assets at build time. They are super popular and a big part of the rapid adoption of these frameworks. They are also why your "Hello World" may be hella fast, but your real site takes 30 minutes to build.</p> <h3> Here come the APIs </h3> <p>There are 3rd party APIs to do almost anything you can imagine, including image processing. Just upload your image to one of these services and request the converted version from a special url. This is an awesome solution to the problem.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsornqu14hgqsolu6hly8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fsornqu14hgqsolu6hly8.png" alt="Here comes the bad part"></a></p> <p>But APIs are like npm packages. You probably need a few to get anything done, but they multiply fast until the fate of your app is no longer in your hands.</p> <p>The whole JAMstack movement was built on the premise that you can outsource almost any part of your app to other services through an API. It is the release valve for anything the architecture itself can't do.</p> <h3> So what is wrong with offloading complexity to other services? </h3> <p>You can’t remove complexity without paying for it eventually. Either literally with money or through the increasing complexity of coordinating all these services (see the <a href="https://en.wikipedia.org/wiki/Law_of_conservation_of_complexity" rel="noopener noreferrer">Law of Conservation of Complexity</a>).</p> <h3> No, really, what is wrong with a Frankenstein app approach? </h3> <p>Some specific downside of depending on lots of 3rd party solutions bolted together are:</p> <ol> <li>Cost: Each service has different limits and pricing structures that combine to make it hard to figure out what you will pay as your app scales.</li> <li>Coordination: Depending on one service can be tricky, but linking many of them together becomes exponentially difficult. Just the lack of local development and testing support for these services means large parts of your app may be untestable.</li> <li>Changes: These services are constantly changing. As much as you hope for proper API versioning, you are not guaranteed to get it. Even additive changes result in unplanned work and unscheduled downtime.</li> </ol> <h3> Climbs off soapbox </h3> <p>There are three kinds of apps: a toy, a side project, and a business. For the first type, it matters less. Use whatever you can to learn what you want to know. For the last one, you probably have a team of intelligent people with spreadsheets to weigh the trade-offs, so once again, do what you will. But for the serious side project that you hope will eventually become a business or that you want to run long term for other reasons, beware of depending on too many 3rd party services. At least choose a way of building that allows you to build some of this into your project. Architect and Begin are both excellent choices, in my opinion.</p> <h2> Part 2: An Architect plugin for transforming images </h2> <p>If you wanted to skip the hot takes and see the tech, you are in the right place. Let me show you the image plugin I built. And to be clear the real hero of this story that I am trying to promote is the way of building apps that makes this kind of bite size dynamic functionality easy to build in.</p> <h3> What it does </h3> <p>What I needed is to drop in large images and be able to use any size version of those images by just requesting them. The plugin itself is very basic. It does not do anywhere near as much as the 3rd party APIs it replaces. But for me, it does all that I need it to do.</p> <h3> How to Install it </h3> <p>You can install the plugin for any Architect app with <code>npm install @ryanbethel/arc-image-plugin</code>. You can then add it to your app manifest like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#app.arc @app image-app @http get / get /transform/* #transform route for arc-image-plugin @plugins ryanbethel/arc-image-plugin </code></pre> </div> <p>Currently, you need to add the <code>get /transform/*</code> in line 7 to register a route for the handler. This is because plugins cannot currently add new routes easily, but that is coming soon. You also need to add the handler itself and the config file below for the same reason. Again will we will add this into the plugin in a future version.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// src/http/get-transform-catchall/index.js</span> <span class="kd">let</span> <span class="nx">arc</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@architect/functions</span><span class="dl">'</span><span class="p">)</span> <span class="kd">let</span> <span class="p">{</span> <span class="nx">imageHandler</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">@ryanbethel/arc-image-plugin</span><span class="dl">'</span><span class="p">)</span> <span class="nx">exports</span><span class="p">.</span><span class="nx">handler</span> <span class="o">=</span> <span class="nx">arc</span><span class="p">.</span><span class="nx">http</span><span class="p">.</span><span class="k">async</span><span class="p">(</span><span class="nx">imageHandler</span><span class="p">)</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>#src/http/get-transform-catchall/config.arc @aws memory 1152 timeout 30 </code></pre> </div> <h3> How to use it </h3> <p>The Architect framework serves static assets from a local folder that becomes an S3 bucket when deployed to AWS. You drop your <code>giant.jpeg</code> image in the <code>public</code> folder, and then once deployed, you can access it from anywhere in your app at <code>http://example.com/_static/giant.jpeg</code> or with a root relative path at <code>/_static/giant.jpeg</code>.</p> <p>Architect includes built in fingerprinting, but lets ignore that for the moment for simplicity. With the image plugin, you can request the same image by swapping the “_static” for “transform” and include query parameters to get a different size (<code>/transform/giant.jpeg?width=100&amp;height=100</code>). This will scale the image to fit in those dimensions while maintaining the aspect ratio.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fib5if3j6fdjrnepse6nn.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fib5if3j6fdjrnepse6nn.png" alt="Sequence diagram with image not cached"></a></p> <p>The first time you make a request, it is transformed in a lambda and that new version is saved to a cache S3 bucket. The next request for that size is served from the cache. The uncached request can take 1-3 seconds, but the cached response takes only around 100ms. Scale to fit, cover, and contain transforms are supported as well as grayscale.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy02c4unbqb1a3d2ktoze.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fy02c4unbqb1a3d2ktoze.png" alt="Sequence diagram with image cached"></a></p> <h3> Fingerprinting and Updates </h3> <p>Best practice for modern web development uses fingerprinting of static assets. This is so that if you change <code>giant.jpeg</code>, but use the same filename, all the many layers of cache between a user and your site will not block them from seeing your updates. If you use fingerprinting through Architect (see <a href="https://arc.codes/docs/en/guides/frontend/static-assets#referencing-fingerprinted-file-paths-at-runtime" rel="noopener noreferrer">fingerprinting</a> in the docs), a request to <code>giant.jpeg</code> is turned into a request to <code>giant-123abc.jpeg</code>. And transform requests become <code>/transform/giant-123abc.jpeg?width=100</code>. Then when you update the file the fingerprint changes to <code>giant-456xyz.jpeg</code>, and the plugin will generate a new version because you are now requesting <code>/transform/giant-456xyz.jpeg?width=100</code>.</p> <p>If you are interested, you can see the code for the plugin at <a href="https://github.com/ryanbethel/arc-image-plugin" rel="noopener noreferrer">https://github.com/ryanbethel/arc-image-plugin</a>.</p> <h3> Local Development </h3> <p>One of the most valuable features of using Architect is local development support for almost everything. I built this plugin to have the same. It uses a local temp directory as a cache for transformed images, and it works just as it would when deployed.</p> <h3> What if I don’t want to write my own plugin </h3> <p>You are welcome to install and use this plugin for your own project. It is brand new, and you should consider it under development. Pull requests are welcome or if you want to fork it and make it your own that's great too.</p> <p>If you are new to Architect or if you are using Begin.com (which does not yet have full support for plugins), you can replicate most of what it does in a single route/lambda in your app. That is what I did before I rolled it into a plugin to be more portable. If you aren’t using <a href="https://begin.com/join" rel="noopener noreferrer">Begin</a> or <a href="https://arc.codes/docs/en/get-started/quickstart" rel="noopener noreferrer">Architect</a>, you should try them out.</p> Ryan Bethel Tue, 16 Nov 2021 18:43:54 +0000 https://dev.to/begin/avoid-surprise-bills-from-aws-3d75 https://dev.to/begin/avoid-surprise-bills-from-aws-3d75 <p>Architect users often ask for some way to avoid large surprise bills from AWS. The budget-watch plugin sets a cost limit for your app and temporarily shuts it down when the limit is reached. It is the first step to solving this problem for our community.</p> <p>Scaling is a built-in feature of dynamic apps using cloud functions. But if your app can scale to infinity, so can your bill. Many users have this concern, even though it rarely happens. Amazon has many services to help monitor billing. Setting an account-wide budget alert is a relatively easy first line of defense. But configuring more fine-grained monitoring for a single app is not so easy. It's a little like trying to fix your car by breaking into your mechanic's garage. The billing services are too complicated for a small team to devote their limited resources to.</p> <p>The unit of deployment in Architect is an individual app. None of the AWS budget solutions easily scope to a single app. You might have one app you expect to cost $100 per month and a dozen other experimental apps that you expect to be free. You should be able to easily set these limits and have some assurance there will be no surprises.</p> <h2> What budget-watch does </h2> <p>There are many ways an app could run up your bill. Maybe you hit the top of hacker news, or you might have an infinite loop. The simplest way to stop a runaway app is to shut down the compute resources. By setting reserved concurrency (how many simultaneous executions can run) on all lambdas to zero, you can effectively stop most things that cost money in your app. You install the plugin with <code>npm install @architect/plugin-budget-watch</code>, and then add the four lines shown below to your app manifest.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>@plugins budget-watch @budget limit $40 </code></pre> </div> <p>If the app uses multiple plugins, budget-watch should be listed last so that it is the last one applied. When deployed, it attaches a budget alert scoped to just the resources of the app. If the cost of those resources exceeds the limit set, a shutdown is triggered. To restart the app, the limit can be increased or removed and the app redeployed. This resets the lambda concurrency, and the app will resume operation. You can see the code on <a href="https://github.com/architect/plugin-budget-watch">github.com/architect/plugin-budget-watch</a> for more details.</p> <h2> Implementation details (the messy parts) </h2> <p>We would love to see Amazon build this feature into the platform. Solving this problem from the outside exposes many rough edges in the billing and CloudFormation APIs. The three biggest challenges are:</p> <ol> <li>Enabling tags</li> <li>Slow billing updates</li> <li>Managing configuration drift</li> </ol> <h3> Enabling tags </h3> <p>An ideal solution would be deployed entirely through the app manifest using CloudFormation (AWS's infrastructure as code that Architect uses underneath). All that is needed to scope to an app is a single auto-generated tag (<code>aws:cloudformation:stack-name</code>). But before this tag can be used, someone needs to navigate deep into the AWS console to activate it. This only needs to be done once, but it breaks the ideal user experience of avoiding the console altogether. Some users may not be allowed to activate tags because of account limits set by their organization.</p> <h3> Billing updates </h3> <p>Amazon bills you by the millisecond but only lets you check three times a day. It's like touching a stove and finding out eight hours later that you got burned. You can set all kinds of alerts on all sorts of dimensions, but you can't do any better than 8-12 hours of granularity. Even if you set an alert for a limit you have already passed, the notification may still be delayed for half a day until the next billing update.</p> <h3> Drift detection </h3> <p>Deterministic deploys are a core feature of Architect. You get the same infrastructure every time you deploy the same app manifest. This plugin should not break that contract. Setting a budget limit and resetting it after it has triggered are all done from the app manifest. To shut down the app the plugin changes all concurrency by directly calling the lambda API. This causes a drift (out of band configuration changes to infrastructure) between your app and manifest. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--nKD42Dl0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/senv4g5rq6my3abtecy9.gif" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--nKD42Dl0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_66%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/senv4g5rq6my3abtecy9.gif" alt="girl drifting in a toy car" width="415" height="274"></a></p> <p>This drift needs to be reversed if the app is restarted. If you deploy the same CloudFormation template, it will not make any update because the template has not changed. AWS has "Drift Detection" that you can enable to monitor the out-of-band changes, but it requires clicking around the console to enable it. There is no way to turn drift detection on with CloudFormation, and there is no way to automatically reconcile that drift by having your template overwrite those configuration changes. Not only that, drift detection does not even monitor the relevant lambda configurations.</p> <p>The workaround for this drift reset is to use a CloudFormation Custom Resource as a reset mechanism. Custom resources are intended for provisioning infrastructure outside of AWS and connect them to your stack through CloudFormation. They have lifecycle hooks for create, update, and delete that run custom logic. After the budget-watch limit is triggered, it can be reset by increasing the limit in the manifest or by removing the limit. This triggers an update in the custom resource that resets the concurrency back to its original settings.</p> <h2> Other approaches considered </h2> <p>There are many ways to build a feature like this with AWS building blocks, but most suffer from the same limitations (i.e., 3x/day updates). Two promising approaches considered were cost anomaly detection w/SNS alerts and budget triggered actions. Cost anomaly detection was not used primarily because the alerts look for deviations in billing rather than absolute limits. What is the "expected" budget for the app I just deployed for the first time? </p> <p>Budget triggered actions seemed like the most promising solution provided by AWS. You set a budget with an alert that has automated actions attached. The challenge is that the actions you can specify are permissions, policy, and instance-based. These actions end up tightly coupled to implementation details of the app and must be updated as the app changes.</p> <h2> Limitations </h2> <p>The actual causes of large surprise bills are as varied as the many services that AWS offers. This solution cannot possibly catch every one. It focuses on the biggest source and applies the broadest intervention. Architect is a very flexible framework. It is possible (especially with custom plugins) to include infrastructure that will not be shut down by budget-watch. </p> <p>This plugin is still in Beta. We encourage people to try it out and give feedback. If you want to add the plugin to your Architect project you can follow the instruction in the GitHub repository (<a href="https://github.com/architect/plugin-budget-watch">architect/plugin-budget-watch</a>).</p> <h2> What about Begin users? </h2> <p><a href="https://begin.com">Begin.com</a> has a generous free tier, so users do not have to worry about costs. But for those on the paid tier, we will soon make this feature available to all users of Begin. We hope that AWS will build this into the platform in a more usable way. Until then, we hope to relieve some of the fear of unexpected bills. If you want to build scalable web apps with Begin <a href="https://begin.com/join">sign up</a> for a free account today.</p>