DEV Community: Userfront Devs The latest articles on DEV Community by Userfront Devs (@userfront_devs). https://dev.to/userfront_devs https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1405828%2F0688cb91-c5f0-4557-b13f-08fed8275b77.png DEV Community: Userfront Devs https://dev.to/userfront_devs en Security-charging Your NextJS 14 App with Userfront Authentication Userfront Devs Wed, 24 Jul 2024 19:21:26 +0000 https://dev.to/userfront/security-charging-your-nextjs-14-app-with-userfront-authentication-2knc https://dev.to/userfront/security-charging-your-nextjs-14-app-with-userfront-authentication-2knc <p>As we build increasingly complex applications with NextJS 14, it's crucial to implement authentication and authorization correctly. Developers know that Identity Management and Authentication (IAM) is a revenue driver. Users need easy security they can place confidence in, and companies need organizational architectures and compliance.</p> <p>Are you looking for a modern, easy-to-implement IAM that supports NextJS 14 application design and best practices? This article guides you through integrating Userfront authentication into your NextJS 14 app, focusing on security best practices.</p> <p>We'll start by covering the basics of Userfront integration, but our main goal is to dive deep into the implementation of a secure, production-ready authentication system. We explore:</p> <ol> <li>Client-side authentication flows using Userfront's components</li> <li>Secure routing and protected layouts in NextJS 14</li> <li>Implementing server-side verification for sensitive data access, ensuring authorization checks are performed close to the data source</li> </ol> <p>Throughout, we emphasize the separation of concerns between client and server, the importance of server-side validation, and the proper handling of JWTs.</p> <p>Let's begin by setting up Userfront in a NextJS 14 project, and then we'll progressively build out our secure authentication infrastructure.</p> <h2> Get started with Userfront for NextJS 14 </h2> <p>The Userfront Next SDK integrates seamlessly with NextJS, allowing developers to implement secure authentication quickly and efficiently. Userfront provides a comprehensive solution for adding authentication to your NextJS 14 application. It offers:</p> <ul> <li>A generous free tier with a user data source prepopulated</li> <li>Plug-and-play components</li> <li>A range of sign-on methods from emails to SSO</li> <li>Custom JWTs for the fields you want to capture</li> <li>Multi-tenancy</li> </ul> <p>Here are four essential resources to get you started with Userfront in your NextJS 14 project:</p> <ol> <li> <a href="https://www.npmjs.com/package/@userfront/next" rel="noopener noreferrer">@userfront/next</a> package on npm provides a set of components and hooks that make it easy to add authentication to your Next.js app.</li> <li> <a href="https://userfront.com/docs/quickstart?v=next" rel="noopener noreferrer">Quick Start guide</a> walks you through the basics of setting up Userfront in your project, including: <ul> <li>Installing the Userfront Next.js library</li> <li>Adding the Userfront provider to your layout</li> <li>Creating login, signup, and dashboard pages</li> </ul> </li> <li> <a href="https://userfront.com/docs/examples/next" rel="noopener noreferrer">Userfront Next.js Guide</a> is a more in-depth look at integrating Userfront with Next.js. This guide covers: <ul> <li>Installation and setup</li> <li>Using the UserfrontProvider</li> <li>Client-side components and hooks</li> <li>Server-side methods and authentication</li> </ul> </li> <li> <a href="https://github.com/userfront/examples/tree/main/next-14" rel="noopener noreferrer">Userfront NextJS 14 example</a> on GitHub is a fully functional authentication setup using Userfront in a NextJS 14 application.</li> </ol> <h2> Build on the Userfront NextJS 14 example </h2> <p>Now that we've covered the basics, let's dive into some best practices for using Userfront with NextJS 14. We'll focus on understanding NextJS 14's design principles and how to keep sensitive data secure to ensure that:</p> <ul> <li>Only requests with valid JWTs can access the protected data</li> <li>The server verifies the user's identity before returning any sensitive information</li> <li>The client-side component (<code>UserDataComponent</code>) can't access this data without a valid token</li> </ul> <h3> Set up the project </h3> <p>First, make sure you have a Next.js 14 project set up with Userfront installed. If you haven't done this yet, you can grab the example from GitHub by downloading the folder. For example, you can go to <a href="https://download-directory.github.io/" rel="noopener noreferrer">download-directory</a> and enter the NextJS project: <code>https://github.com/userfront/examples/tree/main/next-14</code>.</p> <p>Open the project up and install it with:<br> <code>npm install</code></p> <p>Run the example:<br> <code>npm run dev</code></p> <p>Next, we’ll add a header that changes based on the user login state, a secured router, and a dashboard page that fetches user data if the JWT is verified.</p> <h3> Create a Header component </h3> <p>Let's start by creating a header component that changes based on the user's authentication status:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/_components/Header.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Link</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/link</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useUserfront</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@userfront/next/client</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">Header</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">logout</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useUserfront</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">header</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">p-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">nav</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex justify-between items-center</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Link</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-lg font-bold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">My</span> <span class="nx">App</span><span class="o">&lt;</span><span class="sr">/Link</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="p">{</span><span class="nx">isAuthenticated</span> <span class="p">?</span> <span class="p">(</span> <span class="o">&lt;&gt;</span> <span class="o">&lt;</span><span class="nx">Link</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/dashboard</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mr-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Dashboard</span><span class="o">&lt;</span><span class="sr">/Link</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">button</span> <span class="nx">onClick</span><span class="o">=</span><span class="p">{()</span> <span class="o">=&gt;</span> <span class="nf">logout</span><span class="p">({</span> <span class="na">redirect</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">})}</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">bg-blue-500 text-white px-4 py-2 rounded</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Logout</span><span class="o">&lt;</span><span class="sr">/button</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/</span><span class="err">&gt; </span> <span class="p">)</span> <span class="p">:</span> <span class="p">(</span> <span class="o">&lt;&gt;</span> <span class="o">&lt;</span><span class="nx">Link</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mr-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Login</span><span class="o">&lt;</span><span class="sr">/Link</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">Link</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/signup</span><span class="dl">"</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mr-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Signup</span><span class="o">&lt;</span><span class="sr">/Link</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/</span><span class="err">&gt; </span> <span class="p">)}</span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/nav</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/header</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p>This header component uses the <code>useUserfront</code> hook to determine if the user is authenticated and displays appropriate navigation links.</p> <p>Then, we’ll update the app layout to include that header. Replace the contents of <code>app/layout.tsx</code> with the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="k">import</span> <span class="nx">type</span> <span class="p">{</span> <span class="nx">Metadata</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Inter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/font/google</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="dl">"</span><span class="s2">./globals.css</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UserfrontProvider</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@userfront/next/client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Header</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./_components/Header</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">RootLayout</span><span class="p">({</span> <span class="nx">children</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span> <span class="p">})</span> <span class="p">{</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">html</span> <span class="nx">lang</span><span class="o">=</span><span class="dl">"</span><span class="s2">en</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">body</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">flex justify-center</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">w-full max-w-5xl px-4 pt-8</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">UserfrontProvider</span> <span class="nx">tenantId</span><span class="o">=</span><span class="p">{</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_USERFRONT_TENANT_ID</span><span class="o">!</span><span class="p">}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Header</span> <span class="o">/&gt;</span> <span class="p">{</span><span class="nx">children</span><span class="p">}</span> <span class="o">&lt;</span><span class="sr">/UserfrontProvider</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/body</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/html</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Secure routes with layout </h3> <p>Next, let's create a secure layout that protects our dashboard and other sensitive pages. Secure layouts provide a client-side redirect for unauthenticated users, but remember that true security should be implemented server-side.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/(secure)/layout.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useRouter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/navigation</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useUserfront</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@userfront/next/client</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">SecureLayout</span><span class="p">({</span> <span class="nx">children</span> <span class="p">}:</span> <span class="p">{</span> <span class="nl">children</span><span class="p">:</span> <span class="nx">React</span><span class="p">.</span><span class="nx">ReactNode</span> <span class="p">})</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">router</span> <span class="o">=</span> <span class="nf">useRouter</span><span class="p">();</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">isLoading</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useUserfront</span><span class="p">();</span> <span class="nx">React</span><span class="p">.</span><span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">isAuthenticated</span> <span class="o">||</span> <span class="nx">isLoading</span> <span class="o">||</span> <span class="o">!</span><span class="nx">router</span><span class="p">)</span> <span class="k">return</span><span class="p">;</span> <span class="nx">router</span><span class="p">.</span><span class="nf">push</span><span class="p">(</span><span class="dl">"</span><span class="s2">/login</span><span class="dl">"</span><span class="p">);</span> <span class="p">},</span> <span class="p">[</span><span class="nx">isAuthenticated</span><span class="p">,</span> <span class="nx">isLoading</span><span class="p">,</span> <span class="nx">router</span><span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isAuthenticated</span> <span class="o">||</span> <span class="nx">isLoading</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="kc">null</span><span class="p">;</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">children</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p>This layout ensures that only authenticated users can access the pages within the <code>(secure)</code> folder.</p> <h3> Fetch Userfront data as server-side call </h3> <p>To fetch data on the server, we’ll call the <code>UserfrontClient</code> along with the Userfront <a href="https://userfront.com/test/dashboard/api-keys" rel="noopener noreferrer">Admin API key</a> and <a href="https://userfront.com/test/dashboard/tenants" rel="noopener noreferrer">Tenant ID</a>, which are found in the dashboard.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="dl">"</span><span class="s2">use server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UserfrontClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@userfront/next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">Image</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">next/image</span><span class="dl">"</span><span class="p">;</span> <span class="c1">// Initialize the Userfront client</span> <span class="kd">const</span> <span class="nx">Userfront</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserfrontClient</span><span class="p">({</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">USERFRONT_API_KEY</span><span class="p">,</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_USERFRONT_TENANT_ID</span><span class="p">,</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">ServerPage</span><span class="p">()</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Get the tenant information</span> <span class="kd">const</span> <span class="nx">tenant</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">Userfront</span><span class="p">.</span><span class="nf">getTenant</span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_USERFRONT_TENANT_ID</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">container</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Server</span> <span class="nx">Example</span> <span class="kd">with</span> <span class="nx">Data</span> <span class="nx">Fetching</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="p">{</span><span class="nx">tenant</span><span class="p">.</span><span class="nx">image</span> <span class="o">&amp;&amp;</span> <span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">style</span><span class="o">=</span><span class="p">{{</span> <span class="na">marginBottom</span><span class="p">:</span> <span class="dl">'</span><span class="s1">20px</span><span class="dl">'</span> <span class="p">}}</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">Image</span> <span class="nx">src</span><span class="o">=</span><span class="p">{</span><span class="nx">tenant</span><span class="p">.</span><span class="nx">image</span><span class="p">}</span> <span class="nx">alt</span><span class="o">=</span><span class="dl">"</span><span class="s2">Tenant Image</span><span class="dl">"</span> <span class="nx">width</span><span class="o">=</span><span class="p">{</span><span class="mi">100</span><span class="p">}</span> <span class="nx">height</span><span class="o">=</span><span class="p">{</span><span class="mi">100</span><span class="p">}</span> <span class="sr">/</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">)}</span> <span class="o">&lt;</span><span class="nx">h2</span><span class="o">&gt;</span><span class="nx">Tenant</span> <span class="na">Information</span><span class="p">:</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">pre</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">JSON</span><span class="p">.</span><span class="nf">stringify</span><span class="p">(</span><span class="nx">tenant</span><span class="p">,</span> <span class="kc">null</span><span class="p">,</span> <span class="mi">2</span><span class="p">)}</span><span class="o">&lt;</span><span class="sr">/pre</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">Error fetching tenant:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span><span class="o">&gt;</span><span class="nx">Server</span> <span class="nx">Example</span> <span class="kd">with</span> <span class="nx">Data</span> <span class="nx">Fetching</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nb">Error</span><span class="p">:</span> <span class="nx">Unable</span> <span class="nx">to</span> <span class="nx">fetch</span> <span class="nx">tenant</span> <span class="nx">information</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>We’ll also add Cloudinary as an image in the root <code>next.config.mjs</code> file:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code> <span class="cm">/** @type {import('next').NextConfig} */</span> <span class="kd">const</span> <span class="nx">nextConfig</span> <span class="o">=</span> <span class="p">{</span> <span class="na">images</span><span class="p">:</span> <span class="p">{</span> <span class="na">domains</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">res.cloudinary.com</span><span class="dl">'</span><span class="p">],</span> <span class="p">},</span> <span class="p">};</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">nextConfig</span><span class="p">;</span> </code></pre> </div> <p>Now if you run the app, login, and go to the Dashboard, the link <a href="http://localhost:3000/server" rel="noopener noreferrer">Server Example with Data Fetching</a> takes you to a page that displays administrative data about the tenancy.</p> <p>This is admin data. Dashboards usually display user data, but should do so only if the user’s JWT token has been verified. Next, we’ll create:</p> <ul> <li>A protected route that verifies the user before exposing the component</li> <li>A <code>UserDataComponent</code> that relies on that protected route</li> <li>An updated dashboard that displays the <code>UserDataComponent</code> </li> </ul> <h3> Implement a protected API route </h3> <p>This protected API route implements server-side JWT verification, which is crucial for securing server-side data access. We’ll need the jsonwebtoken package to verify the access token:<br> <code>npm install jsonwebtoken</code></p> <p>To securely handle sensitive user data, we'll create a new <code>app/api/protected-route/route.ts</code> file that is a protected API route when the JWT token is verified:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/api/protected-route/route.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">NextRequest</span><span class="p">,</span> <span class="nx">NextResponse</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">next/server</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">UserfrontClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@userfront/next/server</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">jwt</span><span class="p">,</span> <span class="p">{</span> <span class="nx">JwtPayload</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">jsonwebtoken</span><span class="dl">'</span><span class="p">;</span> <span class="c1">// requires install of this package</span> <span class="kd">const</span> <span class="nx">userfront</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">UserfrontClient</span><span class="p">({</span> <span class="na">tenantId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">NEXT_PUBLIC_USERFRONT_TENANT_ID</span><span class="o">!</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">JWT_PUBLIC_KEY</span> <span class="o">=</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">USERFRONT_JWT_PUBLIC_KEY</span><span class="o">!</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">UserFrontJwtPayload</span> <span class="kd">extends</span> <span class="nx">JwtPayload</span> <span class="p">{</span> <span class="nx">userId</span><span class="p">?:</span> <span class="nx">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">GET</span><span class="p">(</span><span class="nx">request</span><span class="p">:</span> <span class="nx">NextRequest</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">authHeader</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">authorization</span><span class="dl">'</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">authHeader</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">No authorization header</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">authHeader</span><span class="p">.</span><span class="nf">split</span><span class="p">(</span><span class="dl">'</span><span class="s1"> </span><span class="dl">'</span><span class="p">)[</span><span class="mi">1</span><span class="p">];</span> <span class="c1">// Verify the JWT</span> <span class="kd">const</span> <span class="nx">decoded</span> <span class="o">=</span> <span class="nx">jwt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">token</span><span class="p">,</span> <span class="nx">JWT_PUBLIC_KEY</span><span class="p">,</span> <span class="p">{</span> <span class="na">algorithms</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">RS256</span><span class="dl">'</span><span class="p">]</span> <span class="p">})</span> <span class="k">as</span> <span class="nx">UserFrontJwtPayload</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="k">typeof</span> <span class="nx">decoded</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">string</span><span class="dl">'</span> <span class="o">||</span> <span class="o">!</span><span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Invalid token payload</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">userId</span> <span class="o">=</span> <span class="nx">decoded</span><span class="p">.</span><span class="nx">userId</span><span class="p">;</span> <span class="c1">// Fetch additional user data if needed</span> <span class="kd">const</span> <span class="nx">userData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">userfront</span><span class="p">.</span><span class="nf">getUser</span><span class="p">(</span><span class="nx">userId</span><span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="nx">userData</span> <span class="p">});</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">'</span><span class="s1">Authentication error:</span><span class="dl">'</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="nx">NextResponse</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Authentication failed</span><span class="dl">'</span> <span class="p">},</span> <span class="p">{</span> <span class="na">status</span><span class="p">:</span> <span class="mi">401</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Fetch sensitive user Data </h3> <p><code>UserDataComponent</code> demonstrates client-side API calls with authentication tokens, aligning with the 'HTTP APIs' approach. However, it relies on proper server-side implementation for actual security. For fetching sensitive user data, we'll create a separate component that makes an authenticated API call. Create a new <code>app/(secure)/dashboard/UserDataComponent.tsx</code> file with the following code:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/(secure)/dashboard/UserDataComponent.tsx</span> <span class="dl">'</span><span class="s1">use client</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useState</span><span class="p">,</span> <span class="nx">useEffect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">react</span><span class="dl">'</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useUserfront</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@userfront/next/client</span><span class="dl">"</span><span class="p">;</span> <span class="kr">interface</span> <span class="nx">UserData</span> <span class="p">{</span> <span class="nl">userId</span><span class="p">:</span> <span class="nx">string</span><span class="p">;</span> <span class="nl">email</span><span class="p">:</span> <span class="nx">string</span><span class="p">;</span> <span class="nx">username</span><span class="p">?:</span> <span class="nx">string</span><span class="p">;</span> <span class="p">}</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">UserDataComponent</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">userData</span><span class="p">,</span> <span class="nx">setUserData</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">UserData</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">loading</span><span class="p">,</span> <span class="nx">setLoading</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">error</span><span class="p">,</span> <span class="nx">setError</span><span class="p">]</span> <span class="o">=</span> <span class="nx">useState</span><span class="o">&lt;</span><span class="nx">string</span> <span class="o">|</span> <span class="kc">null</span><span class="o">&gt;</span><span class="p">(</span><span class="kc">null</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">userfront</span> <span class="o">=</span> <span class="nf">useUserfront</span><span class="p">();</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">fetchUserData</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">accessToken</span> <span class="o">=</span> <span class="nx">userfront</span><span class="p">.</span><span class="nf">accessToken</span><span class="p">();</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">accessToken</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="nf">setError</span><span class="p">(</span><span class="dl">'</span><span class="s1">Not authenticated</span><span class="dl">'</span><span class="p">);</span> <span class="k">return</span><span class="p">;</span> <span class="p">}</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">fetch</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/protected-route</span><span class="dl">'</span><span class="p">,</span> <span class="p">{</span> <span class="na">headers</span><span class="p">:</span> <span class="p">{</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">:</span> <span class="s2">`Bearer </span><span class="p">${</span><span class="nx">accessToken</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">},</span> <span class="p">});</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">response</span><span class="p">.</span><span class="nx">ok</span><span class="p">)</span> <span class="p">{</span> <span class="k">throw</span> <span class="k">new</span> <span class="nc">Error</span><span class="p">(</span><span class="s2">`HTTP error! status: </span><span class="p">${</span><span class="nx">response</span><span class="p">.</span><span class="nx">status</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">data</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">response</span><span class="p">.</span><span class="nf">json</span><span class="p">();</span> <span class="nf">setUserData</span><span class="p">(</span><span class="nx">data</span><span class="p">.</span><span class="nx">userData</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">err</span><span class="p">)</span> <span class="p">{</span> <span class="nf">setError</span><span class="p">(</span><span class="s2">`Error fetching user data: </span><span class="p">${</span><span class="nx">err</span> <span class="k">instanceof</span> <span class="nb">Error</span> <span class="p">?</span> <span class="nx">err</span><span class="p">.</span><span class="nx">message</span> <span class="p">:</span> <span class="nc">String</span><span class="p">(</span><span class="nx">err</span><span class="p">)}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">finally</span> <span class="p">{</span> <span class="nf">setLoading</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="nf">fetchUserData</span><span class="p">();</span> <span class="p">},</span> <span class="p">[</span><span class="nx">userfront</span><span class="p">]);</span> <span class="k">if </span><span class="p">(</span><span class="nx">loading</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nx">Loading</span> <span class="nx">additional</span> <span class="nx">user</span> <span class="nx">data</span><span class="p">...</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span> <span class="k">if </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nb">Error</span> <span class="nx">loading</span> <span class="nx">additional</span> <span class="nx">data</span><span class="p">:</span> <span class="p">{</span><span class="nx">error</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">userData</span><span class="p">)</span> <span class="k">return</span> <span class="o">&lt;</span><span class="nx">div</span><span class="o">&gt;</span><span class="nx">No</span> <span class="nx">additional</span> <span class="nx">user</span> <span class="nx">data</span> <span class="nx">available</span><span class="o">&lt;</span><span class="sr">/div&gt;</span><span class="err">; </span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">mt-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h2</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-xl font-semibold</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Additional</span> <span class="nx">User</span> <span class="nx">Information</span><span class="o">&lt;</span><span class="sr">/h2</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">User</span> <span class="nx">ID</span><span class="p">:</span> <span class="p">{</span><span class="nx">userData</span><span class="p">.</span><span class="nx">userId</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Username</span><span class="p">:</span> <span class="p">{</span><span class="nx">userData</span><span class="p">.</span><span class="nx">username</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Update the dashboard with the user data component </h3> <p>Now, let's update the dashboard page to display user information. This dashboard component uses client-side data from Userfront, but doesn't inherently provide security. It should be used in conjunction with server-side protections.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="c1">// app/(secure)/dashboard/page.tsx</span> <span class="dl">"</span><span class="s2">use client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="o">*</span> <span class="k">as</span> <span class="nx">React</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">react</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">useUserfront</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@userfront/next/client</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="nx">UserDataComponent</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./UserDataComponent</span><span class="dl">'</span><span class="p">;</span> <span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">DashboardPage</span><span class="p">()</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">useUserfront</span><span class="p">();</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">div</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">container mx-auto p-4</span><span class="dl">"</span><span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">h1</span> <span class="nx">className</span><span class="o">=</span><span class="dl">"</span><span class="s2">text-2xl font-bold mb-4</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Dashboard</span><span class="o">&lt;</span><span class="sr">/h1</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">p</span><span class="o">&gt;</span><span class="nx">Hello</span><span class="p">,</span> <span class="p">{</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/p</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="nx">UserDataComponent</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">LogoutButton</span> <span class="o">/&gt;</span> <span class="o">&lt;</span><span class="nx">Link</span> <span class="nx">href</span><span class="o">=</span><span class="dl">"</span><span class="s2">/server</span><span class="dl">"</span><span class="o">&gt;</span><span class="nx">Server</span> <span class="nx">Example</span> <span class="kd">with</span> <span class="nx">Async</span> <span class="nx">Data</span> <span class="nx">Fetching</span> <span class="o">&amp;</span><span class="err">#</span><span class="mi">8594</span><span class="p">;</span><span class="o">&lt;</span><span class="sr">/Link</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/div</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <h3> Security-charged component </h3> <p>Now you have server-side JWT verification in the protected API route that provides the necessary security for the <code>UserDataComponent</code>. Here's why:</p> <ol> <li> <strong>Token Verification:</strong> The API route verifies the JWT using the Userfront JWT public key, ensuring the token is valid and hasn't been tampered with.</li> <li> <strong>User Authentication:</strong> After verifying the token, it extracts the userId from the decoded token payload, confirming the user's identity.</li> <li> <strong>Authorization:</strong> While not explicitly shown in our example, the <code>userfront.getUser(userId)</code> call could be used to fetch user-specific data.</li> <li> <strong>Data Protection:</strong> Only after successful verification and potential authorization does the route return user data.</li> </ol> <p>However, it's worth noting:</p> <ol> <li>The security of this system relies on proper management of the JWT public key and other environment variables.</li> <li>Additional authorization checks might be necessary depending on the specific requirements of your application (e.g., checking user roles or permissions).</li> <li>While this setup provides good security, always remember that security is a multi-layered concern. This should be part of a comprehensive security strategy including secure coding practices, regular audits, and following the principle of least privilege.</li> </ol> <h2> Conclusion </h2> <p>By following these steps and best practices, you can create a secure, authenticated Next.js 14 application using Userfront. Remember to always verify JWTs on the server-side before granting access to sensitive data or protected routes.</p> <p>Some key takeaways:</p> <ol> <li>Use the <code>UserfrontProvider</code> to wrap your application and provide authentication context.</li> <li>Implement protected layouts to secure entire sections of your app.</li> <li>Always verify JWTs on the server-side before returning sensitive data.</li> <li>Use tools like environment variables to store sensitive information like API keys and JWT public keys and exclude them from check-ins.</li> <li>Take advantage of Next.js 14's built-in API routes for server-side operations.</li> </ol> <p>By understanding and implementing these concepts, you'll be well on your way to creating secure, scalable Next.js applications with Userfront authentication.</p> nextjs authorization security webdev When has rolling your own auth gone wrong? Userfront Devs Mon, 01 Jul 2024 15:20:45 +0000 https://dev.to/userfront/when-has-rolling-your-own-auth-gone-wrong-3lak https://dev.to/userfront/when-has-rolling-your-own-auth-gone-wrong-3lak <p>This week we're thinking about what happens when rolling your own auth snowballs into a giant headache. Tell us your own story in the comments!</p> <p>For a lot of us, this probably feels familiar: everything starts out simple. Add a little home-grown password-based authentication into your app and it seems great - everything just <em>works!</em> But then your app grows, your userbase grows, and your needs get more complicated: suddenly that simple DIY auth solution doesn't do everything you need. Where do you go from there? Do you keep building on top on your existing auth, or do you have to start from scratch with a third-party solution? Are the sunk costs too high to change course, or is the trade-off worth it? And what do you do with all those existing users?</p> <p>As devs we've been there ourselves. Check out this cautionary tale from Steve Cattaneo, Userfront's Head of Engineering:</p> <p><em>Once upon a time, Steve worked at a company that was a Rails shop.</em> Their first product leveraged out-of-the-box Rails password authentication. When they built their second product, for speed to market reasons, much of the boilerplate from the first product was copied into the second product—including the authentication. There was a lot to do and not much time to do it.</p> <p>Fast forward a few years and Steve’s team built their third product. That, too, included the boilerplate password auth. It was, after all, a simple, straightforward solution that worked.</p> <p>...then a customer asked for Google authentication, and that's when things started to get complicated.</p> <p>Steve's team assigned the work to one of the engineers: create an OAuth 2 module. Then migrate users: transition the username-password user to the username backed by a Google identity. He figured it out. He wired it up. And they rolled it out.</p> <p>Two or three weeks later, that engineer went on a much-deserved vacation. On that Friday — of course — the customer reported issues. Users were unable to log in. Without the engineer who had built the system, they spent the day looking at the code, looking at the database... but couldn't figure it out. The core data pipeline product was fine, but users couldn’t access their dashboard for three days—not counting the weekend.</p> <p>Eventually they gave their customer a status update: <strong>“We’ll have to get back to you.”</strong></p> <p><em>(read the rest of the story &amp; find out what happened to Steve's team <a href="https://userfront.com/blog/steve-cattaneo-knows-what-its-like-to-roll-your-own-iam">here!</a>)</em></p> discuss security authentication Getting started with Passwordless Authentication Userfront Devs Fri, 28 Jun 2024 16:02:44 +0000 https://dev.to/userfront/getting-started-with-passwordless-authentication-2ao4 https://dev.to/userfront/getting-started-with-passwordless-authentication-2ao4 <p>Passwordless authentication is an alternative to traditional password-based authentication that is gaining traction among organizations aiming to bolster their security infrastructure while enhancing user experience. This article explores the concept of passwordless authentication, its benefits for organizations, various methods, and how to implement passwordless authentication with Userfront.</p> <h2> Definition of Passwordless Authentication </h2> <p><strong>Passwordless authentication</strong> refers to the verification of a user's identity without requiring the user to enter a password. This method leverages other forms of identification like single-use codes or security keys, providing a more secure and user-friendly login experience. By eliminating the need for passwords, this authentication method mitigates common password-related security risks.</p> <h2> Benefits of Passwordless Authentication for Organizations </h2> <p>The primary benefits of passwordless authentication boil down to three areas: security, user experience, and operational efficiency.</p> <h3> Security: </h3> <ul> <li> <strong>Mitigation of Weak or Reused Password Risks:</strong> Traditional password-based systems often suffer from weak or reused passwords, making them easy targets for cyber attackers. Passwordless Authentication eliminates this risk, offering a more secure alternative.</li> <li> <strong>Reduced Phishing Attacks:</strong> Phishing attempts often target password credentials. By eliminating passwords, the chances of successful phishing attacks are significantly reduced.</li> </ul> <h3> User Experience: </h3> <ul> <li> <strong>Simplified Login Process:</strong> Passwordless Authentication simplifies the login process by reducing the steps required to verify a user’s identity.</li> <li> <strong>Elimination of Password Memorization and Resets:</strong> Users no longer need to remember or reset passwords, which enhances the overall user experience and reduces frustration.</li> </ul> <h2> Operational Efficiency: </h2> <ul> <li> <strong>Reduced Password-related Support:</strong> Organizations often dedicate resources to handle password resets and related support issues. Passwordless authentication lowers the demand for such support.</li> <li> <strong>Lower Operational Costs:</strong> By reducing the need for password-related support, organizations can lower operational costs and reallocate resources to other critical areas.</li> </ul> <h2> Types of Passwordless Authentication </h2> <ul> <li> <strong>Verification Codes:</strong> Users can opt for a verification code (sometimes called a time-based one-time password or TOTP) sent to their email or SMS address. They then enter this one-time verification code instead of a password.</li> <li> <strong>Magic Links:</strong> Much like a verification code, except instead of a code, the user receives a link that they click on to authenticate. Magic links usually have an expiration date and can only be used once.</li> <li> <strong>TOTP Applications:</strong> This authentication method allows users to use a TOTP application on their smartphone to verify their identity. TOTP authentication is primarily used as a second factor in MFA signup flows because users must authenticate with the TOTP application through other factors.</li> <li> <strong>Security Keys:</strong> Security keys are physical devices that store cryptographic keys to authenticate users. These keys can be connected via USB, Bluetooth, NFC, or even embedded within devices.</li> <li> <strong>Biometrics:</strong> Biometric authentication utilizes unique biological traits such as fingerprints or facial recognition to verify a user’s identity.</li> <li> <strong>Single Sign On:</strong> SSO could be viewed as a form of passwordless authentication because once a user is verified with an SSO provider, they don’t need to enter an additional password to log in to additional applications.</li> </ul> <h2> Implementing Passwordless Authentication with Userfront </h2> <p>Userfront supports the following methods of passwordless authentication:</p> <ul> <li>Magic links</li> <li>Email verification</li> <li>SMS verification</li> <li>TOTP applications</li> <li>SSO</li> </ul> <p>Here is how you can enable passwordless authentication methods in minutes:</p> <ol> <li>In your Userfront account, navigate to <a href="https://userfront.com/dashboard/authentication">your dashboard</a>.</li> <li>Under “First factors,” select the methods of authentication you would like to allow. While you can choose as many methods as you’d like, we recommend just a few to keep it simple.</li> <li>Email verification works with Userfront right out of the box. Just click the toggle, and users can log in using a code sent by Userfront.</li> <li>Similarly, email magic links also work out of the box and do not need to be configured. If you prefer to build your own magic link experience, <a href="https://userfront.com/docs/js#login-via-link-method">follow these instructions</a>.</li> <li>To set up SSO, you will need to follow the steps for each SSO provider.</li> <li>To set up TOTP, <a href="https://userfront.com/docs/api-client#set-up-totp-authenticator">follow these instructions</a>.‍</li> </ol> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp4eystki23vltbk3kkv8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fp4eystki23vltbk3kkv8.png" alt="Image description" width="800" height="885"></a></p> <p>Passwordless authentication is a solid solution for organizations aiming to enhance their security and user experience. With platforms like Userfront, implementing passwordless authentication is a straightforward process.‍</p> <p><em>Originally posted <a href="https://userfront.com/blog/passwordless">here</a> - sign up with Userfront &amp; <a href="https://userfront.com/">get started today</a>.</em></p> webdev authentication passwordless learning