Lecture 06 - Authentication

posted over 1 year ago ⋄ 9 min read

Lecture 06 - Authentication#

Lecture 06 - Authentication

News and Housekeeping#

Check-in 1 is due today. I have some office hours available this evening, please come talk to me about what you’re building or planning on building.
Check-in 2 will be optional, and can be used to replace a missing attendance or the initial check-in. You already get 2 free absences, but if you have more than that this is one way to raise that score.

Feedback and Q&A Forms#

Here is a form for the Q&A session; if I see responses here that are relevant to the next lecture or are frequently asked for, I will do my best to include them in that lecture.
Here is a form for feedback; I will do my best to apply what I can from here to my next lectures. I know I’m getting a biased response talking to people after class, so please help me be less biased!

Resources and AAA#

Authentication is at the core of pretty much any application. You can’t have unique users if they can’t identify themselves, right? Authentication is a smaller part of the AAA framework of security (which actually originates from network security, but is applicable here), where Authorization and Accounting also should play a role in your app. Let’s talk about what those ideas are, and what they mean within the context of our app.

I want to start off this lecture with a word of caution:

Authentication is complicated, and authentication-related information is valuable. The former means that it’s easy to miss something, or mess up in such a way that things go wrong. The latter means that the information stored for authentication is a valuable target for those who would abuse things going wrong.

Please don’t rush building this, try other possibilities (like OAuth) where possible, and if that’s not possible, let someone else help you do it right (like Supabase, or Auth0, or Clerk).

Resources#

I’m going to talk a lot about “resources” in this lecture. This is an abstract term for “things that users can access.” That might mean REST endpoints, certain pages, and really anything else that may have controls attached.

Authentication#

Authentication is your ability to identify a user based on the request that they are making. Some endpoints may only make sense in relation to a current user, for example an endpoint that shows the currently logged in user, or lists resources owned by that user.

Authorization#

Authorization is your ability to restrict resources to specific users. Authorization issues are much more common than authentication issues, especially as you add more and more resources with more complex access relationships.

Accounting#

Accounting (or auditing) is information that you store that allows you to see a sequence of events that users are taking. One example is an audit log, where you keep a history of any administrative actions taken, or where you can show what activities users are doing. This is useful when something goes wrong in authorization; you can still use authentication to establish a list of resources that were improperly accessed.

Normally, an access log with a user ID will be sufficient, but this may vary by your use case.

Demo: Authenticating with Clerk#

I’m going to update my site to allow people to save and edit draft posts, as well as to view their own draft posts, but not the posts of the others. To do this, I’m moving the detail view to something like localhost:3000/hhenrichsen/my-cool-post.

For the purposes of this demo, I already have an application created at https://clerk.com. I’m going to add the dependency next:

1
cd apps/web
2
pnpm i -S @clerk/nextjs
3
cd -

And the same for my api:

1
cd packages/api
2
pnpm i -S @clerk/nextjs
3
cd -

My next step is to add the ClerkProvider to my root layout so that I can pull authentication information in my server components.

apps/web/app/layout.tsx

1
import { ClerkProvider } from "@clerk/nextjs";
2

3
export default function PostsLayout({
4
  children,
5
}: {
6
  children: React.ReactNode;
7
}): JSX.Element {
8
  return (
9
    <ClerkProvider>
10
      <html lang="en">
11
        <body>{children}</body>
12
      </html>
13
    </ClerkProvider>
14
  );
15
}

I’m also going to set up some authentication middleware:

apps/web/middleware.ts

1
import { authMiddleware } from "@clerk/nextjs";
2

3
export default authMiddleware({
4
  publicRoutes: ["/", "/posts/(.*)/(.*)"],
5
});
6

7
export const config = {
8
  matcher: ["/((?!.+\\.[\\w]+$|_next).*)", "/", "/(api|trpc)(.*)"],
9
};

And set up some context for tRPC:

packages/api/src/context.ts

1
import {
2
  getAuth,
3
  SignedInAuthObject,
4
  SignedOutAuthObject,
5
} from "@clerk/nextjs/server";
6
import * as trpc from "@trpc/server";
7
import * as trpcNext from "@trpc/server/adapters/next";
8

9
interface AuthContext {
10
  auth: SignedInAuthObject | SignedOutAuthObject;
11
}
12

13
export const createContextInner = async ({ auth }: AuthContext) => {
14
  return {
15
    auth,
16
  };
17
};
18

19
export const createContext = async (
20
  opts: trpcNext.CreateNextContextOptions
21
) => {
22
  return await createContextInner({ auth: getAuth(opts.req) });
23
};
24

25
export type Context = trpc.inferAsyncReturnType<typeof createContext>;

Update tRPC to use the context as well as new middleware:

packages/api/src/trpc.ts

1
import { initTRPC, TRPCError } from "@trpc/server";
2
import { Context } from "./context";
3

4
const t = initTRPC.context<Context>().create();
5

6
export const router = t.router;
7
export const publicProcedure = t.procedure;
8

9
const isAuthed = t.middleware(({ ctx, next }) => {
10
  if (!ctx.auth.userId) {
11
    throw new TRPCError({
12
      code: "UNAUTHORIZED",
13
    });
14
  }
15
  return next({
16
    ctx: {
17
      auth: ctx.auth,
18
    },
19
  });
20
});
21

22
export const authedProcedure = t.procedure.use(isAuthed);

And update my next.js tRPC route to supply the context:

apps/web/pages/api/trpc/[trpc].ts

1
import { getAuth } from "@clerk/nextjs/server";
2
import * as trpcNext from "@trpc/server/adapters/next";
3
import { appRouter } from "@my-app/api/src/index";
4
import { connect } from "@my-app/mongo";
5

6
// export API handler
7
// @see https://trpc.io/docs/server/adapters
8
export default trpcNext.createNextApiHandler({
9
  router: appRouter,
10
  createContext: async (opts: trpcNext.CreateNextContextOptions) => {
11
    await connect();
12
    const auth = getAuth(opts.req);
13
    return {
14
      auth,
15
    };
16
  },
17
});

Lastly, I’m going to add some URLs we can hit to sign in and sign out, then we can work on adding some features.

apps/web/app/auth/sign-in/[[...sign-in]]/page.tsx

1
import { SignIn } from "@clerk/nextjs";
2

3
export default function SignInPage() {
4
  return <SignIn />;
5
}

apps/web/app/auth/sign-up/[[...sign-up]]/page.tsx

1
import { SignUp } from "@clerk/nextjs";
2

3
export default function SignUpPage() {
4
  return <SignUp />;
5
}

Now I’m going to adjust my schema to account for users and their info: packages/db/prisma/schema.prisma

1
datasource db {
2
  provider = "postgresql"
3
  url      = env("DATABASE_URL")
4
}
5

6
generator client {
7
  provider = "prisma-client-js"
8
  output   = "../lib/generated/client"
9
}
10

11
model User {
12
  id    String @id
13
  slug  String @unique
14
  name  String
15
  likes Like[]
16
  Post  Post[]
17

18
  @@index([slug])
19
}
20

21
model Like {
22
  id     String   @id @default(cuid())
23
  postId String
24
  post   Post     @relation(fields: [postId], references: [id])
25
  userId String
26
  user   User     @relation(fields: [userId], references: [id])
27
  date   DateTime @default(now())
28

29
  @@index([postId])
30
  @@index([userId])
31
}
32

33
model Post {
34
  id        String    @id @default(cuid())
35
  slug      String
36
  title     String
37
  content   String
38
  likes     Like[]
39
  draft     Boolean   @default(false)
40
  deleted   Boolean   @default(false)
41
  authorId  String
42
  author    User      @relation(fields: [authorId], references: [id])
43
  created   DateTime? @default(now())
44
  published DateTime?
45
  edited    DateTime? @updatedAt
46

47
  @@unique([slug, authorId])
48
  @@index([slug])
49
  @@index([authorId])
50
}

This is probably a bit more featureful than I need, but it’ll let me set up some interesting tRPC queries at least. Now I’m going to amend my previous layout to add a bit more information about the logged in user (or absence of one):

apps/web/app/layout.tsx

1
import Link from "next/link";
2
import { ClerkProvider, UserButton } from "@clerk/nextjs";
3
import { currentUser } from "@clerk/nextjs/server";
4

5
export default async function RootLayout({
6
  children,
7
}: {
8
  children: React.ReactNode;
9
}): Promise<JSX.Element> {
10
  const userAuth = await currentUser();
11

12
  const authButton = userAuth ? (
13
    <UserButton />
14
  ) : (
15
    <Link
16
      href="/auth/sign-in"
17
      style={{ textDecoration: "none", color: "black" }}
18
    >
19
      Sign In
20
    </Link>
21
  );
22

23
  return (
24
    <ClerkProvider>
25
      <html lang="en">
26
        <body style={{ margin: 0 }}>
27
          <header
28
            style={{
29
              justifyContent: "space-between",
30
              display: "flex",
31
              alignItems: "center",
32
              flexDirection: "row",
33
              backgroundColor: "lightgray",
34
              position: "sticky",
35
            }}
36
          >
37
            <Link href="/" style={{ textDecoration: "none" }}>
38
              <h1
39
                style={{
40
                  margin: 0,
41
                  padding: 8,
42
                  color: "black",
43
                  fontFamily: "sans-serif",
44
                }}
45
              >
46
                Blog Site
47
              </h1>
48
            </Link>
49
            <div style={{ padding: 8 }}>{authButton}</div>
50
          </header>
51
          <div id="content">{children}</div>
52
        </body>
53
      </html>
54
    </ClerkProvider>
55
  );
56
}

And re-add the post listing, but on the server this time:

apps/web/app/page.tsx

1
import Link from "next/link";
2
import { prisma } from "@my-app/db/lib/prisma";
3

4
export default async function Home(): Promise<JSX.Element> {
5
  const posts = await prisma.post.findMany({
6
    where: { draft: false },
7
    orderBy: { published: "desc" },
8
    include: { author: true },
9
  });
10

11
  return (
12
    <div>
13
      {posts.map((post) => (
14
        <div key={post.id}>
15
          <Link href={`posts/${post.author.slug}/${post.slug}`}>
16
            <h2>{post.title}</h2>
17
          </Link>
18
          <p>
19
            <i>By {post.author.name}</i>
20
          </p>
21
        </div>
22
      ))}
23
    </div>
24
  );
25
}

Now let’s implement that post page:

apps/web/app/posts/[user]/[post]/page.tsx

1
import { notFound } from "next/navigation";
2
import { auth } from "@clerk/nextjs";
3
import { prisma } from "@my-app/db/lib/prisma";
4

5
export default async function CreatePost({
6
  params,
7
}: {
8
  params: { user: string; post: string };
9
}): Promise<JSX.Element> {
10
  const { user: userSlug, post: postSlug } = params;
11
  const { userId: authUserId } = auth();
12

13
  const { id: authorId } = (await prisma.user.findUnique({
14
    where: { slug: userSlug },
15
    select: { id: true },
16
  })) ?? { id: null };
17

18
  if (!authorId) {
19
    return notFound();
20
  }
21

22
  const post = await prisma.post.findUnique({
23
    where: {
24
      slug_authorId: {
25
        slug: postSlug,
26
        authorId,
27
      },
28
    },
29
    include: {
30
      author: true,
31
      _count: {
32
        select: { likes: true },
33
      },
34
    },
35
  });
36

37
  if (!post) {
38
    return notFound();
39
  }
40

41
  if (post.draft && (!authUserId || authUserId !== post.authorId)) {
42
    return notFound();
43
  }
44

45
  return (
46
    <>
47
      <h1>{post.title}</h1>
48
      <p>
49
        <i>By {post.author.name}</i>
50
      </p>
51
      <p>
52
        <i>{post._count.likes} Likes</i>
53
      </p>
54
      <p>{post.content}</p>
55
    </>
56
  );
57
}

Now let’s write some tRPC queries:

packages/api/src/index.ts

1
import * as z from "zod";
2
import type { Post } from "@my-app/db/lib/generated/client";
3
import { prisma } from "@my-app/db/lib/prisma";
4
import { comment } from "@my-app/mongo";
5
import type { Comment } from "@my-app/mongo/models/comment";
6
import { authedProcedure, publicProcedure, router } from "./trpc";
7

8
export const appRouter = router({
9
  postList: publicProcedure.query(
10
    async (opts): Promise<(Post & { comments: readonly Comment[] })[]> => {
11
      const posts = await prisma.post.findMany({
12
        where: {
13
          OR: [
14
            { draft: false },
15
            { authorId: opts.ctx.auth.userId ?? undefined },
16
          ],
17
          AND: [{ deleted: false }],
18
        },
19
        orderBy: {
20
          published: "desc",
21
        },
22
      });
23
      return Promise.all(
24
        posts.map(async (post) => {
25
          const postId = post.id;
26
          const comments = await comment.find({ post: postId }).exec();
27
          return { ...post, comments };
28
        })
29
      );
30
    }
31
  ),
32
  postDetail: publicProcedure.input(z.string()).mutation(async (opts) => {
33
    const postId = opts.input;
34
    const post = await prisma.post.findUnique({
35
      where: {
36
        id: postId,
37
        OR: [{ draft: false }, { authorId: opts.ctx.auth.userId ?? undefined }],
38
        AND: [{ deleted: false }],
39
      },
40
    });
41
    return post;
42
  }),
43
  addUserInfo: authedProcedure
44
    .input(
45
      z.object({
46
        slug: z.string(),
47
        name: z.string(),
48
      })
49
    )
50
    .mutation(async (opts) => {
51
      prisma.user.create({
52
        data: {
53
          id: opts.ctx.auth.userId,
54
          slug: opts.input.slug,
55
          name: opts.input.name,
56
        },
57
      });
58
    }),
59
  addPost: authedProcedure
60
    .input(
61
      z.object({
62
        title: z.string(),
63
        content: z.string(),
64
        draft: z.boolean().optional(),
65
      })
66
    )
67
    .mutation(async (opts) => {
68
      const { title, content } = opts.input;
69
      const post = await prisma.post.create({
70
        data: {
71
          title,
72
          content,
73
          authorId: opts.ctx.auth.userId,
74
          slug: title.toLowerCase().replace(/ /g, "-"),
75
          draft: opts.input.draft ?? false,
76
        },
77
      });
78
      return post;
79
    }),
80

81
  updatePost: authedProcedure
82
    .input(
83
      z.object({
84
        id: z.string(),
85
        title: z.string().optional(),
86
        content: z.string().optional(),
87
        draft: z.boolean().optional(),
88
      })
89
    )
90
    .mutation(async (opts) => {
91
      const { id, title, content, draft } = opts.input;
92

93
      const post = await prisma.post.update({
94
        where: { id, authorId: opts.ctx.auth.userId },
95
        data: {
96
          title,
97
          content,
98
          draft,
99
          edited: new Date(),
100
        },
101
      });
102
      return post;
103
    }),
104
  likePost: authedProcedure.input(z.string()).mutation(async (opts) => {
105
    const postId = opts.input;
106
    await prisma.like.create({
107
      data: {
108
        userId: opts.ctx.auth.userId,
109
        postId,
110
      },
111
    });
112
  }),
113
});
114

115
export type AppRouter = typeof appRouter;