We'll learn how to add authentication to a new AdonisJS 6 application using the session guard. In these 15 minutes, you'll learn how to register a user, logout a user, verify a user's credentials and log them in, and more.
This is a great walkthrough on session based auth. One of the things I'm struggling with is using Ally to authenticate via Google and then convert that into an authorized session. I have the Google auth flow working as expected. I just don't know how to use that data to flow into a user session. Have you seen any resources on this?
Thank you, Mark!! We haven't discussed social authentication with AdonisJS 6 in any of our lessons quite yet. But, once you get the user details from Google, you'll want to determine if you have a matching user already in your database, and if not, create that user. Once you've either found the matching user or created the new user, you can log them in using AdonisJS Auth.
router.get('/google/callback', async ({ ally, auth }) => { const google = ally.use('google') // ... validity checks const googleUser = await google.user() const appUser = await User.updateOrCreate({ // attempt to find a user with the matched Google Id googleId: googleUser.id }, { // no match found? merge googleId with this data and create the user // add any other data your user needs here email: googleUser.email, token: googleUser.token.token, refreshToken: googleUser.token.refreshToken }) // once we have the user, log them in await auth.use('web').login(user)})
Hello, first thing first thanks for all the work you do for the AdonisJS community. I have an issue with part "How to perform user registration", it create my user into my database but it doesn't login my user. I checked the code from the github repo and there I can't found any diff.
Are you able to share a link to the repository or a reproduction of it? Based on the two snippets, all looks good, but the issue could be in the user model, config, or middleware.
It might be something related to the UUID implementation. I haven't personally used them in AdonisJS so I'm not overly familiar with everything needed to get them working, but I do believe you need to inform AdonisJS you're self assigning the primary key via the model.
export default class User extends BaseModel { static selfAssignPrimaryKey = true // ...}
Additionally, though this wouldn't cause your issue, both the auth middleware and the auth.check() method calls the auth.authenticate() method, so you only need one or the other.
The auth middleware is great when you need the user to be authenticated to access the route. It will throw an error if the user is not authenticated.
The auth.check() call is great when the user can be authenticated but doesn't need to be to access the route.
When it comes to setting up authentication with Adonis but in the case of only using Adonis as your BE I am assuming it's the same steps but skipping the Inertia steps such as the GETs for the views? Also out of curiosity if you are using a client-side react app with Session Guard I am assuming you are doing no validation in terms of client-side validation for auth but instead relying on the response back from Adonis via an API call and letting the server manage the auth session?
Yeah, if you're using session authentication using AdonisJS as an API, so long as the two apps share the same domain, the approach would still be the same just without the front-end routes & pages. Depending on your set up you may need to update the session cookie's domain config to allow subdomains.
In terms of validation, that's up to your discretion. You'll always want to perform server-side validation for data integrity's sake since client-side validation can be easily circumvented. Client-side validation is generally provided to improve user experience since it is a quicker way to provide feedback. When working with reactive client-side frameworks, it is generally considered good practice to validate on both the client & server side.
One other question I thought about as well is CSRF token validation specific to Inertia/server-side rendered frameworks? I haven't come across that before while working mostly client side while submitting data.
No, CSRF is a broad reaching vulnerability across the web and is not specific to inertia nor server-side rendered applications. The goal of these attacks is to hijack a state changing request, causing an authenticated user to perform an action they did not want nor intend to happen.
I'm not getting that exact error, but I see a couple of issues that'll cause things not to work correctly.
First, for your form errors, you want to use $messages not $message
<label> <span> Full Name </span> <input type="text" name="fullName" value="{{ old('fullName') || '' }}" /> @inputError('fullName') {{ $messages.join(', ') }} {{-- 👈 use $messages --}} @end</label>
Copied!
Second, your full name input has the name fullName with a capital N while your validator has fullname, these need to match 1:1. With those mismatched and the field required by your validator, you'll always get a validation error on submission.
Hope this helps! If, after these fixes, you're still getting the state error, please let me know which page and operation you're performing that's causing that error.
Do you have some about "multi-tenant architecture" adonis v6 login-logout-me ?
right now , i don't find anything about that... :(
More specifilly about "isolate tenants" (by schemma) in postgres, im using an admin (default auth), but i want find a way that allow to each tenant use "their own" login .
