AdonisJS 6 Session Authentication in 15 Minutes

In this lesson, we'll learn how to add authentication to a new AdonisJS 6 application using the session guard. In these 15 minutes, you'll learn how to register a user, logout a user, verify a user's credentials and log them in, and more.

Published
Apr 18
Duration
15m 18s

Developer, dog lover, and burrito eater. Currently teaching AdonisJS, a fully featured NodeJS framework, and running Adocasts where I post new lessons weekly. Professionally, I work with JavaScript, .Net C#, and SQL Server.

Adocasts

Burlington, KY

Join The Discussion! (14 Comments)

Please sign in or sign up for free to join in on the dicussion.

  1. Commented 7 months ago

    This is a great walkthrough on session based auth. One of the things I'm struggling with is using Ally to authenticate via Google and then convert that into an authorized session. I have the Google auth flow working as expected. I just don't know how to use that data to flow into a user session. Have you seen any resources on this?

    1

    Please sign in or sign up for free to reply

    1. Commented 7 months ago

      Thank you, Mark!! We haven't discussed social authentication with AdonisJS 6 in any of our lessons quite yet. But, once you get the user details from Google, you'll want to determine if you have a matching user already in your database, and if not, create that user. Once you've either found the matching user or created the new user, you can log them in using AdonisJS Auth.

      router.get('/google/callback', async ({ ally, auth }) => {
        const google = ally.use('google')
      
        // ... validity checks
      
        const googleUser = await google.user()
      
        const appUser = await User.updateOrCreate({
          // attempt to find a user with the matched Google Id
          googleId: googleUser.id
        }, {
          // no match found? merge googleId with this data and create the user
          // add any other data your user needs here
          email: googleUser.email,
          token: googleUser.token.token,
          refreshToken: googleUser.token.refreshToken
        })
      
        // once we have the user, log them in
        await auth.use('web').login(user)
      })
      Copied!

      Hope this helps!

      1

      Please sign in or sign up for free to reply

  2. Commented 1 month ago

    Hello, first thing first thanks for all the work you do for the AdonisJS community.
    I have an issue with part "How to perform user registration", it create my user into my database but it doesn't login my user. I checked the code from the github repo and there I can't found any diff.

    Any idea ?

    // register_controller.ts
    await auth.use('web').login(user)
    
    // routes.ts
    router
      .get('/', async ({ auth, view }) => {
        await auth.check()
        return view.render('pages/index')
      })
      .as('index')
    Copied!
    1

    Please sign in or sign up for free to reply

    1. Commented 1 month ago

      Hi Alan! Thank you for watching!

      Are you able to share a link to the repository or a reproduction of it? Based on the two snippets, all looks good, but the issue could be in the user model, config, or middleware.

      0

      Please sign in or sign up for free to reply

      1. Commented 1 month ago

        Hi,
        I cannot share my project in a repo because it's a enterprise project but i can try to share some screenshots (due to max characters in comments)

        Here's a Imgur post with all the screenshots : https://imgur.com/a/rYIUWJx

        All the other stuff like auth middlewares are the default ones.

        0

        Please sign in or sign up for free to reply

        1. Commented 1 month ago

          It might be something related to the UUID implementation. I haven't personally used them in AdonisJS so I'm not overly familiar with everything needed to get them working, but I do believe you need to inform AdonisJS you're self assigning the primary key via the model.

          export default class User extends BaseModel {
            static selfAssignPrimaryKey = true
            // ...
          }
          Copied!

          You can try digging into the node_modules to console log/breakpoint where AdonisJS is attempting to authenticate the user to see if:

          1. Is it finding the userId from the session okay

          2. Is it able to find the user via that id

          Additionally, though this wouldn't cause your issue, both the auth middleware and the auth.check() method calls the auth.authenticate() method, so you only need one or the other.

          • The auth middleware is great when you need the user to be authenticated to access the route. It will throw an error if the user is not authenticated.

          • The auth.check() call is great when the user can be authenticated but doesn't need to be to access the route.

          Hope this helps!

          1

          Please sign in or sign up for free to reply

          1. Commented 1 month ago

            Indeed it was this line of code static selfAssignPrimaryKey = true that was missing, now it work properly!
            Thanks a lot for your time!

            1

            Please sign in or sign up for free to reply

            1. Commented 1 month ago

              Awesome, I'm glad to hear everything is working a-okay now! 😊
              Anytime, happy to help!

              0

              Please sign in or sign up for free to reply

  3. Commented 1 month ago

    When it comes to setting up authentication with Adonis but in the case of only using Adonis as your BE I am assuming it's the same steps but skipping the Inertia steps such as the GETs for the views? Also out of curiosity if you are using a client-side react app with Session Guard I am assuming you are doing no validation in terms of client-side validation for auth but instead relying on the response back from Adonis via an API call and letting the server manage the auth session?

    1

    Please sign in or sign up for free to reply

    1. Commented 1 month ago

      Yeah, if you're using session authentication using AdonisJS as an API, so long as the two apps share the same domain, the approach would still be the same just without the front-end routes & pages. Depending on your set up you may need to update the session cookie's domain config to allow subdomains.

      In terms of validation, that's up to your discretion. You'll always want to perform server-side validation for data integrity's sake since client-side validation can be easily circumvented. Client-side validation is generally provided to improve user experience since it is a quicker way to provide feedback. When working with reactive client-side frameworks, it is generally considered good practice to validate on both the client & server side.

      1

      Please sign in or sign up for free to reply

      1. Commented 1 month ago

        Awesome thanks for your explanation 😀

        0

        Please sign in or sign up for free to reply

        1. Commented 29 days ago

          Anytime!! 😊

          0

          Please sign in or sign up for free to reply

  4. Commented 1 month ago

    One other question I thought about as well is CSRF token validation specific to Inertia/server-side rendered frameworks? I haven't come across that before while working mostly client side while submitting data.

    1

    Please sign in or sign up for free to reply

    1. Commented 29 days ago

      No, CSRF is a broad reaching vulnerability across the web and is not specific to inertia nor server-side rendered applications. The goal of these attacks is to hijack a state changing request, causing an authenticated user to perform an action they did not want nor intend to happen.

      You can go more in-depth on CSRF by reading through OWASP's guide.

      1

      Please sign in or sign up for free to reply