How to use next-auth api endpoints (signin/signout) from a mobile app #1110
Comments
|
Hi there! So I'm not sure if I understand, but you would like to sign in to a native mobile app with next-auth? I'm not entirely sure if it's possible. At the very least you will need a web app, as the signin page will send you html if you do a GET request, or will check for cookies if you send a POST request. I'm not aware that cookies are a thing outside of web apps, but please do link me to some sources if I'm wrong. Or maybe even your mobile app, to get a picture of how you would integrate. |
|
Yes, I want to sign-in using a native mobile app, to utilize the full power of Nextjs, since it has API routes also. Secondly, we can handle cookies on mobile apps, but that comes with a lot of overhead so therefore we use jwt tokens, which by far is easy to implement. Let me explain, what I am trying to ask or may a feature request! Now my web application is doing good and now I want to roll out native mobile apps, then how I am supposed to integrate I like the simplicity of One thing more I cannot find the use of From Next docs:
|
balazsorban44
added
the
help-needed
|
Any updates on this? |
|
still wondering for any help regarding this issue?? |
|
yeah, looking into the code, the real issue is that is thought just for web-app, and not as micro-service-oriented. Next-auth should be able to send JSON-only on request, like the response of csrfToken, instead of embedding web-flow logic in the routes (I like the code, but this is really an anti-pattern consider Next is a serverless platform) |
|
Hi there! It looks like this issue hasn't had any activity for a while. It will be closed if no further activity occurs. If you think your issue is still relevant, feel free to comment on it to keep it open. (Read more at #912) Thanks! |
|
Maybe then I would never use next-auth for authentication ever, it defeats the purpose of API routes. Better would be to code auth on own, else the application will be bottlenecked only to web-app. |
|
I think there really should be a way to allow authentication from a mobile app (through REST endpoints with JSON response). This would allow to completely reuse on a mobile app (and why not, from a create-react-app based app) all the server side implementation of a web app; It's quite common the need of a web and mobile app based on the same backend, but in this way the authentication logics are not reusable at all |
|
I'm glad that people are interested in this, but currently I don't have the bandwidth to think about this. Instead of telling how awesome it would be, I would appreciate if we converge to meaningful discussion here, maybe someone who needs this functionality could look at the source code to come up with ideas? It's all available. FWIW, I do think we should refractor the core in a way that #1535 could be resolved. I don't know if that would help here though. Basically handlers would return objects like: interface HandlerResponse {
headers: Headers,
cookies: Record<string, {
value: string
expires: Date
//...
}
body: JSON
}and all header and cookie setting (so the WEB stuff?) would be contained within a single file ( This might also be useful if we want to expand to other frameworks (see #2294) |
|
Is there any update on this? I’m facing the exact same problem. I have a next app with authentification made by nextauth. Now I want to create a flutter app an fetch my nexts api routes. Now i have no idea how to talk to my nextauth signin/signup. Does anyone has an idea on how to do that? |
|
No updates. #2294 might be relevant, but my focus is elsewhere right now. |
|
This should be a priority for the project, really needed. |
|
@mataide Please only provide useful feedback to the conversation. 😃 If it was needed, the discussion around probably would be much bigger (and more meaningful, as reading back, only a few comments are actually focusing on helping), and more people would be standing in line to help out with the implementation. Feel free to open a PR if you have a good idea! General advice, remember the purpose of open source! 🙏 |
|
I'm working on a proof of concept for this. With a fairly minor change to next auth and using react native expo (also with a minor change) i've got the majority of the flow working. I'll try bundling it all up into a single demo repo. |
|
any updates for this, it should be something that is implemented on day one |
|
Any updates? This feature is fundamental! |
|
I neeeeeed this 🙏 |
|
i'm waiting. |
|
I had a similar need because I wanted to run my requests through my Insomnia client. I looked at the network tab and just reverse engineered the requests. Instruction assumptions:
Instructions for logging with credentials outside of application
{
"csrfToken": "cf3c89881118f3dcecbbd0616be6481475d3c23de3f5ae7a9a1bdfa59739bc78"
}
Values example
Insomnia example of encoding
What you post needs to map to how your
ResultEnd result will be a cookie that exists under
Depending on your environment / client / provider, you might have more work to do, but this should be possible for most folks.
session {
user: { name: 'test', email: '[email protected]' },
expires: '2023-02-10T16:08:16.467Z'
}Finally, a friendly reminder that your browser's network tab is your friend. Rather than complaining in the thread / asking for @balazsorban44 to refactor, take some time to see if you can find a workaround. Appreciate all the work you've done here, @balazsorban44 |
|
I want to verify the user's session in an edge function. I'm using a db strategy so I need to query an endpoint that checks the db for me. I get the session cookie in the request object but I can't figure out how to authenticate it against the 'localhost:3000/api/auth/session' Using postman I get an empty object in response, so I know it's reaching the endpoint. It's just not giving me any information. |
|
I spent couple hours debugging this. I was doing what @olingern suggested. But there was something missing. For whatever reason the The one in the body is incomplete, it's missing a part that includes a bar and then a string Once I started using the csrfToken from the cookie it worked. The reason why it works in insomnia for @olingern is because insomnia send the cookie in the request. So the steps are:
|
|
it doesn't work on my case, i follow both @rickitan and @olingern solution but didn't get the session-token back. I use custom config credentials. And i follow the field nicely but didn't work. And it return this value : { |
You have to check in the cookies for the session token. |
Would it work for signing in with providers other than username / password, with github for example? |
|
just switch to supabase or appwrite, easiest way to get everything you need. Next Auth is free and open source, can't always get what you want. |
|
It works for me. I hope it helps you. Auth Config /**
* Options for NextAuth.js used to configure adapters, providers, callbacks, etc.
*
* @see https://next-auth.js.org/configuration/options
*/
export const authOptions: NextAuthOptions = {
session: {
strategy: "jwt",
},
callbacks: {
session({ session, token }) {
if (session.user) {
// eslint-disable-next-line @typescript-eslint/no-non-null-assertion
session.user.id = token.sub!;
}
return session;
},
},
adapter: PrismaAdapter(db) as Adapter,
providers: [
CredentialsProvider({
id: 'credentials',
name: "Credentials",
credentials: {
email: { type: "email" },
password: { type: "password" },
},
authorize: authorize(db),
}),
/**
* ...add more providers here.
*
* Most other providers require a bit more work than the Discord provider. For example, the
* GitHub provider requires you to add the `refresh_token_expires_in` field to the Account
* model. Refer to the NextAuth.js docs for the provider you want to use. Example:
*
* @see https://next-auth.js.org/providers/github
*/
],
};Vue APP const form = reactive({
username: null,
password: null,
})
const onSubmit = async () => {
console.log('submit!')
console.log(form.password, form.username)
if (!form.username || !form.password) {
ElMessage.error('Please input username and password!')
return
}
const csrfRequest: {
csrfToken: string
} = await fetch(`/api/auth/csrf`).then((res) => res.json())
const body = Object.entries({
csrfToken: csrfRequest.csrfToken,
email: encodeURIComponent('[email protected]'),
password: encodeURIComponent('123'),
callbackUrl: encodeURIComponent('/'),
redirect: false,
json: true,
})
.map(([key, value]) => `${key}=${value}`)
.join('&')
try {
const loginRes = await fetch(`/api/auth/callback/credentials?`, {
headers: {
'content-type': 'application/x-www-form-urlencoded',
},
body,
method: 'POST',
credentials: 'include',
})
if (loginRes.status === 200) {
const userInfo: {
user: {
email: string
id: string
}
expires: string
} = await fetch(`/api/auth/session`).then((res) => res.json())
if (userInfo.user.email !== form.username) {
ElMessage.error('Login failed! Please check your username and password!')
return
}
localStorage.setItem('userInfo', JSON.stringify(userInfo))
ElMessage.success('Login success!')
} else {
ElMessage.error('Login failed! ' + loginRes.statusText)
}
} catch (error) {
console.error(error)
ElMessage.error('Login failed!')
}
} |
@zsnmwy while this works for a simple case, with simple email/password login, this doesn't seem to work for cases like two factor authentication, where you wait for confirmation, or even simpler, when accounts do not log in. The problem is that nextjs keeps returning the whole HTML page for |
|
@Dragosp33 Thanks for your feedback. I'm not checking in the 2fa. The simple login method is enough for my project. If you have any good techniques, please let me know. |
|
@zsnmwy I'm currently still working on that, but it feels more like a "hack" rather than a solution, as the next auth API endpoint for signing in returns a HTML page as response, so what could be done is displaying the code or message in the HTML page returned by the auth endpoint, and get that message by the element id from the page and handling it in the external app. Otherwise I don't see a solution for this situation |
|
Can i know how to login via flutter app by using next auth credentials. I can't find a solution |
|
With react native and axios it works fine private async getCsrfToken(): Promise<string> {
const { data: csrfRequest } = await this.api.get("/auth/csrf");
return csrfRequest.csrfToken;
}
private async performLogin(credentials: LoginCredentials, csrfToken: string): Promise<AxiosResponse> {
const body = this.createLoginBody(credentials, csrfToken);
return this.api.post("/auth/callback/credentials", body, {
headers: {
"Content-Type": "application/x-www-form-urlencoded",
},
withCredentials: true,
});
}
private createLoginBody(credentials: LoginCredentials, csrfToken: string): string {
return Object.entries({
csrfToken,
email: encodeURIComponent(credentials.email),
password: encodeURIComponent(credentials.password),
callbackUrl: encodeURIComponent("/"),
redirect: false,
json: true,
})
.map(([key, value]) => `${key}=${value}`)
.join("&");
}
private async getUserInfo(): Promise<UserInfo> {
const { data: userInfo } = await this.api.get<UserInfo>("/auth/session");
return userInfo;
}
async login(credentials: LoginCredentials): Promise<AuthResponse | undefined> {
const csrfToken = await this.getCsrfToken();
const loginResponse = await this.performLogin(credentials, csrfToken);
if (loginResponse.status === 200) {
const userInfo = await this.getUserInfo();
return this.handleSuccessfulLogin(userInfo, credentials.email);
}
}However, I noticed that when running my Next.js locally, the authentication doesn't work. But it works in production. It could be something in my project's configurations. |
|
Hi @maldee |
|
I send the cookie to the app through deep links. You can capture the cookie using query parameters and use it in the HTTP requests. |
It's actually not just "using the one from the cookie" the one from the cookie is probably one that was set earlier. The body of the request is expecting the first half of the CSRF matching the cookie, before the "%7C" (encoded separator), which is what the body returns (but for a new cookie which you should ignore if you already have one set). |
and others
Your question
How to use
next-authAPI endpoints (signin/signout) from a mobile app, to make the user signin/signout so as to consume the API created in NextJS from mobile apps?What are you trying to do
I have a doubt/question?
next-authAPI endpoints (signin/signout) from a mobile app, to make the user signin/signout so as to consume the API created in NextJS from mobile apps?Any help would be highly appreciated…
Reproduction
Feedback
Documentation refers to searching through online documentation, code comments and issue history. The example project refers to next-auth-example.
The text was updated successfully, but these errors were encountered: