Simple username/password authentication, which method should I use?

[zwl1619]

There are 5 authentication providers here: https://redwoodjs.com/docs/authentication
I want to use simple username/password authentication, and save users in my database.
Which one should I use?

[cannikin]

None of these will save users in your database automatically, you'll need to set that up yourself.

I have a project that uses Netlify Identity for my login and here's how I go about creating a local user in my DB when someone signs in the first time:

// api/src/lib/auth.js

import { AuthenticationError } from '@redwoodjs/api'

import { db } from './db'

export const getCurrentUser = async ({ name, email }) => {
  const user = (await db.user.findOne({ where: { email } })) || (await createUser(name, email))
  return user
}

const createUser = (name, email) => {
  return db.user.create({ data: { name, email } })
}

export const requireAuth = () => {
  if (!context.currentUser) {
    throw new AuthenticationError("You don't have permission to do that.")
  }
}

So I'm getting the name and email out of the JWT that is getting passed to getCurrentUser and trying to lookup a user in my local database using that email address. If it isn't found then I create a new user with the name and email and return that user.

[mojombo]

@cannikin that would make a nice cookbook recipe doc, I imagine a lot of people wanting to do that exact thing.

[zwl1619]

in #214 , @DanielKehoe said:

I'm concerned about the financial cost of using Netlify Identity. It's free to add Identity to the Netlify free "Starter" level with a limit of 1000 active users. At the “Pro” level, which costs $45/mo, adding Identity costs $99/month, with a limit of 5,000 active users. Apparently “active users” is the number of users who log into your site during a month. Consider the use case of a gated content website ("sign up with your email address for access to a free tutorial"). Without devolving into a discussion of what is fair pricing or sustainable for various use cases such as SaaS, the model itself (with cost of hosting tied directly to the number of users) would inhibit use of Redwood for some use cases. For sake of comparison, adding Devise to Rails for authentication costs nothing. I hope there's a way to add authentication and authorization to Redwood without restricting the use case to be less than universal.

So , @cannikin Will that save users in Netlify Identity? Will it come with costs?

And, will there be an authentication system that does not rely on third parties?

[cannikin]

Nope, if you use the Identity widget then a signup means the user goes into Netlify and counts against that 1000 users in the free tier. I believe we have on the roadmap rolling your own authentication using your own database and a GraphQL call, but that will have the same simple `useAuth()` hook. If you didn’t care about `useAuth()` you could create your own right now on the web side pretty easily—make a GraphQL query for looking up a user by username and password (hashed password would be more secure) and then put the resulting user in state. The API side would be a little trickier...you’d need to have some way to include an identifier for the user on every call to GraphQL so you could look up the user making the request. Not trivial, but possible.

[zwl1619]

@cannikin Could this feature be given the highest priority?

[thedavidprice]

@zwl1619 maybe Auth0 or Firebase Auth is better for your needs? Auth0 offers 7,000 accounts free. For Firebase, there's more setup, but from what I understand there's no cost for web Auth: https://firebase.google.com/pricing

If you're interested in rolling your own authentication using the current Redwood Auth, here's a forum thread that covers a lot of what you'd need to do: https://community.redwoodjs.com/t/custom-github-jwt-auth-with-redwood-auth-advice-needed/610

Note: there have been a few updates and changes to the Redwood Auth package since this discussion, so do refer to the docs

Hope that helps!

[zwl1619]

I have read the docs of Redwood Auth and the forum thread above.
Auth0 or Firebase or other third parties is inconvenient or can't be accessed in my country, so I need an independent auth system, which doesn't rely on third parties. And there are many people in my country, it is easy over 7000 accounts.

[thedavidprice]

Auth0 or Firebase or other third parties is inconvenient or can't be accessed in my country

^^ this is really helpful for us to know @zwl1619

Did you take a look at the thread for configuring your own auth? If so, does it seem possible for you?

[FiveBoroughs]

Another option that I have been considering myself, is adding a 3rd party auth provider like netlify, auth0 and firebase but open source and self-hosted.

A few examples :

• https://github.com/FusionAuth/fusionauth-example-react
• https://github.com/ory/hydra
• https://github.com/keycloak/keycloak

The added workload on Redwood, is simply adding a new provider, generator and doc.
While the work of setting up the authentication server, database and maintaining it is on the developer.

[dthyresson]

There is a good change that once Supabase auth support is in, by setting Prisma to use their Postgres and then using their AuthClient (which is username/password and based on GoTrue) this can give people username/password database auth.

See: #1057 and #1033

Will need a decent UI for the login and sign up forms to be more of an out-of-box solution, but people can still implement their own forms as needed.