[WIP] Adds a very basic POC for http-only cookies #146
Conversation
| import { auth } from '../../utils/initSupabase' | ||
| import Router from 'next/router' | ||
|
|
||
| export default function handler(req, res) { |
There was a problem hiding this comment.
This server route should "receive" the auth redirects from GoTrue and save an http-only cookie
| import { auth } from '../../utils/initSupabase' | ||
|
|
||
| // Example of how to verify and get user data server-side. | ||
| const getUser = async (req, res) => { |
There was a problem hiding this comment.
This route should be able to pluck the session data from the cookie
| async function handleEmailSignIn() { | ||
| let { error, user } = await auth.signIn( | ||
| { email, password }, | ||
| { redirectTo: 'http://localhost:3000/api/auth' } |
There was a problem hiding this comment.
Here we are logging in, but telling the GoTrue server to send our authenticated requests to our server-side route so that it can set an HTTP cookie
There was a problem hiding this comment.
@kangmingtay @awalias is this setting working? I'm not sure if the requests are being redirected after creating the user
There was a problem hiding this comment.
yup it is working, the logs in the docker container should show the redirect url used. You'll also need to whitelist http://localhost:3000 in the docker-compose file inside the autoconfirm container by setting GOTRUE_URI_ALLOW_LIST: http://localhost:3000 inside the environment
| @@ -1,6 +1,21 @@ | |||
| # docker-compose.yml | |||
| version: '3' | |||
| services: | |||
| kong: | |||
There was a problem hiding this comment.
Needed to add kong for CORS support
Sidenote: is this another regression? Previously my react example was working without kong
|
|
||
| // Example of how to verify and get user data server-side. | ||
| const getUser = async (req, res) => { | ||
| const { user, error } = await auth.api.getUserByCookie(req) |
There was a problem hiding this comment.
Currently this sends an API request to gotrue server every time it's called. I need to check how auth0 does this. What auth0 method do we use to check for authenticated user?
There was a problem hiding this comment.
auth0 uses a method called getSession which gets the user's session from the request to check if the user is authenticated.
|
Closing in favour of #211 |
No description provided.