-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
/
index.ts
310 lines (292 loc) · 11.4 KB
/
index.ts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
/**
*
*
* :::warning
* `@auth/sveltekit` is currently experimental. The API _will_ change in the future.
* :::
*
* SvelteKit Auth is the official SvelteKit integration for Auth.js.
* It provides a simple way to add authentication to your SvelteKit app in a few lines of code.
*
*
* ## Installation
*
* ```bash npm2yarn2pnpm
* npm install @auth/core @auth/sveltekit
* ```
*
* ## Usage
*
* ```ts title="src/hooks.server.ts"
* import { SvelteKitAuth } from "@auth/sveltekit"
* import GitHub from "@auth/core/providers/github"
* import { GITHUB_ID, GITHUB_SECRET } from "$env/static/private"
*
* export const handle = SvelteKitAuth({
* providers: [GitHub({ clientId: GITHUB_ID, clientSecret: GITHUB_SECRET })],
* })
* ```
*
* or to use sveltekit platform environment variables for platforms like Cloudflare
*
* ```ts title="src/hooks.server.ts"
* import { SvelteKitAuth } from "@auth/sveltekit"
* import GitHub from "@auth/core/providers/github"
* import type { Handle } from "@sveltejs/kit";
*
* export const handle = SvelteKitAuth(async (event) => {
* const authOptions = {
* providers: [GitHub({ clientId: event.platform.env.GITHUB_ID, clientSecret: event.platform.env.GITHUB_SECRET })]
* secret: event.platform.env.AUTH_SECRET,
* trustHost: true
* }
* return authOptions
* }) satisfies Handle;
* ```
*
* Don't forget to set the `AUTH_SECRET` [environment variable](https://kit.svelte.dev/docs/modules#$env-dynamic-private). This should be a minimum of 32 characters, random string. On UNIX systems you can use `openssl rand -hex 32` or check out `https://generate-secret.vercel.app/32`.
*
* When deploying your app outside Vercel, set the `AUTH_TRUST_HOST` variable to `true` for other hosting providers like Cloudflare Pages or Netlify.
*
* The callback URL used by the [providers](https://authjs.dev/reference/core/modules/providers) must be set to the following, unless you override {@link SvelteKitAuthConfig.prefix}:
* ```
* [origin]/auth/callback/[provider]
* ```
*
* ## Signing in and signing out
*
* The data for the current session in this example was made available through the `$page` store which can be set through the root `+page.server.ts` file.
* It is not necessary to store the data there, however, this makes it globally accessible throughout your application simplifying state management.
*
* ```ts
* <script>
* import { signIn, signOut } from "@auth/sveltekit/client"
* import { page } from "$app/stores"
* </script>
*
* <h1>SvelteKit Auth Example</h1>
* <p>
* {#if $page.data.session}
* {#if $page.data.session.user?.image}
* <span
* style="background-image: url('{$page.data.session.user.image}')"
* class="avatar"
* />
* {/if}
* <span class="signedInText">
* <small>Signed in as</small><br />
* <strong>{$page.data.session.user?.name ?? "User"}</strong>
* </span>
* <button on:click={() => signOut()} class="button">Sign out</button>
* {:else}
* <span class="notSignedInText">You are not signed in</span>
* <button on:click={() => signIn("github")}>Sign In with GitHub</button>
* {/if}
* </p>
* ```
*
* ## Managing the session
*
* The above example checks for a session available in `$page.data.session`, however that needs to be set by us somewhere.
* If you want this data to be available to all your routes you can add this to `src/routes/+layout.server.ts`.
* The following code sets the session data in the `$page` store to be available to all routes.
*
* ```ts
* import type { LayoutServerLoad } from './$types';
*
* export const load: LayoutServerLoad = async (event) => {
* return {
* session: await event.locals.getSession()
* };
* };
* ```
*
* What you return in the function `LayoutServerLoad` will be available inside the `$page` store, in the `data` property: `$page.data`.
* In this case we return an object with the 'session' property which is what we are accessing in the other code paths.
*
* ## Handling authorization
*
* In SvelteKit there are a few ways you could protect routes from unauthenticated users.
*
* ### Per component
*
* The simplest case is protecting a single page, in which case you should put the logic in the `+page.server.ts` file.
* Notice in this case that you could also await event.parent and grab the session from there, however this implementation works even if you haven't done the above in your root `+layout.server.ts`
*
* ```ts
* import { redirect } from '@sveltejs/kit';
* import type { PageServerLoad } from './$types';
*
* export const load: PageServerLoad = async (event) => {
* const session = await event.locals.getSession();
* if (!session?.user) throw redirect(303, '/auth');
* return {};
* };
* ```
*
* :::danger
* Make sure to ALWAYS grab the session information from the parent instead of using the store in the case of a `PageLoad`.
* Not doing so can lead to users being able to incorrectly access protected information in the case the `+layout.server.ts` does not run for that page load.
* This code sample already implements the correct method by using `const { session } = await parent();`
* :::
*
* You should NOT put authorization logic in a `+layout.server.ts` as the logic is not guaranteed to propagate to leafs in the tree.
* Prefer to manually protect each route through the `+page.server.ts` file to avoid mistakes.
* It is possible to force the layout file to run the load function on all routes, however that relies certain behaviours that can change and are not easily checked.
* For more information about these caveats make sure to read this issue in the SvelteKit repository: https://github.com/sveltejs/kit/issues/6315
*
* ### Per path
*
* Another method that's possible for handling authorization is by restricting certain URIs from being available.
* For many projects this is better because:
* - This automatically protects actions and api routes in those URIs
* - No code duplication between components
* - Very easy to modify
*
* The way to handle authorization through the URI is to override your handle hook.
* The handle hook, available in `hooks.server.ts`, is a function that receives ALL requests sent to your SvelteKit webapp.
* You may intercept them inside the handle hook, add and modify things in the request, block requests, etc.
* Some readers may notice we are already using this handle hook for SvelteKitAuth which returns a handle itself, so we are going to use SvelteKit's sequence to provide middleware-like functions that set the handle hook.
*
* ```ts
* import { SvelteKitAuth } from '@auth/sveltekit';
* import GitHub from '@auth/core/providers/github';
* import { GITHUB_ID, GITHUB_SECRET } from '$env/static/private';
* import { redirect, type Handle } from '@sveltejs/kit';
* import { sequence } from '@sveltejs/kit/hooks';
*
* async function authorization({ event, resolve }) {
* // Protect any routes under /authenticated
* if (event.url.pathname.startsWith('/authenticated')) {
* const session = await event.locals.getSession();
* if (!session) {
* throw redirect(303, '/auth');
* }
* }
*
* // If the request is still here, just proceed as normally
* return resolve(event);
* }
*
* // First handle authentication, then authorization
* // Each function acts as a middleware, receiving the request handle
* // And returning a handle which gets passed to the next function
* export const handle: Handle = sequence(
* SvelteKitAuth({
* providers: [GitHub({ clientId: GITHUB_ID, clientSecret: GITHUB_SECRET })]
* }),
* authorization
* );
* ```
*
* :::info
* Learn more about SvelteKit's handle hooks and sequence [here](https://kit.svelte.dev/docs/modules#sveltejs-kit-hooks-sequence).
* :::
*
* Now any routes under `/authenticated` will be transparently protected by the handle hook.
* You may add more middleware-like functions to the sequence and also implement more complex authorization business logic inside this file.
* This can also be used along with the component-based approach in case you need a specific page to be protected and doing it by URI could be faulty.
*
* ## Notes
*
* :::info
* Learn more about `@auth/sveltekit` [here](https://vercel.com/blog/announcing-sveltekit-auth).
* :::
*
* :::info
* PRs to improve this documentation are welcome! See [this file](https://github.com/nextauthjs/next-auth/blob/main/packages/frameworks-sveltekit/src/lib/index.ts).
* :::
*
* @module index
*/
/// <reference types="@sveltejs/kit" />
import type { Handle, RequestEvent } from "@sveltejs/kit"
import { dev } from "$app/environment"
import { base } from "$app/paths"
import { env } from "$env/dynamic/private"
import { Auth } from "@auth/core"
import type { AuthAction, AuthConfig, Session } from "@auth/core/types"
export async function getSession(
req: Request,
config: SvelteKitAuthConfig
): ReturnType<App.Locals["getSession"]> {
config.secret ??= env.AUTH_SECRET
config.trustHost ??= true
const prefix = config.prefix ?? `${base}/auth`
const url = new URL(prefix + "/session", req.url)
const request = new Request(url, { headers: req.headers })
const response = await Auth(request, config)
const { status = 200 } = response
const data = await response.json()
if (!data || !Object.keys(data).length) return null
if (status === 200) return data
throw new Error(data.message)
}
/** Configure the {@link SvelteKitAuth} method. */
export interface SvelteKitAuthConfig extends AuthConfig {
/**
* Defines the base path for the auth routes.
* If you change the default value,
* you must also update the callback URL used by the [providers](https://authjs.dev/reference/core/providers).
*
* @default `${base}/auth` - `base` is the base path of your SvelteKit app, configured in `svelte.config.js`.
*/
prefix?: string
}
const actions: AuthAction[] = [
"providers",
"session",
"csrf",
"signin",
"signout",
"callback",
"verify-request",
"error",
]
type DynamicSvelteKitAuthConfig = (event: RequestEvent) => PromiseLike<SvelteKitAuthConfig>
function AuthHandle(svelteKitAuthOptions: SvelteKitAuthConfig | DynamicSvelteKitAuthConfig): Handle {
return async function ({ event, resolve }) {
const authOptions =
typeof svelteKitAuthOptions === "object"
? svelteKitAuthOptions
: await svelteKitAuthOptions(event)
const { prefix = `${base}/auth` } = authOptions
const { url, request } = event
event.locals.getSession ??= () => getSession(request, authOptions)
const action = url.pathname
.slice(prefix.length + 1)
.split("/")[0] as AuthAction
if (!actions.includes(action) || !url.pathname.startsWith(prefix + "/")) {
return resolve(event)
}
return Auth(request, authOptions)
}
}
/**
* The main entry point to `@auth/sveltekit`
* @see https://sveltekit.authjs.dev
*/
export function SvelteKitAuth(options: SvelteKitAuthConfig | DynamicSvelteKitAuthConfig): Handle {
if (typeof options === "object") {
options.secret ??= env.AUTH_SECRET
options.trustHost ??= !!(env.AUTH_TRUST_HOST ?? env.VERCEL ?? dev)
options.prefix ??= `${base}/auth`
}
return AuthHandle(options)
}
declare global {
// eslint-disable-next-line @typescript-eslint/no-namespace
namespace App {
interface Locals {
getSession(): Promise<Session | null>
}
interface PageData {
session: Session | null
}
}
}
declare module "$env/dynamic/private" {
export const AUTH_SECRET: string
export const AUTH_TRUST_HOST: string
export const VERCEL: string
}