Auth

Next-auth

This project uses NextAuth for authentication.

Why NextAuth?

NextAuth is by far the most popular auth library for Next.js.

https://npmtrends.com/@clerk/clerk-react-vs-next-auth-vs-supabase

It allows you to keep all your user data in one place, in your own database.

This is in contrast to hosted solutions such as Auth0 or Clerk, where your user data is kept in a separate database from the rest of your application data. That split adds complexity and potential points of failure to your app.

Keeping all your user and auth data in one database, next to all your other data, gives a much more robust and seamless developer experience.

You also own your data and database, instead of outsourcing them to a third-party company that can go out of business or be the target of a cyber attack.

Passwordless?

NextAuth discourages using passwords and does not even support password auth. The industry is moving towards passwordless auth, with technologies such as WebAuthn on the horizon.

To make this project future-proof and work well with NextAuth, password auth is not supported.

WebAuthn

https://webauthn.guide

https://duo.com/blog/the-passwordless-future-is-here-are-you-ready

Passwords are ok for small internal apps.

https://nextjs.org/learn/dashboard-app/adding-authentication

The implementation in the Next.js tutorial is an overly simplistic setup and should not be used in public-facing apps. It ignores throttling and many other security features that are needed when implementing password auth.
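To make the throttling point concrete, here is an added example (not code from this project or from the Next.js tutorial) of a per-account throttle for failed password attempts with an exponentially growing lockout. It assumes in-memory state (a multi-instance deployment would keep it in Redis or the database) and a caller that keys on a normalised email address, optionally combined with the client IP.

```typescript
// Added example: throttle failed password attempts per account key.
// State is kept in memory here (assumption); share it via Redis or the
// database when more than one server instance handles logins.

interface AttemptState {
  failures: number;    // consecutive failed attempts
  lockedUntil: number; // epoch ms; 0 when not locked
}

export interface ThrottleDecision {
  allowed: boolean;
  retryAfterMs: number; // 0 when allowed
}

export class LoginThrottle {
  private readonly state = new Map<string, AttemptState>();
  private readonly freeAttempts: number; // failures before the first lockout
  private readonly baseLockMs: number;   // length of the first lockout
  private readonly maxLockMs: number;    // cap on exponential growth

  constructor(freeAttempts = 5, baseLockMs = 30_000, maxLockMs = 15 * 60_000) {
    this.freeAttempts = freeAttempts;
    this.baseLockMs = baseLockMs;
    this.maxLockMs = maxLockMs;
  }

  // Call before verifying the password: a locked account is refused
  // without spending CPU on the password hash.
  check(key: string, now = Date.now()): ThrottleDecision {
    const s = this.state.get(key);
    if (!s || s.lockedUntil <= now) return { allowed: true, retryAfterMs: 0 };
    return { allowed: false, retryAfterMs: s.lockedUntil - now };
  }

  // Call after a failed verification: every failure past the free budget
  // doubles the lockout, up to maxLockMs.
  recordFailure(key: string, now = Date.now()): ThrottleDecision {
    const s = this.state.get(key) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.freeAttempts) {
      const exponent = s.failures - this.freeAttempts;
      const lockMs = Math.min(this.baseLockMs * Math.pow(2, exponent), this.maxLockMs);
      s.lockedUntil = now + lockMs;
    }
    this.state.set(key, s);
    return this.check(key, now);
  }

  // Call after a successful login so a legitimate user is not penalised later.
  recordSuccess(key: string): void {
    this.state.delete(key);
  }
}
```

Return a generic "invalid credentials" message whether the attempt was refused by the throttle or by the password check, so the response does not reveal which accounts exist or are locked.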

If password auth is absolutely required, lucia-auth would be a solid choice: https://lucia-auth.com

Google Login

This project also uses Google OAuth for login and signup.

https://next-auth.js.org/providers/google

https://authjs.dev/guides/providers/custom-provider

Mailtrap

If you would like to use a hosted email provider in development, check out Mailtrap. To set up Mailtrap or another SMTP server, substitute the credentials in the nodemailer transporter and use that transporter to send emails in the sendEmail.ts file.

JWT vs Session

This project uses session-based auth instead of JWTs. Session auth is more robust and ensures a single source of truth for auth state, which is important in a multi-tenant app.

https://stytch.com/blog/jwts-vs-sessions-which-is-right-for-you/