If you want to finish your projects, do not watch KZbin influencers 😅, you'll never finish

NextAuth was pretty horrible when I tried setting it up. Had it running for a couple of weeks before ripping it out because it just didn't work correctly. It couldn't handle refresh tokens correctly, and it was really messy catching expired sessions across client components, server components, server actions, and an external rest API. Wayyyy too abstracted and the docs were pretty awful for anything but the most trivial of set ups. I ended up moving auth completely to the restapi backend, which used zitadel of identity management via oauth and express session to set cookies. Next just needs to redirect to login if the backend sends 401 or there's no cookie set. Easy.

Today I had a chat with the creator of authjs in their discord and he told me that if I wanted real-time authorization management I should go with a "db session" strategy for my credentials provider. When I asked him where the documentation is on that he told me "no, we don't recommend it. if you need it, we think you should implement it with care and consideration, having the right knowledge to do so. People often don't realize that it's more than just the code. bot protection, pw management/rotation, etc. That said, it's fully possible to do it, in like 20 lines of code, if you know what you are doing " . And then he proceeded to gloat about how flexible authjs is. So tldr: "authjs can do it but he won't write any documentation because he's against certain ways of authentication". So weird.

Next-auth's credentials setup is pain in the a**.

Lucia is great, and the accompanying "Copenhagen book" is a good reference for implementing auth. I actually removed Lucia itself and implemented my own flows based on it, for more flexibility. Also, my opinion on SSO, Soc-2 etc. is that that's only relevant when working with enterprise customers. That's when you should consider a 3rd party service.

This was extremely helpful for my use case. My application required Credentials based login, and then a feature where a user could sync multiple Google accounts to their profile. This made auth strategies with NextAuth a mess, or at least non-intuitive since I'm not an expert on auth implementations. Lucia seems to be exactly what I needed. Your video could not have been timed better, I was literally assigned this the day before you published this video lol. Thank you for your straight forward content!

I've been using lucia for almost 3 months now and I really like it, it helped me understand how auth really works. But now that I understand, I don't see too much value on lucia: it's just creating and managing sessions on your db which isn't hard at all. At this point it might be better to just own the whole flow and be fully flexible. I see value in Arctic/Oslo though.

I had spend 2 days to implement email pass in next auth, At that point I just realised why I’m wasting my time

after 1 month next-auth setup, i give up, planning to move to lucia as well. next-auth is the most painful js lib i have ever use.

I love this channel. Just a guy showing you how hes doing interesting things and why. Easy to watch and useful. Keep it up

have you thought about rate limiting? would love to see a tutorial on that

I totally agree with you. It's interesting that a lot of these libraries are trying to steer people away from using passwords and yet, pretty much every single online service I use (KZbin, Google, Azure, AWS, etc...) still uses passwords!

What are you doing when a user regsiters but has not verified his account? I mean, do you allow the account to be re-registered when not verified? Any thoughts?

Do you have an example on how to fix the JWT callback to get access to data from authorize in NextAuth? It does not get the data that is passed from my authorize function...

when you click on sign in with google then why it will display "See the 3 services ". It looks bad, when some KZbinrs make their video on next auth then on consent screen page it will be user friendly, not like your consent screen page.

I've been using both next auth and Lucia at my job and for my personal projects for the past 1.5-2 years. Both of them can do the job of credentials sign in. The main difference is that next auth has a total mess of docs. Next auth requires a bit more work if you need multiple providers + credentials, a custom adapter if your db isn't supported out of the box(in case ya need a db session management). On the other hand Lucia provides clean docs and great support over discord. Depending on the requirements, time, money I swap between the two. My personal opinion on which is better hands down is Lucia. Keep in mind if I remember correctly Lucia needs a db to work where next auth can work with jwt strategy.

Have you a session invalidation exemple with lucia-auth ?

if I am using strapi, what is the best way to actually do authentication? I am also using next.14 >

i am also want to use lucia in my next.js app, but i cant figure out how to get the session in client component other than getting it in the page/server component level and passing it as a props. You will help me a lot if you share with me the solution to this problem.

OMG, this is just painful and it sucks , everything with next-js just makes me cringe!!, am not really a hater but my GOD WHY?? WHY THE PAIN?!, btw, how is the dev hot reload now, it used to suck with the app router, i never tried the pages router!!

For NextAuth you need to do the db lookup of your user in the authorize callback then the object you return will be passed to the jwt callback and inside there you return the token param of the jwt callback, after that the session callback is run with the session and token able to be destructured from the param, you need to then return the session from this callback. Perhaps it's not clear in the docs but once you know, it's pretty trivial

Please Help me out here. In my case, i don't have access to the database. I only have access to the API endpoints (built in another framework ,by another set of devs, on a separate server), that provides tokens for login, all user info and stuff. So my nextJs app consumes data provided by the endpoints. Can i still use Lucia to handle authentication or should i just do the authentication my self. I tried next auth, didn't work out fine because it's very opinionated.

Is the project you are working on github? Would you mind creating a template with your implementation of lucia? Ive read the docs but somehow couldnt get it to work properly especially oauth

Idk, for me lucia seems much more intuitive than next-auth even though I'm seeing this code for the first time. You don't have weird callbacks that you don't know what they do.

I somehow got it to work. I am using page router if that matters, but you need to add thr session to the callbacks and set up jwt. You also can add role.or whatever to the user, just add it with a default.value then change it later

Did you run into issues with next.js middleware with lucia. My issue with lucia which i ran into few weeks ago (not sure if there is a solution for it) was trying to set up protected pages in the middleware, where i wanted to redirect the user to the auth page if they are not logged in, obviously i didn't want to do it manually in every page/API route, but I had problems running lucia in edge runtime, so I had to go with next-auth. Wondering if you have any experience with that.

What you think about Kinde? it looks nice and easy to setup

wouldnt bcrypt be better than crypto for passwords?

Good job babe!!!! I’m first!!! Finally again haha

Will the wdc starter kit also move to lucia? In the landing page it still says next-auth

Why don't you implement your own authentication/authorization instead of jumping from one library to another?

How is Lucia going for you now😂. Time to make another video on how it actually sucks.

I like the idea of owning my own auth flow, but have never been able to implement it to my satisfaction and with the level of security that I want. Of course, the password reset flows are always fun to build too. Great learning experience, but like I was told a long time ago, you can do it, but by the time you’re done you’ll realize why you should have just offloaded it to a 3rd party…, and then you’ll be spending all your time supporting it and not the app you were building.

Omg Cody. I just spent hours implementing auth with edgedb because of some hackathon, before which I spent a week on a custom implementation of next auth with drizzle, after figuring out a prisma client and auth solution. I may as well roll out with this too... I'm starting to agree with prime that it's probably just better to learn to roll your own auth lol😂

Can you please do a lucia auth in a mern stack

Hello, you have multiple websites with drizzle how do you have multiple databases is it for free ?

how do you deal with forget password ?

I noticed on SignIn that you’re grabbing the user.salt and user.password back from the getUserAccountByEmail SS script when running the verifyPassword function, but I don’t see you using iterations anywhere. Why is that?

I entirely agree about Next-auth. From the moment I found it I decided I wouldn't be using it. The consumers I'm targeting with my apps distrust google and are very familiar with the email/password setup, just like you said.

name of your vscode theme?

can you please try it with convex please 🙏

Dude Cory, I love your videos. You taught me how to generate PDFs with puppeteer and SST. But the Credentials provider in next-auth is extremely powerful. I use it for email password but I also use it for phone OTP verifications. Once you understand how it works, and yes that's a big hurdle, the Credentials provider is basically a back door to a very awesome auth system.

How about Kinde auth?

Had lucia on my list to try for a while, I like the extra control compared to next Auth

How about Clerk?

Yeah I don't mind next-auth's stance on credentials login, but would appreciate if they didn't actively prevent you from doing it if you want/need to have it in your app. Have a big red banner saying you think it's not the optimal/secure way, but at least give a good (secure by default) way to do it. I think them avoiding it will lead to mistakes and people storing plain text passwords in their db just because they don't know better.

Lucia is pretty great compared to NextAuth, because the logic is not that hidden and it shows you that auth is actually not that hard. I now switched to implementing everything by myself and i recommend everybody to do this at least once.

Hey Cody, can we maybeee expect some Remix content? 👉👈

oh, it's so messy, when you try to add multiple of these. Especially hostile ones like Twitter...

ive used lucia-auth for a few months now. love it. whats that maintenance.tsx file? :D

I have to disagree with you on the Next Auth Credentials take. Nextauth has a callbacks section in the documentation explaining what each method does and how to set them up. If you look under the hood of other providers you’ll see they have the same setup. Next Auth doesn’t provide an implementation step directly for the Credentials flow cause they don’t recommend it but they don’t make it any more difficult than setting up third party Oauth either.

Why not supabase?

And now Lucia is deprecated and not covered anymore 🤣

This is also why i never used next-auth...

I dont like Laravel for a lot of things but at least it has the auth figured out. Its *so* streamlined that it puts js frameworks to shame...

I have used both of them. As you said, lucia has lot of duplication of code. You said you can abstract out those parts, but that is the exact thing authjs is doing 😂. So you will end up at authjs somehow. But yeah as you said "Sometimes Duplicate code is okay" agree 💯💯💯

I love the control over the authentication flow and the "lessons learned" trying it.. but I would never use this at my company. There is a reason why companies like auth0 exist. The developer experience of next-auth kinda sucks, but at least there is a big community with a lot of plugins. Adding authorization is also easier.. As much I would love to do it on my own, I think the topic is too critical. xD

remix with remix-auth is also nice

Thank God for clerk js

But you've spent years telling us to use it, and now we aren't supposed to??

Classic case of devs making stuff for themselves not for customers lol

Don’t forgot to remove those console.logs 😂

Table gf_session should be called date

move back to next-auth because lucia is getting deprecated 😂😂😂😂

Switch to Nuxt

Your starterkit seems like too complex. Definitely you should call it finisherkit

Kinde✨️

Clerk > All Auth library

Nextjs is useless without websockets

aaand it's deprecated hahah :(

NextAuth is just overly complicated. Like most libraries are! Even lucia is too much for my taste. Lucia uses oslo under the hood which comes from the same author. With oslo alone you can easily create your own auth and if you dont understand how you should just dont do auth on your own.

Nextauth have a good amount of features, but I have to agree that their documentation is terrible, it is one of the worse documentations that I have seen. I think only java manages to be worse than them.