I went down the rabbit hole of using next-auth (now authjs) for a recent project. Having used Passport.js [1] for OAuth2 the last time I was doing node.js ~3 years ago, I found this library to have many footguns as comments/answers on SO and GitHub.
Seems like many people are trying to shoehorn their codebase [2] (!!) to make it work with the way the library manages sign-in flow, redirects, cookies, logout, etc. [3]
These were solved problems in the MEAN stack era with middlewares, but now that Next.js/react is the trend, people are doing everything they can to make it work - from relaxing security configs, to stashing things in the JWT just so some callback can get an additional piece of data [4].
The nextjs team for the longest time seemed openly hostile to server-side features in the GitHub issues. We ended up using the custom server feature to essentially bypass nextjs entirely so we could adequately do things like server-side auth in an explicit way using existing proven middleware. Next auth was inadequate for us mostly because of the limitations of nextjs itself. Nextjs 13.1 just added actual server-side middleware with full control of requests/responses so hopefully things will improve. I haven't fully investigated it yet but I'm hoping we can rip out all of our custom server stuff and replace it with middleware now.
> Nextjs 13.1 just added actual server-side middleware
The middleware has been available for a while, they just added a few "advanced" features it looks like.
The problem with their middleware is that it's based on their edge runtime. Which is pretty much very basic web APIs and nothing more. Unlike Express/Koa, you do not have the full node API and cannot do things like read files from the filesystem. It's a total unnecessary clusterfuck just so Vercel can get you on their cloud services. Every single day I work with Next.js I wish I had Express and a decent router.
I like fastify more than express due to the great opinions (json schema, hooks etc). I use fastify + the fastify-nextjs plugin. It works great and lets you expose custom request decorations from node.js to next.js.
The only drawback is the slow startup time of next.js, which becomes really annoying with huge next.js projects. But for smaller projects, fastify-nextjs is fine.
Same. I found this example [1] particularly helpful, although I don't know how good this [2] library it uses is. Overall, I've seen multiple OSS projects [3] that try to support a missing functionality in Next.js seem to just give up trying to keep up with their breaking changes.
We are using nextjs for everything it can do, while bypassing it for the things it can't. With 13.1 that shouldn't be necessary because it is now more capable.
Agreed. This library is so opinionated that it more or less becomes useless. You're way better off using iron-session or just go all the way and use a provider like Auth0, etc.
I work at Stytch, a company that provides an authentication API
> Seems like many people are trying to shoehorn their codebase...
This is something we're always thinking about in our product; write API first and flexibly enough so developers don't have to do cartwheels to use our product.
If you ever need to jump into authentication in Node again, give us a look!
> Seems like many people are trying to shoehorn their codebase...
Full Disclosure: I work at WunderGraph
But I think you should take a look at WunderGraph. It's vendor agnostic and allows you to choose an authentication provider that will work with your codebase.
[1] https://github.com/jaredhanson/passport
[2] https://github.com/nextauthjs/next-auth/issues/600#issuecomm...
[3] https://stackoverflow.com/questions/tagged/next-auth?sort=Mo...
[4] https://stackoverflow.com/questions/64576733/where-and-how-t...
EDIT: more links in case it helps the authors improve DX