v3 RFC: Request handling

[pilcrowonpaper]

I'm not sure if this should be part of v3 or v4, but since it doesn't change existing v3 changes, I thought it might be fine to be part of the next update.

Anyway, this RFC proposes to remove middleware and remove the caching feature from AuthRequest.validate(). This makes the API more simple and the behavior predictable.

Changes

Remove middleware

Making sure handleRequest() is properly typed based on the middleware sucks,s and it's impossible to properly document it in the API reference. Instead of middleware, we'll provide framework specific RequestContext, similar to adapters.

import { HonoRequestContext } from "lucia/request";

const lucia = new Lucia(adapter, {
  // no more middleware option
});

app.get("/", async (context) => {
  const requestContext = new HonoRequestContext(context);
  const luciaRequest = lucia.handleRequest(requestContext);

  const { session, user } = await luciaRequest.validateSessionCookie();
});

Remove caching feature

AuthRequest.validate() and AuthRequest.validateBearerToken() currently caches the result so you can call it multiple times without making multiple database calls. But like the famous saying, caching sucks. This would make documenting the API easier as well. (validate() will be renamed to validateSessionCookie())

const luciaRequest = lucia.handleRequest(requestContext);

// 2 total db calls
const { session, user } = await luciaRequest.validateSessionCookie();
const { session, user } = await luciaRequest.validateSessionCookie();

Move CSRF protection option

Right now, options for CSRF protection is globally defined:

const lucia = new Lucia(adapter, {
  csrfProtection: false,
});

It'd made more sense to move it within AuthRequest.

const luciaRequest = lucia.handleRequest(requestContext);

const { session, user } = await luciaRequest.validateSessionCookie({
  allowedDomains: ["admin.example.com", "example.com"],
});

const { session, user } = await luciaRequest.validateSessionCookie({
  allowedDomains: "*", // disabled protection by allowing all
});

Should it an option in handleRequest() instead?

Migration steps

For projects that don't utilize the caching feature, it'll be simple as replacing the middleware.

SvelteKit

// src/hooks.server.ts
import { SvelteKitRequestContext } from "lucia/request";

export async function handle({ event, resolve }) {
  const requestContext = new SvelteKitRequestContext(event);
  event.locals.auth = lucia.handleRequest(requestContext);
  const { user } = await event.locals.auth.validateSessionCookie();
  event.locals.user = user;
  return await resolve(event);
}

Astro

// src/middleware.ts
import { AstroRequestContext } from "lucia/request";

export async function onRequest(context, next) {
  const requestContext = new AstroRequestContext(event);
  context.locals.auth = lucia.handleRequest(requestContext);
  const { user } = await context.locals.auth.validateSessionCookie();
  context.locals.user = user;
  return await next();
}

[david-plugge]

Hi! I just stumbled across this repo while building my very own auth library which looks surprisingly similar.
I just had the same question, how do i handle requests for all the different frameworks?
My idea was very similar to yours, but instead of calling auth.handleRequest(...) i do new SvelteKitAuthRequest(auth, ...). This makes it easy to add framework specific methods to the AuthRequest.

[pilcrowonpaper]

In this RFC, SvelteKitRequestContext implements RequestContext which includes the request method, header, and an method to set cookies

[david-plugge]

I´m talking about something like this:

import { SvelteKitAuthRequest } from "lucia/request";

export async function handle({ event, resolve }) {
  event.locals.auth = new SvelteKitAuthRequest(auth, event, { csrf: ... });
  const { user } = await event.locals.auth.validateSessionCookie();
  event.locals.user = user;
  return await resolve(event);
}

[pilcrowonpaper]

Oh, are you asking why I didn't go with that API design? It's just more consistent with the existing adapter model we have