Custom Auth - Web3 / Ethereum

Howdy folks! Thanks to several others here I was able to write my own custom authentication. Props to @edjiang, @3nvy, @danny and @bennett!

I noticed there wasn’t a single comprehensive guide (since things are changing so rapidly), so hopefully the tutorial I wrote will help anyone looking to implement their own custom auth. At the very least it’s a good crash-course on the dance between @redwood/api, @redwood/auth and @redwood/web to perform authentication.

The demo URL and source code can be found in the tutorial: https://patrickgallagher.dev/blog/2020/12/27/tutorial-redwood-web3-login/tutorial-add-web3-login-to-redwoodjs

Please let me know if you have any comments or suggestions!

I am also considering contributing this to redwood. Some questions for this:

  1. Should I contribute the client portion to @redwood/auth? I’ll need to write a separate package for this, but don’t mind the small lift.
  2. Should I contribute the server/web portion to a new web3 generator like in this firebase generator example? Alternatively should I contribute to the custom auth generator instead?
  3. Should I adapt this to a cookbook or tutorial in the official docs?

Shoutout to the amazing Redwood team. This is slowly becoming part of my core stack!

4 Likes

Thanks so much @pi0neerpat for this blog post and example!

Definitely! I read your blog before I read this forum post and … I was thinking the same thing :slight_smile:

The “web/src/auth/client.js” is really close to what the AuthProvider is already.

I think the clearest option would be to make this a “Web3” or “Ethereum” AuthProvider and maybe moving web/src/auth/client.js into a RW auth client and then moving more of the signing and verifying into the api side … maybe into its own decoder (see the Auth0 decoder that makes calls to Auth0 to get and verify the signing key).

Or - as you noted “Don’t roll your own crypto. Let users bring their own.” Maybe this is a more generic AuthProvider like CustomEncryptionAuthProvider and can plug in the encryption system they want – but that seems perhaps too much setup and customization.

I’d favor “EthereumAuthProvider” or “EthereumWalletAuthProvider” I think.

This would be a really nice addition to the auth package so I hope you choose to take it on. Happy to help in any way you need – even reviewing a draft PR.

Cheers.

1 Like

Sweet I’ll totally take you up on the offer!

I published a new package and made a draft PR https://github.com/redwoodjs/redwood/pull/1594

@pi0neerpat this is fantastic! Can’t believe it snuck by me during the holidays.

@dthyresson and @rob --> thoughts about turning his article into a Cookbook? And/or are there similar thoughts or plans in mind once the PR is merged? I know the “custom” Auth path is fraught with pitfalls and we should tread lightly on an official endorsement. But, you know, it’s probably the #1 request we get for Auth so ¯_(ツ)_/¯

1 Like

We can always use more cookbooks!

2 Likes

Assuming @dthyresson will have some great suggestions about how to help people manage and weigh the risks, let’s make this happen.

@pi0neerpat if you’re up for it, let’s revisit this topic after the PR is merged. Also, all this would make for an amazing topic at a future Redwood Meetup. (No pressure. Just excited :rocket:)

1 Like

Definitely could be a cookbook, but looks like @pi0neerpat has started a PR (Add Auth Provider - Ethereum, Pull Request #1594, redwoodjs/redwood) to integrate it as a new AuthProvider.

Could definitely use a cookbook as a how-to set up and use it – and an intro to Ethereum and the benefits, rationale for using it for authentication since many people may not be familiar with it (myself included).

1 Like

Agreed with this. Would definitely be of value!

From the conversations I’ve had with other developers, the more options we can give in terms of auth the better, so I’d love to have tons of cookbooks for all sorts of different auth methods. I think we should also provide some sort of session management as well.

By session mgmt do you mean refresh tokens? That’s something I didn’t implement yet, and would love if I didn’t have to think about it

I’ll have to ask some of the developers that I’ve been talking to about this, it’s still a little above my head but I know that some people have been asking about whether you can do any kind of session management with Redwood.

I’ve talked to Brandon about this with Blitz and it seems like it was an important thing for him to incorporate it into the framework. I don’t know if this necessarily needs to involve any of the current auth work we have now or if this would be something we’d start totally from scratch.

@dthyresson would probably be able to give a more in depth answer about what it would take to get session management into Redwood, he wrote a pretty extensive comment about this back in October.

lolling at this comment from David right after DT’s epic post

Thanks @dthyresson for this amazing reply. And now I’m really wishing this was happening on the Forums so others could find it more easily!

2 Likes