I noticed there wasn’t a single comprehensive guide (since things are changing so rapidly), so hopefully the tutorial I wrote will help anyone looking to implement their own custom auth. At the very least it’s a good crash-course on the dance between @redwood/api, @redwood/auth and @redwood/web to perform authentication.
Thanks so much @pi0neerpat for this blog post and example!
Definitely! I read your blog before I read this forum post and … I was thinking the same thing
The “web/src/auth/client.js” is really close to what the AuthProvider is already.
I think the clearest option would be to make this a “Web3” or “Ethereum” AuthProvider and maybe move web/src/auth/client.js into a RW auth client, then move more of the signing and verifying into the api side … maybe into its own decoder (see the Auth0 decoder that makes calls to Auth0 to get and verify the signing key).
Or - as you noted “Don’t roll your own crypto. Let users bring their own.” Maybe this is a more generic AuthProvider like CustomEncryptionAuthProvider and users can plug in the encryption system they want – but that seems perhaps too much setup and customization.
I’d favor “EthereumAuthProvider” or “EthereumWalletAuthProvider” I think.
This would be a really nice addition to the auth package so I hope you choose to take it on. Happy to help in any way you need – even reviewing a draft PR.
@pi0neerpat this is fantastic! Can’t believe it snuck by me during the holidays.
@dthyresson and @rob --> thoughts about turning his article into a Cookbook? And/or are there similar thoughts or plans in mind once the PR is merged? I know the “custom” Auth path is fraught with pitfalls and we should tread lightly on an official endorsement. But, you know, it’s probably the #1 request we get for Auth so ¯\_(ツ)_/¯
Assuming @dthyresson will have some great suggestions about how to help people manage and weigh the risks, let’s make this happen.
@pi0neerpat if you’re up for it, let’s revisit this topic after the PR is merged. Also, all this would make for an amazing topic at a future Redwood Meetup. (No pressure. Just excited.)
Could definitely use a cookbook as a how-to setup and use it – and an intro to Ethereum and the benefits, rationale for using it for authentication since many people may not be familiar with it (myself included).
From the conversations I’ve had with other developers, the more options we can give in terms of auth the better, so I’d love to have tons of cookbooks for all sorts of different auth methods. I think we should also provide some sort of session management as well.
I’ll have to ask some of the developers that I’ve been talking to about this, it’s still a little above my head but I know that some people have been asking about whether you can do any kind of session management with Redwood.
I’ve talked to Brandon about this with Blitz and it seems like it was an important thing for him to incorporate it into the framework. I don’t know if this necessarily needs to involve any of the current auth work we have now or if this would be something we’d start totally from scratch.
@dthyresson would probably be able to give a more in depth answer about what it would take to get session management into Redwood, he wrote a pretty extensive comment about this back in October.
lolling at this comment from David right after DT’s epic post
Thanks @dthyresson for this amazing reply. And now I’m really wishing this was happening on the Forums so others could find it more easily!