Rename client/server sessions to stateless/database

- Feedback from Balazs
vercel-labs · Mar 19, 2024 · a25de2e · a25de2e
1 parent 8c402b3
commit a25de2e
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 6 deletions.
diff --git a/app/auth/01-auth.ts b/app/auth/01-auth.ts
@@ -14,7 +14,7 @@ import {
   LoginFormSchema,
   SignupFormSchema,
 } from '@/app/auth/definitions';
-import { createSession, deleteSession } from '@/app/auth/02-client-session';
+import { createSession, deleteSession } from '@/app/auth/02-stateless-session';
 import bcrypt from 'bcrypt';
 import { eq } from 'drizzle-orm';
 import { redirect } from 'next/navigation';

diff --git a/app/auth/02-server-session.ts → app/auth/02-database-session.ts b/app/auth/02-server-session.ts → app/auth/02-database-session.ts
@@ -1,9 +1,19 @@
-// Option 1: Client-side stateless session with cookies | Optimistic auth check
-// Option 2 (this file): Server-side sessions with tokens (or session ID) stored in a database | Secure auth check
+// Option 1: Stateless session with cookies | Optimistic auth
+// Option 2 (this file): Database sessions with tokens (or session ID) stored in a database | Secure auth
 
 // This file goes through **servers-side session** management
 // See `middleware.ts` and `03-dal.ts` for the authorization / data access logic
 
+// Store session ID, encrypted in a cookie
+// Ensure the user is logged with the cookies (optimistic)
+// Combine database with stateless session
+// A session can contain more information than the current state, e.g. role, expiresAt, etc.
+// Solving out of sync issues with database <> cookie
+
+// Look into vercel kv / redis for storing sessions (for faster data retrieval)
+// Discuss handling multiple devices (benefit of using database session)
+// https://authjs.dev/concepts/session-strategies
+
 import 'server-only';
 
 import { db } from '@/drizzle/db';

diff --git a/app/auth/02-client-session.ts → app/auth/02-stateless-session.ts b/app/auth/02-client-session.ts → app/auth/02-stateless-session.ts
@@ -1,11 +1,13 @@
-// Option 1 (this file): Client-side stateless session with cookies | Optimistic auth check
-// Option 2: Server-side sessions with tokens (or session ID) stored in a database | Secure auth check
+// Option 1 (this file): Stateless session with cookies | Optimistic auth check
+// Option 2: Database sessions with tokens (or session ID) stored in a database | Secure auth check
 
 // This file goes through **client-side session** management
 // See `middleware.ts` and `03-dal.ts` for the authorization / data access logic
 
 // Recommend jose as it supports Edge Runtime (Middleware)
 
+// Context: next.config.js is hard to maintain (e.g i18n)
+
 import 'server-only';
 
 import { SignJWT, jwtVerify } from 'jose';

diff --git a/middleware.ts b/middleware.ts
@@ -1,5 +1,5 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { verifyClientSession } from '@/app/auth/02-client-session';
+import { verifyClientSession } from '@/app/auth/02-stateless-session';
 
 // Client Sessions can be verified in Middleware
 // as we're only checking for a cookie in the headers