custom auth
Hi everyone,
I want to build an app for internal use with basic email/password auth and I don't want public sign-up. I followed the Convex doc to implement auth using Supertokens [https://supertokens.com/] but haven't been successful yet. I'm getting stuck with the hook 'useAuthFromProviderX'. Just wondering if anyone has experience getting this working with a third-party service other than Auth0 or Clerk.
3 Replies
Hi @An, I would suggest using our Lucia integration, which gives you email+password authentication without any additional services/servers required.
If you’re using Next.js you can get a demo app setup with
npm create convex@latest
and choose Next.js and Lucia.
Or checkout the library (links to integration docs):
https://www.npmjs.com/package/@convex-dev/convex-lucia-auth
If you do want to stick with Supertokens, you'll have to build the useAuthFromSupertokens hook, and make sure it returns the JWT token that you got from the Supertokens server.
Thanks Michal! I saw convex-lucia-auth is still vulnerable to XSS attacks. What are the odds it can happen? Sorry, I'm new to programming, so this concept of security is not very clear to me.
An XSS attack would be if you let someone (a hacker) run JavaScript code on your website. For example, if you had a text input field, wrote the text to the database and then rendered the text as HTML on the page. In React you'd have to use dangerouslySetInnerHTML:
https://react.dev/reference/react-dom/components/common#dangerously-setting-the-inner-html
So provided you're sticking with React for rendering your HTML your app should be safe from XSS attacks and the Lucia auth setup should work well.
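As an added example (not code from Convex, Lucia or any of the replies above), here is the stored-XSS flow Michal describes, simulated in plain JavaScript with no browser and no React. The comment text is saved to a constructed in-memory array standing in for the database, then rendered two ways: renderUnsafe interpolates the stored string straight into markup, which is what dangerouslySetInnerHTML does, and renderSafe escapes it the way React escapes string children (&, <, >, " and '). The function names and the sample submissions are this example's own.

```javascript
// Added example: the stored-XSS flow from the reply, simulated in plain JavaScript
// with no browser and no React. Names (saveComment, renderUnsafe, renderSafe,
// hasInjectedTag) are this example's own, not Convex or Lucia APIs.

// Constructed sample input: what two users typed into the comment field. The
// second is an attacker payload; a browser runs the onerror handler when the
// bogus image fails to load, so no <script> tag is needed.
const SUBMISSIONS = [
  "hello team",
  '<img src=x onerror="alert(document.cookie)">',
];

// Stand-in for the database table: rows are stored exactly as submitted, which
// is fine. Storing raw text is not the bug; rendering it as HTML is.
function saveComment(db, text) {
  db.push({ text });
  return db.length;
}

// Vulnerable rendering: the stored string is dropped straight into markup.
// This is what <div dangerouslySetInnerHTML={{ __html: comment.text }} /> does.
function renderUnsafe(comment) {
  return `<p class="comment">${comment.text}</p>`;
}

// Escape the five characters React escapes when it renders string children.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: equivalent to writing {comment.text} as a JSX child, so
// the payload becomes visible text rather than a live <img> element.
function renderSafe(comment) {
  return `<p class="comment">${escapeHtml(comment.text)}</p>`;
}

// Crude check used by the demo: does the markup inside the wrapper contain a tag?
function hasInjectedTag(html) {
  const inner = html.replace(/^<p class="comment">/, "").replace(/<\/p>$/, "");
  return /<[a-zA-Z!\/]/.test(inner);
}

// Run every submission through both renderers and report which ones leak a tag.
function demo() {
  const db = [];
  SUBMISSIONS.forEach((text) => saveComment(db, text));
  return db.map((row) => ({
    text: row.text,
    unsafeInjects: hasInjectedTag(renderUnsafe(row)),
    safeInjects: hasInjectedTag(renderSafe(row)),
  }));
}

console.log(demo());
```

Run it with node: the attacker row reports unsafeInjects true and safeInjects false, because renderSafe turns `<img ...>` into `&lt;img ...&gt;`, which a browser displays as text and never parses as an element. That is the whole point of the reply: as long as user text reaches the page as a JSX child and not through dangerouslySetInnerHTML, the escaping happens for you.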