cookies with convex
I am trying to implement Lucia v3 with Convex by following the guide on https://stack.convex.dev/convex-with-lucia
The end of the guide mentions localstorage is used to store the session. If I changed it to a secure httponly cookie, does this create a problem for convex? Is it that convex websockets don't see the session cookie? So if that's the case we are left with a less secure localstorage option?
And finally, I wonder how is clerk auth implemented, since clerk stores JWTs in a secure cookie.
Thanks for any help you can provide understanding auth flow.
20 Replies
You can use http actions to login, and in the response on the login success or on a valid session check you can store the sessionId in state
So your session will be in an http only cookie
In svelte I pass the session with event.locals so then I can pass my sessionId to whatever I need, but most of my actions are via http
This is an example https://github.com/vynxc/convex-chat-rooms/blob/main/src/hooks.server.ts
It's not great code, at all, but it works as it was just a demo
v's approach above is nice
@Northerncoder Clerk also uses localstorage to store the session; as you've suggested, a secure HTTP-only cookie doesn't help with WebSocket auth when that WebSocket is on a different domain. (modulo third party cookies, which don't have good browser support anymore)
GitHub
How is Clerk actually secure if the session in non-http? · clerk · ...
Sorry in advance if this is a dumb question, but in reading the docs for Clerk, apparently Clerk secures against XSS attacks by creating short-lived session access token (__session cookie). But, ho...
thanks for the link for this thread. the discussion there addresses exactly the confusion I was having.
thank you, i will take a look at your implementation
GitHub
GitHub - vynxc/synchrony-app
i have this repo too but it's not complete though it works well
the backend can be used for any frontend
it's basically the same as the previous repo
if you need any help i can try to assist
thank you. i see you created a v3 lucia adapter. i have been looking for one. i managed to make my own but i will be referencing yours to see how close i got
i basically just did as they did in the Lucia demo just upgraded it
We are working on standalone Auth and will be releasing a beta soon, FYI.
Thank you Michal, I am interested in the beta. Just curious does the standalone auth use local storage strategy or does it do the two cookie strategy that clerk uses.
It'll use localStorage for SPAs (and custom storage for RN), cookie for Next and other server-side frameworks (maybe even for Vite in the future if Vite SSR gets very popular).
Thank you
Hey @Michal Srb , is there an ETA for the standalone Auth beta release? would you say it is due within this month?
2030
also would we be able to do password auth like Lucia or will it only support OAuth?
It will support password, and will be released this month.
Repo went public recently
Common w
https://labs.convex.dev/auth
Oh cool!