Convex Auth: Shared session across subdomains
Question about Convex Auth: Does it support shared session across subdomains?
22 Replies
Yeah, if you use the SPA React client (not Next.js), then you can share sessions across subdomains and domains.
Okay, thanks! Just wondering why there is a client for Next.js, what are the pros of that, is it only SSA?
Also, is there a specific setup for sharing sessions and how does it work in localhost? Do I need to map localhost:3000 to *.example.local:3000 for the browser to allow it?
It's SSA (authed SSR). It also moves the refresh tokens to an http-only cookie, so it's a bit safer against XSS attacks.
The localStorage key is based on the backend's URL:
See storageNamespace in https://labs.convex.dev/auth/api_reference/react#convexauthproviderreact
Thanks, but I'm afraid I still don't get how to solve it.
My setup is that I have wildcard subdomains (*.example.com) along with static ones (auth.example.com, app.example.com).
I got the setup to work with NextAuth where I put the domain setting in the sessionCookie to ".example.com" making it work across subdomains.
Can I achieve this by setting storageNamespace to ".example.com" or something else?
You shouldn't need to do anything. As long as you're using the same Convex backend across all those subdomains.
The React provider doesn't use cookies.
Okay, then there's something else going wrong for me.
I guess it could be problematic that I have mapped localhost to example.local, since the Convex Auth implementation doesn't use cookies?
That was my workaround for cookies to be working in local dev with next auth.
It shouldn't matter. What isn't working for you? You might need to configure redirectTo if you're using OAuth or magic links.
This happens when I try to login with oauth
Can the <ConvexAuthNextjsServerProvider> or convexAuthNextjsMiddleware be a problem?
I sometimes successfully get the authJwt in localStorage
But then going to another subdomain, it's not there
I guess with shared session in my case is that you can authenticate on auth to set the session token on all subdomains so you don't have to relog whenever you go to another subdomain
And I know this is possible with cookies but not sure about local storage
Yes, these use cookies.
You'd need to use @convex-dev/auth/react Provider instead of @convex-dev/auth/nextjs. Do you need SSR?
If you do need Next.js, we'll need to allow you to control the cross domain checks and cookie settings. Filed an issue for it:
https://github.com/get-convex/convex-auth/issues/49
Yeah, I mean it's way easier if I can authorize either in middleware or in server side layouts.
So if I understood you correctly, this combination of sharing auth cross subdomains and server side auth is not possible currently?
Note that authorizing in server side layouts is not secure (the pages will still render).
How much control do you need, would allowing all subdomains to have access to auth be good enough for your use case?
Alright, yeah, with NextAuth I authorized in middleware, where I basically redirected them to home if they were not authorized and to auth if they were not authenticated. So optimally would be if I can check a userId in middleware redirect from there.
Yeah, that's how Convex Auth is set up too:
https://labs.convex.dev/auth/authz/nextjs#require-authentication-for-certain-routes
I was checking whether you're ok with all subdomains sharing the same auth session, or whether you need more granular control?
Not sure what more granular control would be, so probably fine with sharing the same auth session. I guess that's what I have done previously.
I have another question I hope you can help me with. I'm currently using Hono in http.ts. Is it possible to combine that with Convex Auth?
Thanks, will test it eventually