Goals:
Relevant parts:
@urql/svelte
, graphql
, @urql/exchange-auth
, magic-sdk
$lib/stores/auth.js
- there's a lot of auth logic it handles, most notably auth state and login/refresh tokens.login()
is very flexible, doesn't redirect, and can even be used on a widget. Doesn't have to be on a login page.isAuthenticated
derived store. This is what the login page does.$lib/gql/
schema.gql
, setup.fql
, urql.js
login.svelte
- also acts as signup. Looking good 👩🍳 chef's kiss.env.example
- public env variables only, remove .example to usesvelte.config.js
- vite config to alias web optimized GraphQL, b/c standard package is required for codegen introspectioncodegen.yml.example
- optional introspection script config, expects Fauna any secret in your db (public works too)initClient()
somewhere. Normally that's in __layout
setup.fql
login_user function's ttl
to suit your desired access token expiry target. Default 30 days, which may be too long for most tastes'.Refer to https://github.com/armchair-traveller/mlfkn for login backend. Very simple and easy to adapt to other serverless platforms.
Comments in source code starting with these denote areas of configuration:
TODO
- required config/field. Some of it you might have to fill in or it might produce unexpected behavior / bad code⚙
- :gear: emoji: optional config you can tweak to enable/disable or adjust.Any other starting symbols follow default better-comments format.
src/lib/gql/schema.gql
./setup.fql
commands, one block at a time..example
suffix from all root config files, replacing if necessary (you'll fill them in).codegen.yml
. Optional: Create a public role to use w/ it instead.npm gen
.env
. Add Magic secret key to your login backend.TODO: Check if any lacking steps
Upload schema: Fill in your server secret for the curl command (or just upload from dashboard)
curl -H 'Authorization: Bearer <FAUNA_SECRET>' https://graphql.fauna.com/graphql/import?mode=merge --data-binary "./src/lib/gql/merge.gql"
Then generate introspection for the schema: npm gen
A refresh token flow is used where Magic manages email validation. However, the consumer doesn't have to manage sessions, cookies, or JWT pertaining to the refresh token. Magic does that for you but internally, if the auto-refresh option is turned on, it's using IndexedDB so you must be wary if you have potential XSS vulnerabilities. Though you really don't have much choice if your backend isn't on the same site and you want your app to work on privacy-focused browsers like Brave.
auth.js
store keeps auth info in memory@urql/exchange-auth
silently manages refreshing on expiration or token invalidation (auth errors), logging out on failure to refreshauth.js
, removing localStorage and adding Magic.user.isLoggedIn() to .isAuthenticated(), and set to always init defaults. As well as init refresh in urql.js
.