Lucia v2 (beta 3): One final push

[pilcrowonpaper]

This is a major update to Lucia, and it should be the last one!

Session reset

Instead of a new session being created (renewal), the expiration of the session is extended if it's idle (reset). Auth.renewSession() has been removed accordingly.

Middleware

With v2, Lucia no longer needs to set new session cookies when validating sessions if sessionCookie.expires configuration is disabled.

lucia({
	sessionCookie: {
		expires: false
	}
});

This should only be enabled when necessary:

• If you’re using web() middleware
• Next.js project using the app directory, or deployed to the edge

nextjs()

Auth.handleRequest() no longer accepts Response and Headers when using the Next.js middleware. Passing only IncomingMessage or Request will disable AuthRequest.setSession(). We recommend setting cookies manually when creating a new session.

// removed
auth.handleRequest({
	req: req as IncomingMessage,
	headers: headers as Headers
});
auth.handleRequest({
	req: req as IncomingMessage,
	response: response as Response
});
auth.handleRequest({
	request: request as Request
});

// new - `AuthRequest.setSession()` disabled
auth.handleRequest(req as IncomingMessage);
auth.handleRequest(request as Request);

request must be defined as well:

// v1
auth.handleRequest({
	cookies: cookies as Cookies,
	request: request as Request
});

// v2
auth.handleRequest({
	cookies: cookies as Cookies,
	request: request as Request | null
});

web()

Auth.handleRequest() no longer accepts Response and Headers when using the web standard middleware. This means AuthRequest.setSession() is disabled, and we recommend setting cookies manually.

// v1
auth.handleRequest(request as Request, response as Response);
auth.handleRequest(request as Request, headers as Headers);

// v2
auth.handleRequest(request as Request);

Creating sessions and keys

Auth.createSession() and Auth.createKey() now takes a single parameter.

// v1
await auth.createSession(userId);
await auth.createKey(userId, {
	// ...
});

// v2
await auth.createSession({
	userId,
	attributes: {} // must be defined!
});
await auth.createKey({
	userId
	// ...
});

ProviderUserAuth.createUser() has been updated accordingly as well.

const { createUser } = await githubAuth.validateCallback(code);

// v1
await createUser(attributes);

// v2
await createUser({
	attributes // its own property
});

Generate custom user and session id

generateUserId() configuration has been removed. Instead, you can now just pass the id when creating a user or session.

await auth.createUser({
	userId: generateCustomUserId()
	// ...
});

await auth.createSession({
	sessionId: generateCustomSessionId()
	// ...
});

[deadcoder0904]

curious, where are type Cookies is imported from? i can't find an auto-complete for it in vscode.

my other code also gave an error when i did request as Request but it worked when i did change it to request as NextRequest like:

const authRequest = auth.handleRequest({
    request: request as NextRequest,
    cookies,
  })

i can't find anything for Cookies though. i didn't type cookies in api routes like above but my validateSession function gives this error:

Type '() => ReadonlyRequestCookies' is not assignable to type '{ get: (name: string) => NextJsCookie; }'.ts(2322)
(property) cookies: () => ReadonlyRequestCookies

the code looks like:

import { cookies } from 'next/headers'
import { redirect } from 'next/navigation'

import { auth } from '@/app/auth/lucia'

export const validateSession = async (url: string, sessionExists: boolean) => {
  const authRequest = auth.handleRequest({ cookies })
  const session = await authRequest.validate()

  if (sessionExists) {
    if (session) redirect(url)
  } else {
    if (!session) redirect(url)
    return session
  }
}

i modified it a bit for redirects when session exists & when it doesn't exist.

[pilcrowonpaper]

What type error are you getting? Make your Next.js version is the latest.

[deadcoder0904]

i've said it above in the original comment:

Type '() => ReadonlyRequestCookies' is not assignable to type '{ get: (name: string) => NextJsCookie; }'.ts(2322)
(property) cookies: () => ReadonlyRequestCookies

do you mean latest version or canary version? i'm currently on [email protected] which is the latest canary.

github project with this branch → https://github.com/deadcoder0904/next-13-lucia-auth-drizzle-turso-sqlite-magic-link/tree/server-component-bug

although the branch is buggy bcz next.js app directory sucks & gives way too many weird errors. this is on their end, not my end. hopefully, it gets fixed.

but the bug you want to see can be seen in vscode since its just a type error.

[deadcoder0904]

bdw i think its because you've made request required property on auth.handleRequest... if i add request, it'll work since cookies was yelling before i typed request

but then how would my validateSession function change? idk how to access request property outside /api routes & the validateSession is called from pages/ or app/ directory.

[pilcrowonpaper]

Just pass null. I made it explicit because forgetting to define it for POST requests will skip CSRF checks

[deadcoder0904]

alright, passing null made the cookies type error go away too:

const authRequest = auth.handleRequest({ cookies, request: null })