I am trying to write an app using SvelteKit, and I have run into an issue and I am not sure of the best way to proceed.
My problem is that I want to use Netlify Identity to manage users in my app, but I cannot figure out how to verify users’ identity on the server with SvelteKit endpoints. I know that the Netlify Functions Docs state that the context parameter will contain the decoded JWT claims if the JWT is provided and is valid. That is great, but with SvelteKit, Netlify automatically turns the framework’s endpoints into a single Netlify Function called “render”. This is very convenient for code that doesn’t require auth, but there doesn’t seem to be any way to access this verified JWT from within the SvelteKit endpoints.
The only option I can think of is to ignore SvelteKit’s notion of endpoints entirely and just rely purely on Netlify Functions. I am wondering if this is the correct way to do this, or is there a better way? Can I somehow get this identity passed into the SvelteKit endpoints? Can I somehow verify the JWT within the endpoints?
I’ve seen this post, but it doesn’t answer my question. I read through the code and as far as I can tell, it manually sets the JWT as a cookie so the SvelteKit endpoints can access it, but then it just extracts the claims from the JWT without verifying the signature.
Sorry for the delay. Let me just confirm if we’re looking at the same thing here.
By this line, it appears to me that, you’re trying to verify the signature and only that part is the problem. I’m assuming everything else is working?
So if you’re just having troubles verifying, Here’s how that would work:
To “verify” the validity of JWT, you need to know the JWT password. Now, Netlify sets a unique JWT password for each site and there’s no way for you to see it. So you can’t do the verification yourself. However, if you’re seeing a user in context.clientContext in Netlify Functions, you can be sure it’s verified by Netlify.
However, if you have Business plan, you can set a custom JWT secret to sign and decide your JWTs. You can use that password to verify your tokens in the functions. However, you’d have to set the password as an environment variable too, to be able to access them in Functions.
By this line, it appears to me that, you’re trying to verify the signature and only that part is the problem. I’m assuming everything else is working?
This is correct
However, if you’re seeing a user in context.clientContext in Netlify Functions, you can be sure it’s verified by Netlify.
This is the core of my issue. SvelteKit endpoints don’t have access to this field as far as I am aware, even though they are running as a function. My question is how do I verify the JWT if I cannot access this field.
What I meant was, a reproduction repo is what would help us directly check what is happening and what we can suggest. Unfortunately, we do not have the bandwidth to spin up a test case for each and every thread, so it really helps when we have the reproduction right in front of us.
This is a SvelteKit Endpoint, which is an abstraction over serverless functions. Netlify Functions seems to automatically map these abstract serverless functions into something that is compatible with Netlify Functions. This is lovely, but my question is basically is that context argument completely lost in this translation, or is there some way to get at it?
there it was being discussed if the context argument should be passed on to the function or not. Well, I tried and it doesn’t seem as if it’s passed at the moment, but I think you can deploy a custom Netlify Function and use that. Does that work for your use case?