Possible to LOGIN with GoTrue / Identity via serverless function?

Hi,

Is it possible to create a serverless login function for GoTrue-JS / Netlify Identity?

I’ve been able to create one for user signup but don’t see a similar admin method or identity URL available for login.

The one shown in the documentation seems to reference using the auth.login method in the client –

I’m trying to do this since:

  1. I’m having difficulty getting the client-side library ‘auth’ methods to load properly (in a Svelte/Sapper site), and
  2. I’d like to keep as much of this auth logic out of the client as possible – and take advantage of serverless functions where I can.

Or am I going about this wrong, and does login have to be executed client-side for GoTrue / Netlify Identity?

Thanks


I would like to do that too, and I do believe that it is possible. But it would be great to have someone experienced give some examples :)

@procrates I forgot to follow up on this here.

It looks like this can be done, fairly easily.

The endpoint for login (or subsequently grabbing refresh tokens) within your Identity instance is ‘/token’. This can be POSTed to with either an email+password or a refresh token credential method.

Here’s how the endpoint is being called in the GoTrue-JS library -

And here’s a bit more info on the GoTrue repo, under “POST /token” header -

Basic steps:

  1. On your login page, have a handler function for the login form that
    • calls the login serverless function (passing the email + password)
    • handles successful returns
    • handles returned errors
  2. In the login serverless function
    • parse email and password from the POST request
    • recreate some version of the function example above (from GoTrue-JS) that calls the /token endpoint with email + password
    • if successful, decide how you’d like to return and/or store the access token and refresh token
      • e.g. the function could return the JWT access token as a cookie and handoff the refresh token to another serverless function that saves it to a user database so this never hits the client
    • if it fails, return an error

Beyond this, you’ll also need to decide:

  • How you want to provide/control access to the auth’d sections of your site within your app now that you have a valid access token (in the JWT).
    • The answer for this can vary a bit depending on how you’re building your app
  • Where to safely store the JWT for subsequent use and also avoid malicious JS.
    • This is commonly done in an httpOnly/secure cookie that JS can’t access but your approach may vary depending on how you want to be able to access it later.
    • The choice is a bit trickier when there isn’t a server to help process and utilize cookie values. You don’t want client JS to be able to unsafely access the JWT (e.g. localStorage), but at some point JS needs to be able to use it to make authorized requests. Definitely take time to consider/research this choice so you don’t accidentally open yourself up to security issues (like XSS and CSRF).
    • One method might be to call a separate ‘authenticate’ serverless function that serves as a pseudo middleware - parsing cookies, attaching the JWT to the header as a bearer token, and then passing the request to the target serverless function that requires authorization (e.g. getting user data from a database). But this seems pretty wasteful and un-performant. I’m currently trying to sort out other options on this front as well.
  • How/when to use the JWT for other authorized calls (e.g. load specific user content via another serverless function)
    • If you pass the JWT as an authorization bearer token (done in the request header) to a Netlify serverless function, it will provide you the context for that user in the function and also allow additional admin methods.

I’m definitely still piecing a lot of this puzzle together myself, but I hope this helps.

Cheers,
Clayton

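The login function described in the steps above, written out as an added example (not code from the thread or from GoTrue-JS itself): it parses email and password from the POST body, calls the Identity `/token` endpoint with the same form-encoded password grant that GoTrue-JS sends, returns the access token in an HttpOnly/Secure cookie, and never forwards the refresh token to the browser. The Identity URL, the cookie name and the injected `fetchImpl` parameter (so the handler can be exercised offline with a stub) are assumptions.

```javascript
// Added example, not from the thread or GoTrue-JS. Runs on Node 18+ (built-in fetch).
// IDENTITY_URL is assumed; on Netlify it is your site's /.netlify/identity base URL.
const IDENTITY_URL = process.env.IDENTITY_URL || "https://example.netlify.app/.netlify/identity";
const COOKIE_NAME = "nf_jwt"; // assumed cookie name

// fetchImpl is injected so the handler can be tested without a live Identity instance.
async function loginHandler(event, fetchImpl = globalThis.fetch) {
  if (event.httpMethod !== "POST") {
    return { statusCode: 405, body: JSON.stringify({ error: "Method not allowed" }) };
  }
  let email, password;
  try {
    // Netlify may deliver the body base64-encoded; decode before parsing.
    const raw = event.isBase64Encoded ? Buffer.from(event.body, "base64").toString("utf8") : event.body;
    ({ email, password } = JSON.parse(raw || "{}"));
  } catch {
    return { statusCode: 400, body: JSON.stringify({ error: "Invalid JSON body" }) };
  }
  if (typeof email !== "string" || typeof password !== "string" || !email || !password) {
    return { statusCode: 400, body: JSON.stringify({ error: "email and password required" }) };
  }
  // Same wire format GoTrue-JS uses for login: form-encoded password grant to /token.
  const form = new URLSearchParams({ grant_type: "password", username: email, password });
  const resp = await fetchImpl(`${IDENTITY_URL}/token`, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: form.toString(),
  });
  if (!resp.ok) {
    // Keep the client-facing error generic; do not relay GoTrue's error body.
    return { statusCode: 401, body: JSON.stringify({ error: "Invalid credentials" }) };
  }
  const { access_token, refresh_token, expires_in } = await resp.json();
  // The refresh token stays server-side (hand it to a function that persists it);
  // it is deliberately never placed in the response.
  void refresh_token;
  const cookie = [
    `${COOKIE_NAME}=${access_token}`,
    `Max-Age=${Number(expires_in) || 3600}`,
    "Path=/", "HttpOnly", "Secure", "SameSite=Strict",
  ].join("; ");
  return {
    statusCode: 200,
    headers: { "Set-Cookie": cookie, "Cache-Control": "no-store" },
    body: JSON.stringify({ ok: true }),
  };
}

if (typeof module !== "undefined") module.exports = { handler: (e) => loginHandler(e), loginHandler };
```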

@Clayton, thank you for coming back and sharing such a tremendously detailed series of steps. This will be very beneficial for future Forums members who encounter something similar. Knowledge sharing is what makes the Forums great!
