How do you implement authentication/authorization in Qwik/Qwik City?


I have Qwik City running on Express. Would appreciate if someone could point out the easiest way to do authorization. Is using an Express authentication/authorization middleware possible?


There are 2 best solutions below

1
On BEST ANSWER

QwikCity includes a package called qwik-auth, which is currently not documented. If you want to get to know how to use it, you can find details in my post on Medium.

0
On

Since browsers handle HTTP-only cookies for us, we use an HTTP-only cookie to handle authentication. Here is how we do it, step by step:

  • Users submit their username/password pairs, the system checks whether they are correct, then creates a random token in the sessions table and returns it via an HTTP-only cookie.
  • The next time users access the system, the server components (server$, routeAction$, routeLoader$, endpoints...) use that cookie to look up whether it exists in the sessions table.
  • When users log out, just delete the cookie record in the sessions table and invalidate the cookie.

That's the summary. Of course, there are many other scenarios, like redirecting if authenticated, logging out on other devices, etc., but I will keep the summary short.

For authorization, since it accesses the back end directly, no frontend code is leaked, and our backend always serves as SSR, we just store roles and permissions in the database and query them directly when getting the User object via routeLoader$.