Server Side Rendering

[loks0n]

No description provided.

[Meldiron]

I like solution A, can't see why not.
Such token should be hidden by default, and only exposed when creating session.

[loks0n]

What do you mean by such token should be hidden by default?

[Meldiron]

You had 2 solutions. One to have it in response body, one to set it as response header.

I like setting it in response body. But if in future you do getSession, you should no longer get secret. You should only get it once when you first create it.

[Meldiron]

SetSession or SetToken? 🤔

[loks0n]

I feel we generally use token for temporary keys.
This helper could take either the entire session object, or just the secret, in which case setSecret or setSessionSecret might be worth considering

[Meldiron]

We have setKey for setting API key. So to follow that we should do setSecret for setting session secret.

But that sounds so undescriptive.. I would vote for setSessionSecret, but then we should consider doing setApiKey.

[loks0n]

I could live with setSecret, although one advantage of setSession is it makes more sense if used in combination with setKey as may be required to solve rate limiting

[Meldiron]

Currently OAuth works with 1 line of code.
Wit this, it wont. You will need to add extra logic on page load that looks for those params, and then runs method to finish sign-in process.

Similiar to Magic URL - After sending mail, you need 1 extra page that takes URL parals and finishes the logic.

That's kinda annoying :/ Can we find a way to automate this, somehow? Or simplify?

[loks0n]

Unfortunately, I can't see a way to simplify this flow: we are at the mercy of browser cookie security.

Here's why:

• We need a place to store a session on the client, and send it with browser GET requests.
• Local storage doesn't work because browsers don't send it with requests. We need to use secure cookies.
• Browsers only send cookies that belong to requested domain.
• Domains may only set cookies for their own domain.

The extra page isn't so much of an issue if we have a universal token -> session endpoint, right?

[Meldiron]

I see. I agree it's better to ask developer to write more code than to have it not work on some setups like Safari or phone devices.

Might be worth checking competitors and see if they have setup this complex. if not, maybe they found some trick.

[loks0n]

Supabase and Firebase are using the same method, unfortunately.

[Meldiron]

I would not reuse.

Buut I like the idea. But it's of a bigger scope.

My idea is that there should be universal "token -> session" endpoint, where token would also know type of session, like magicUrl or oauth2. Why? Well because then we can add endpoint users.createCustomSession(userId), which returns such token. Then we can exchange this token for session.

This will allow fully custom auth flows. For example, with APpwrite Functions, this will allow logging into account by entering code that Discord bot sent you as private message.. Whatever you want.

[loks0n]

+1 for Universal 'token -> session' endpoint

[Meldiron]

@eldadfux Do you think it would be worth as part of SSR rework? It is pretty highly requested feature. I think this will be most common blocker for any bigger company.

[eldadfux]

We can.

[gewenyu99]

Heard of requests for this in various avenues. Is a build/scale stage issue.

[Meldiron]

I would add them to server sdks, yes. I think they could be useful.
To differentiate we can just use another header name, like x-appwtite-token

[TGlide]

Suggested change

	Many popular web frameworks, such as Next.js, Nuxt.jsm and SvelteKit, support and recommend SSR, by default. When developers attempt to use Appwrite Auth with these frameworks, they run into issues with the current implementation.
	Many popular web frameworks, such as Next.js, Nuxt.js and SvelteKit, support and recommend SSR, by default. When developers attempt to use Appwrite Auth with these frameworks, they run into issues with the current implementation.

Sorry 😬

Also, I'd say the problem is not only Appwrite Auth. I've also run into issues with file uploads. I've managed to get it working, but it was troublesome to say the least.

[TGlide]

This works, but what do we then do with the sessionToken? How would a more complete flow look like?

For reference, this is what I do now to achieve SSR in auth.

[TGlide]

I don't think we should require an external lib to be able to use cookies. An inbuilt helper would be much friendlier

[eldadfux]

+1

[TGlide]

We should include more frameworks here

[eldadfux]

+1

[TGlide]

By server-side SDK, do you mean node-appwrite?

[TGlide]

If so, would you require to have both node-appwrite and appwrite installed in an SSR framework? When would each be used?

[loks0n]

By server-side SDK, do you mean node-appwrite?

Yeah, node-appwrite and the other server SDKs

If so, would you require to have both node-appwrite and appwrite installed in an SSR framework? When would each be used?

This is what I'm getting at, in an ideal world I think we should have a single SDK that handles any compatibility issues.
Second best and easier option is to recommend using node-appwrite in server code and appwrite in all client code.

[eldadfux]

I guess for all fullstack / web work you should use appwrite for any admin related tasks you should use node-appwrite which is basically and admin (or console) like SDK.

[TGlide]

Exactly, it gets harder to differentiate. Also, I worry about rate-limiting, which would currently happen using SSR, right?

[eldadfux]

@loks0n let's check where can rate limit get in the way. If our key is email+ip we should be fine. If the abuse key for an endpoint is only for IP it will be useless.

[loks0n]

Rate limiting is an issue, I've added a section outlining some possible solutions

[TGlide]

Love this! Would be great for adoption.

[eldadfux]

Yeh, this is a must. Can we include it in the main SDK or do we have to create separated packages for it?

[loks0n]

Can be in the main SDK :)

[gewenyu99]

@loks0n What's the expected effect on package size, build time, etc.

If it's trivial we can add, but I wonder when we draw the line for framework specific baggage in the main SDK

[TGlide]

@gewenyu99 in general nowadays tree-shaking should deal with most issues regarding bundle size on your app's final output, build time too. The package size would be bigger on the node-modules folder though.

Alternatively, you can monorepo the SDK, and add adapters. E.g. @appwrite.io/adapter-svelte

[eldadfux]

Can we try and redirect OAuth flow back to the SSR server itself with relevant params (including a secret) on a dedicated route and use it to set the local cookie in a similar way to what we do for a regular session?

[loks0n]

Can we try and redirect OAuth flow back to the SSR server itself with relevant params (including a secret) on a dedicated route and use it to set the local cookie in a similar way to what we do for a regular session?

Are you suggesting to replace the redirect from the OAuth2 provider to Appwrite with OAuth2 to SSR? The Appwrite session is not yet created at this point, and therefore the server would still need to exchange the temporary token