End-to-end example against custom server

[j-lee8]

Hi all.

I've added in next-auth with Google sign in and it works. It inserts the session, user, account etc into my local Postgres.

I'm a bit stuck with how to authorise against a custom backend? I know API routes handles this but I have a separate Apollo server GraphQL API using Prisma I need to hit and I have no idea how I'm supposed to know if a user is authorised. Is there any end-to-end example of this?

I will need to add email/password sign up as well but that can come later.

1. User signs up/in with Google
2. User redirected to protected route after login
3. User requests data from standalone API
   • how are they authorised? How do I know if they are even a valid user and are allowed to access this?

Do I need to use jwt: true? I'm very new to authentication/authorisation. I really don't know how the standalone API is meant to know about whether the user is authorised. If I use JWT is this inserted into the database on user sign in as well? Do I then check this user is authorised on the server based on the JWT token passed in the headers? Something like validateUser(request.authorisation.token)? I just need an end-to-end example I can follow of a custom backend with authorisation.

When I make requests using Apollo client / SWR do I include the JWT token? Are there any examples of this?

Because it inserts a session, could I check that instead of a JWT token? I'm really clueless as to the best way to handle this. It will be used by potentially millions so it needs to be right.

Thanks all. I really appreciate this.

[karthikcodes6]

Did you find any solutions?

[j-lee8]

Unfortunately no. Most examples just seem to tell you to issue a token and store in the user. That's far too vague for somebody doing it for the first time. I understand you need to hit an endpoint to generate a token and return this to the user. I more or less understand how to do it but I'm working on a time sensitive project so I just use API routes for now.

I'm really surprised there are no end-to-end examples! It must be a common problem.

[kaichii]

any updates?

[longfellowone]

I found this but it no longer works with v4. I imagine you could do the same thing in the jwt() callback, but then how would you reject a user here?

https://arunoda.me/blog/add-auth-support-to-a-next-js-app-with-a-custom-backend