Credentials Provider, Sign-in with Ethereum, and Users

[rhinodavid]

I'm starting to experiment with Sign-in with Ethereum (SIWE). They have docs on how to use SIWE with NextAuth, and I was able to get an implementation working fairly easily. However, the implementation uses the CredentialsProvider and here's where I run into problems. From the docs:

It comes with the constraint that users authenticated in this manner are not persisted in the database, and consequently that the Credentials provider can only be used if JSON Web Tokens are enabled for sessions.

And a stern warning:

The functionality provided for credentials based authentication is intentionally limited to discourage use of passwords due to the inherent security risks associated with them and the additional complexity associated with supporting usernames and passwords.

I understand the desire to steer developers away from a username/password strategy, but SIWE is a far cry from that. Theoretically it should be at least as secure as OAuth.

---

I have a few ideas for possible solutions:

• Create an EthereumProvider and add ethereum as a first-class ProviderType alongside email, oauth, and credentials.
• Modify CredentialsProvider to add an override to enable persisting users.

Thanks for taking the time to read this and I'm looking forward to folks' thoughts.