Leverage Next Auth for authentication?

[cball]

Currently we "roll our own" . Next Auth would give us a way to still stay in control of our data, likely be more secure by default, and at the same time give many other options for handling auth.

Pros

• Easy path for adding many auth providers (including OAuth)
• Flexible, but not locked to a specific provider (like Auth0 or Cognito)
• Has a Prisma adapter: https://next-auth.js.org/adapters/prisma
• All generated pages can be customized: https://next-auth.js.org/configuration/pages#email-sign-in

Cons

• Not GraphQL based. How would we allow for a GraphQL-based login?
• DB structure must conform to what the adapter expects (likely not a big deal but worth keeping in mind. We can add additional columns to those models)

[kgajera]

I agree with moving to Next Auth.

Not GraphQL based. How would we allow for a GraphQL-based login?

Why is it important for us to allow this? I have not used Next Auth before, but looking at their examples, it seems as simple as using the form's action to post the form.

Trying to use GraphQL seems like it would add more code to both the back-end and front-end. I don't see what benefits this would provide.

[cball]

The consideration I have is allowing an external client (like a mobile app) to login with the same mechanism as the rest of the API.

If we don't have this, I believe you'd have to issue a csrf request, make a POST request to login with that token, then use GraphQL for everything else.

[mthomps4]

Not GraphQL based. How would we allow for a GraphQL-based login?

#thoughts
Would need to spike this but GraphQL can wrap REST endpoints.
We could have the /api routes defined for NextAuth and GraphQL proxies those requests.

I've not done this with our Next setup, but is a graceful pattern used a lot for migrating/supporting larger legacy apps.