1
00:00:00,000 --> 00:00:01,000
So let's now make sure

2
00:00:01,000 --> 00:00:04,000
that we cannot just create auth sessions,

3
00:00:04,000 --> 00:00:07,000
but that we can also verify auth sessions

4
00:00:07,000 --> 00:00:09,000
so that we can verify

5
00:00:09,000 --> 00:00:13,000
whether a request is coming from a user who did log in.

6
00:00:15,000 --> 00:00:19,000
And for that, in that lib auth.js file,

7
00:00:19,000 --> 00:00:22,000
I'll export a new function,

8
00:00:22,000 --> 00:00:25,000
a new async function

9
00:00:25,000 --> 00:00:28,000
which I'll name verifyAuth.

10
00:00:28,000 --> 00:00:30,000
The name of course is up to you.

11
00:00:31,000 --> 00:00:36,000
This function should check whether an incoming request

12
00:00:36,000 --> 00:00:38,000
is coming from an authenticated user.

13
00:00:38,000 --> 00:00:43,000
So if the incoming request has that authentication cookie

14
00:00:43,000 --> 00:00:45,000
and if it's a valid cookie,

15
00:00:45,000 --> 00:00:48,000
so a cookie with a valid session ID

16
00:00:48,000 --> 00:00:51,000
that we stored on the server in the database

17
00:00:51,000 --> 00:00:53,000
because just the existence

18
00:00:53,000 --> 00:00:55,000
of the cookie alone is not enough.

19
00:00:55,000 --> 00:00:57,000
It could be a faked cookie.

20
00:00:57,000 --> 00:01:00,000
We definitely also need to validate it.

21
00:01:01,000 --> 00:01:04,000
Now first, we need to retrieve the cookie

22
00:01:04,000 --> 00:01:06,000
from the incoming request

23
00:01:06,000 --> 00:01:09,000
and therefore we can again use this cookies function,

24
00:01:09,000 --> 00:01:11,000
and then use get,

25
00:01:11,000 --> 00:01:14,000
and then use this Lucia object

26
00:01:14,000 --> 00:01:16,000
which we create up here,

27
00:01:17,000 --> 00:01:22,000
and access sessionCookieName so that we, in the end,

28
00:01:23,000 --> 00:01:26,000
retrieve the cookie with our session cookie name

29
00:01:26,000 --> 00:01:29,000
from the incoming request.

30
00:01:29,000 --> 00:01:32,000
Now this of course might be undefined

31
00:01:32,000 --> 00:01:37,000
if we get a request without a session cookie.

32
00:01:37,000 --> 00:01:39,000
So we have a session cookie

33
00:01:39,000 --> 00:01:41,000
which potentially is undefined.

34
00:01:41,000 --> 00:01:43,000
That could be the case here.

35
00:01:44,000 --> 00:01:47,000
Therefore I'll check if not sessionCookie,

36
00:01:48,000 --> 00:01:50,000
so if we don't have one,

37
00:01:50,000 --> 00:01:55,000
and in that case I'll return an object here in verifyAuth

38
00:01:56,000 --> 00:01:59,000
where I set the user to null

39
00:01:59,000 --> 00:02:01,000
and the session to null,

40
00:02:01,000 --> 00:02:03,000
and it's up to you what you wanna return here.

41
00:02:03,000 --> 00:02:06,000
You could also just return false to indicate

42
00:02:06,000 --> 00:02:11,000
that the request is coming from an unauthenticated user.

43
00:02:11,000 --> 00:02:13,000
Here I'll return such an object

44
00:02:13,000 --> 00:02:17,000
which contains no user and session data

45
00:02:17,000 --> 00:02:19,000
and we can then use that object in our routes,

46
00:02:19,000 --> 00:02:23,000
in our pages to verify whether we did find

47
00:02:23,000 --> 00:02:26,000
an authenticated user on the request or not.

48
00:02:26,000 --> 00:02:28,000
I'll show you how to use it in just a second.

49
00:02:29,000 --> 00:02:33,000
So that's what I return if I don't have a session cookie.

50
00:02:33,000 --> 00:02:36,000
If I do find a session cookie,

51
00:02:36,000 --> 00:02:39,000
we got a cookie value.

52
00:02:39,000 --> 00:02:43,000
So, in the end, the session ID, you could say,

53
00:02:44,000 --> 00:02:47,000
and we get that from our session cookie,

54
00:02:47,000 --> 00:02:50,000
and then there, we can access the value key.

55
00:02:51,000 --> 00:02:56,000
Now if for some reason we don't have a session ID,

56
00:02:56,000 --> 00:03:01,000
I also wanna return this object without user data.

57
00:03:03,000 --> 00:03:04,000
But if we make it past this,

58
00:03:04,000 --> 00:03:07,000
if I know that I have a session cookie

59
00:03:07,000 --> 00:03:09,000
and that I have a session ID,

60
00:03:09,000 --> 00:03:14,000
now as a next step we need to validate this session.

61
00:03:14,000 --> 00:03:17,000
So we need to find out whether it's a valid session ID

62
00:03:17,000 --> 00:03:20,000
and for that we can use that Lucia object,

63
00:03:20,000 --> 00:03:22,000
and there call validateSession

64
00:03:24,000 --> 00:03:27,000
and pass our session ID to that function.

65
00:03:28,000 --> 00:03:31,000
That will then, in the end, look into the database

66
00:03:31,000 --> 00:03:35,000
and see if it finds a session with that ID in the database

67
00:03:35,000 --> 00:03:37,000
and if that's still a valid session.

68
00:03:38,000 --> 00:03:39,000
So we'll get back a result here

69
00:03:39,000 --> 00:03:42,000
and we need to await this operation,

70
00:03:42,000 --> 00:03:45,000
and that result can now be returned here.

71
00:03:47,000 --> 00:03:49,000
And this result will actually also be

72
00:03:49,000 --> 00:03:51,000
an object with a user key

73
00:03:51,000 --> 00:03:52,000
and a session key.

74
00:03:52,000 --> 00:03:55,000
That's why I used that same shape here.

75
00:03:55,000 --> 00:03:58,000
But now if we did validate that session,

76
00:03:58,000 --> 00:04:01,000
that will either again be an object

77
00:04:01,000 --> 00:04:03,000
where both are set to null

78
00:04:03,000 --> 00:04:05,000
or it will be the actual user data,

79
00:04:05,000 --> 00:04:07,000
so the user ID, for example,

80
00:04:07,000 --> 00:04:10,000
and some extra data about the session.

81
00:04:11,000 --> 00:04:13,000
So we'll return an object of this shape,

82
00:04:13,000 --> 00:04:15,000
but user and session will not be null

83
00:04:15,000 --> 00:04:19,000
if we did find out that it is a valid session.

84
00:04:20,000 --> 00:04:22,000
Now what we should also do here,

85
00:04:22,000 --> 00:04:24,000
if we validated a session

86
00:04:24,000 --> 00:04:27,000
and we found that it's a valid session,

87
00:04:27,000 --> 00:04:31,000
is we should refresh it so that it stays active

88
00:04:31,000 --> 00:04:35,000
and the user isn't suddenly locked out.

89
00:04:35,000 --> 00:04:40,000
Therefore we should check if we have a true session

90
00:04:40,000 --> 00:04:42,000
on that result object.

91
00:04:42,000 --> 00:04:45,000
So we found an active valid session

92
00:04:45,000 --> 00:04:48,000
and we should then check if that session

93
00:04:48,000 --> 00:04:50,000
has fresh set to true.

94
00:04:52,000 --> 00:04:54,000
If that's the case,

95
00:04:54,000 --> 00:04:57,000
we can call lucia.createSessionCookie

96
00:04:57,000 --> 00:05:00,000
again to create a new session cookie

97
00:05:00,000 --> 00:05:04,000
for the session ID of the session we just retrieved,

98
00:05:04,000 --> 00:05:06,000
so the session we got from our result,

99
00:05:10,000 --> 00:05:13,000
and we should then again set that session cookie

100
00:05:13,000 --> 00:05:17,000
just as we did it before when we created it the first time.

101
00:05:17,000 --> 00:05:19,000
That will basically recreate

102
00:05:19,000 --> 00:05:23,000
that cookie for the existing active session

103
00:05:23,000 --> 00:05:26,000
and therefore prolong it you could say.

104
00:05:28,000 --> 00:05:31,000
Now NextJS will actually throw an error

105
00:05:31,000 --> 00:05:33,000
if you try to set a cookie

106
00:05:33,000 --> 00:05:37,000
if you are doing that as part of the page rendering process

107
00:05:37,000 --> 00:05:41,000
and therefore you should wrap this with try

108
00:05:41,000 --> 00:05:42,000
to catch that error

109
00:05:44,000 --> 00:05:45,000
and then do nothing

110
00:05:46,000 --> 00:05:49,000
because it's actually an error we wanna ignore

111
00:05:49,000 --> 00:05:52,000
because we want to be able to set

112
00:05:52,000 --> 00:05:54,000
that authentication session cookie

113
00:05:54,000 --> 00:05:57,000
even if we're just rendering a page.

114
00:05:57,000 --> 00:06:00,000
NextJS normally doesn't like it if we set cookies

115
00:06:00,000 --> 00:06:01,000
when rendering a page,

116
00:06:01,000 --> 00:06:03,000
but we like to do it here.

117
00:06:03,000 --> 00:06:06,000
That is something you find in the Lucia documentation

118
00:06:06,000 --> 00:06:09,000
and therefore we should do it here when using Lucia.

119
00:06:10,000 --> 00:06:14,000
Now it's also possible that we did not find

120
00:06:14,000 --> 00:06:16,000
a session on the result

121
00:06:16,000 --> 00:06:18,000
and in that case,

122
00:06:18,000 --> 00:06:22,000
I wanna clear the session cookie that was sent along

123
00:06:22,000 --> 00:06:27,000
because it's clearly not a cookie for a valid session.

124
00:06:27,000 --> 00:06:29,000
Therefore we should then again create

125
00:06:29,000 --> 00:06:31,000
new session cookie data,

126
00:06:31,000 --> 00:06:33,000
but we should do that with help

127
00:06:33,000 --> 00:06:37,000
of the createBlankSessionCookie method provided by Lucia.

128
00:06:38,000 --> 00:06:41,000
And then again, we should call cookies set

129
00:06:41,000 --> 00:06:43,000
and use the sessionCookie data,

130
00:06:43,000 --> 00:06:45,000
but this will now, as I just explained,

131
00:06:45,000 --> 00:06:49,000
basically clear that existing cookie

132
00:06:49,000 --> 00:06:52,000
because it contained invalid session data anyways.

133
00:06:54,000 --> 00:06:55,000
And that's it.

134
00:06:55,000 --> 00:06:58,000
That's all we should do here in verifyAuth

135
00:06:58,000 --> 00:07:00,000
and we can now use

136
00:07:00,000 --> 00:07:03,000
this verifyAuth function here in any route,

137
00:07:03,000 --> 00:07:07,000
in any page that should actually be protected

138
00:07:07,000 --> 00:07:11,000
and that should only be accessible by logged in users.

139
00:07:11,000 --> 00:07:13,000
That's what we'll do next.

