Next-Auth Login Authentication Tutorial with Next.js App Directory

00:01

[Music]

00:04

hello and welcome I'm Dave today we're

00:07

going to learn how easy it is to add

00:09

authentication to your next JS app with

00:12

next auth and I'll provide links to all

00:14

resources in the description below I'll

00:17

also provide a link for you to join my

00:18

Discord server where you can discuss web

00:20

development with other students and you

00:22

can ask questions that I can answer and

00:25

receive help from other viewers too I

00:27

look forward to seeing you there I'm

00:28

ready for a highly requested tutorial

00:30

about next auth with the new next.js app

00:33

router but first i'm happy to introduce

00:35

kodium AI as the sponsor for this video

00:38

codium AI analyzes your code and

00:40

generates meaningful tests to catch bugs

00:42

before you ship to production or even

00:44

before you have a code review with your

00:46

boss or Mentor with kodium AI you can

00:49

easily and quickly create comprehensive

00:51

test Suites that help ensure the

00:53

reliability and correctness of your code

00:55

and Cody may I currently supports

00:57

JavaScript typescript and python in VSCO

01:00

code and several other popular Ides

01:02

let's look at how it works just click

01:05

the generate test button above any

01:07

function and codium AI will begin

01:09

generating tests for your code review

01:11

the test created and even add your own

01:13

custom tests also check out the code

01:16

analysis and code suggestions I love

01:18

these features and when you're happy

01:20

with the tests save the test Suite to a

01:22

file I'm going to provide links to their

01:24

vs code extension and main website below

01:27

hey guys adding codium AI to your vs

01:30

code is as easy as going to extensions

01:32

searching for kodium AI and then

01:35

installing it it's free add it to your

01:37

vs code extensions today okay let's get

01:40

started I've already created a new

01:42

next.js project and I've said yes to all

01:44

of the questions as the project was

01:46

created now looking at the package Json

01:49

if you're completing this tutorial in

01:51

the future you should note that I'm

01:54

using next version

01:56

13.4.7 its current as of today and if

02:00

you want next to behave the way it does

02:02

here in the tutorial you may want to

02:04

install this version but I'm just

02:06

letting you know that you could try to

02:08

use the latest as well so after that we

02:11

need to go ahead and install next auth

02:13

so let's open up a terminal window once

02:15

again type npmi and then next Dash auth

02:19

and we'll install the next auth package

02:21

we're back at the next auth website and

02:24

I'm looking at the introduction they

02:26

really have great docs and you can

02:28

explore these because next auth is very

02:30

customizable we're going to go over some

02:32

of the basic settings for a quick

02:34

implementation today and that will get

02:37

you started and of course I could cover

02:38

other customizable settings in future

02:41

tutorials as well so let's look at some

02:43

of the introduction here on next auth

02:45

and I want to highlight just a few

02:47

things we've got support for Json web

02:50

tokens and database sessions and this is

02:53

designed for serverless next.js does run

02:56

on serverless but it can also run

02:58

anywhere so next auth can work with AWS

03:01

Lambda Docker Heroku Etc It also says

03:04

own your own data here and I just want

03:06

to highlight that it says it can also be

03:08

used without a database and that's what

03:10

we're going to do today we're going to

03:11

use the default settings for JWT but

03:14

we're also going to set up oauth for a

03:17

GitHub login now let's go to the getting

03:19

started link over here in the left hand

03:20

menu and on getting started we're going

03:23

to scroll down just a little bit and we

03:25

can already see the install for next

03:27

auth and we've already done that then it

03:29

says add an API route but notice a lot

03:31

of the examples here in the docs at

03:33

least currently as I'm making this video

03:35

show the old version here with Pages

03:37

slash API slash auth but then you need

03:40

to read some of the documentation as

03:42

well because it says if you're using

03:44

next.js 13.2 or above it does support

03:47

the new app router and you can

03:49

initialize the configuration using the

03:51

new route handlers by following our

03:53

guide so let's just go ahead and click

03:55

that guide and look at the setup here

03:58

for a route Handler you can see this has

04:00

a different different path now it's in

04:02

the app directory as we're provided in

04:04

next js13.2 and above then we create an

04:08

API directory inside then an auth

04:10

directory and then this catch-all route

04:12

here inside of brackets with the three

04:14

dots that says next auth and then route

04:16

TS so let's go to visual studio code now

04:19

and do that back in vs code we need to

04:21

open up the source directory if you

04:23

added the source directory to your

04:25

project if not you just have the app

04:27

directory on that level and that's where

04:29

you need to create the next directory or

04:32

folder if you will inside and it's

04:33

called API and then inside of that one

04:36

we need to create another directory and

04:39

this is going to be called auth and then

04:41

finally inside of auth we need to create

04:43

that catch-all that has a bracket three

04:46

dots and then next auth and another

04:50

bracket now inside of this directory is

04:53

where we create the route.ts file we'll

04:56

start by importing next auth and that's

05:00

going to come from next Dash auth after

05:05

that we're we're going to import options

05:07

here in just a moment but I won't do

05:09

that yet let's define our Handler

05:12

and we're going to set this equal to

05:14

next auth and this is where next auth

05:17

will receive the options so it's going

05:19

to have a red squiggly until we pass in

05:21

our options object but after this we

05:23

just simply need to export and we'll say

05:26

Handler as get comma and also Handler as

05:31

host so our route.ts file is not too big

05:36

and you will see some go ahead and

05:38

Define their options object inside of

05:40

this file but I prefer to create a

05:43

separate file so let's go ahead and do

05:45

that and we'll just call this

05:47

options dot TS we're back in the next

05:50

auth documentation we're under options

05:53

now in the left hand menu and looking

05:55

under options the main thing we need to

05:57

provide inside of our options object is

06:00

the providers themselves what we plan on

06:02

using so this is where we will say a

06:04

GitHub provider that we're going to use

06:06

with oauth we're also going to have a

06:08

credentials provider and we'll learn how

06:10

to set that up but there are some other

06:12

settings they cover on this page so let

06:15

me scroll down just a little bit it

06:17

talks about a secret here we're going to

06:19

need to set a next auth underscore

06:21

secret as an environment variable so

06:24

we're going to create a DOT env.local

06:27

file in our next JS project for that and

06:29

then there's some other settings they

06:31

cover as well oh and we're going to use

06:33

this by the way to go ahead and create

06:35

that random secret we can do that easily

06:37

with this command in the terminal okay

06:39

underneath that a few other settings

06:41

that we can look at although we're just

06:43

going to use the default today so we

06:45

will not need to provide these but I

06:46

just want to draw your attention to them

06:48

you can set some settings for a session

06:51

here and this is where I wanted to

06:53

really highlight this because note the

06:55

default is a JWT that's encrypted so

06:59

it's referred to as a jwe so if you've

07:02

watched any of my previous React auth

07:05

videos in the past where we use JWT this

07:07

is a little different strategy but I

07:09

really like what they're doing and

07:11

really rather than rolling your own

07:13

which creating your own like we did in

07:15

that react auth series is a great way to

07:18

learn about auth but this has a little

07:20

more full featuredness to it and I

07:22

really like how it's set up so I

07:24

recommend this strategy actually and you

07:26

would use this encrypted jwe that's

07:30

stored inside of a session cookie so

07:33

that's how they're doing this by default

07:35

and then you could use a database

07:37

instead but that's not what we'll be

07:39

doing we will just be using the JWT that

07:42

is once again the default so just

07:45

highlighting that okay let's scroll down

07:47

to just a little bit more and then

07:49

there's also a JWT setting once again we

07:52

won't need to do any of this because

07:53

we're using the default and we're not

07:55

using a database and then they've got

07:57

some other settings for the JWT but the

07:59

other one I want to find is pages so

08:02

notice this this pages is a property

08:04

here inside of that options object and

08:07

then it has its own object here you can

08:09

set up custom pages but if not these

08:13

will be created for you they'll just be

08:16

found at a specific address that next

08:19

auth provides so if you wanted to create

08:21

a custom sign in page then you could

08:24

have it at say just slash sign in

08:26

instead of the default which might be

08:29

auth sign in or auth sign out and so on

08:33

ours because of this new router or route

08:36

Handler set up inside of the API slash

08:40

auth directory everything that's created

08:42

by default will actually be inside of

08:44

Slash API slash auth and then then we

08:47

would have our sign in and sign out but

08:49

next auth creates these for us and so

08:52

just by using the defaults we can

08:54

implement this next auth quickly okay

08:57

let's go back to the code and set up our

08:58

options object and our next auth secret

09:01

as well let's start with import type and

09:05

then we need next auth

09:08

options and this is also going to come

09:11

from next Dash auth after we've imported

09:15

our type we will import our providers

09:18

when we're ready for those but let's

09:19

first just set up the object so I'll say

09:21

export const

09:24

options and we'll set this of course the

09:27

type being our next auth options we'll

09:29

set this to an object then that has a

09:32

providers and this providers is an array

09:35

so this is where we will put our

09:37

providers that we decide to import and

09:40

use in our application now after this

09:42

this is where we would put for example

09:45

the pages object that we looked at so if

09:48

we had a specific sign in then we could

09:51

give the path for that so you might want

09:53

to move it to just sign in but then you

09:55

would have to create your own sign in

09:57

page and next auth we'll create one for

10:00

you so we're not going to provide this

10:02

here the same for the session you would

10:04

set a session and then set the related

10:06

properties for that session that we

10:09

looked at inside of the documentation

10:10

but now we're just going to focus on the

10:13

providers but before we go back to the

10:15

docs and look at each individual

10:16

provider let's go ahead and open up a

10:18

terminal so control in the back tick now

10:21

inside of the terminal let's type that

10:23

command that will will just generate

10:25

that random secret for us so it's open

10:27

SSL

10:29

Rand and then Dash base 64 and then the

10:34

number 32. we'll press enter and there

10:37

is our random secret that we have so we

10:39

can just highlight and copy this with

10:42

Ctrl C and now we need to go ahead and

10:45

create a DOT env.local file in our next

10:48

project and we want this on the same

10:50

level as the package Json file so now

10:53

let's create this file and it's dot

10:56

env.local by default this would be

10:58

listed inside of your git ignore file

11:01

you never want to send your environment

11:03

variables to GitHub so these are secrets

11:06

you keep them in your Dev environment in

11:08

the dot enb.local and then when you

11:10

deploy your application you set the

11:12

environment variables in your host

11:14

whether that's versl or somewhere else

11:16

that you would deploy your next JS

11:18

application so this is a next auth

11:22

underscore

11:23

secret and we'll set it equal to and

11:26

just paste in that value with control V

11:29

is what I use to paste and now we have

11:31

in that random value you will have a

11:34

different value here and of course I'll

11:36

delete these secrets in the future and

11:37

won't be using those online so no luck

11:40

using mine just go ahead and generate

11:42

your own you will not find this dot

11:45

env.local file in the source code for

11:47

this video because as I said you do not

11:49

share this file in your GitHub back in

11:52

the documentation we're under

11:54

configuration providers and then

11:56

credentials this is where we would sign

11:58

in with a username and a password and

12:01

this is showing us how to set up the

12:03

credentials provider that we would need

12:05

to import at the top here and it has

12:07

some explanations but I'll of course

12:09

walk you through this as we created in

12:11

our project as well and then another

12:14

type of provider is oauth now oauth can

12:17

be GitHub Twitter Google Facebook any of

12:20

these providers that provide an oauth

12:22

sign-in and you've probably seen before

12:24

where you can just click sign in with

12:26

GitHub or sign in with Google and so on

12:28

so that's what we'll be setting up now

12:30

there is a full list of them further

12:32

down in the menu here under providers

12:35

and then you can scroll to get the

12:36

details for each one that you want to

12:39

set up here's GitHub and after we scroll

12:42

down just a little bit you'll see

12:43

there's a link and we need to configure

12:45

this in our GitHub account so now you'll

12:48

already need a GitHub account to do this

12:50

and so if you don't have a GitHub

12:52

account I'd go ahead and suggest going

12:53

to github.com and getting that free

12:56

account set up and then coming back and

12:58

do this but most of us probably already

13:00

have a GitHub account at this point so

13:02

let's go ahead and click this link and

13:04

it should open up directly to the page

13:06

we need of course inside of your GitHub

13:09

account this one is mine as you can see

13:11

my little icon up here in the top right

13:13

so now that we're at the GitHub apps

13:15

page we want to click on oauth apps and

13:18

we want to set one up you can see I

13:20

previously set one up as I did some prep

13:22

for this tutorial now I'm going to click

13:24

new oauth app here in the top right I

13:27

need to give this a name so I'm going to

13:29

call this

13:30

next auth Dash Tut for tutorial and then

13:35

the home page URL is going to be HTTP

13:38

colon slash slash localhost colon 3000

13:42

so this is for our Dev environment when

13:44

you would deploy your application you

13:47

would need to come back into your GitHub

13:48

settings for this oauth setting and

13:51

change it to your deployed URL and then

13:54

the other URL here at the bottom

13:57

authorization callback URL starts the

14:00

same but after that we're going to have

14:03

a slash and say API slash auth slash

14:07

callback slash GitHub and that would be

14:11

the full callback URL this is basically

14:14

saying where it's going to send you

14:16

after you authenticate with GitHub where

14:18

should it send you back in your

14:19

application so now let's go ahead and

14:21

click register application and we should

14:24

be good to go now what we want to have

14:27

here is a client ID and a client secret

14:30

we haven't generated that yet let's

14:32

first get the client ID copied I just

14:35

put my client ID in a text file for now

14:37

and you could do the same or paste it

14:39

into a file in vs code whatever just so

14:42

you make sure you have that or you could

14:44

come back to this tab then generate a

14:46

new client secret and you'll need to log

14:49

in if you're not logged into your GitHub

14:51

or actually I was logged in they just

14:53

want you to confirm access so you'll

14:55

need to log in again okay I logged in

14:58

and now notice I have make sure to copy

15:00

your new secret client now you won't be

15:02

able to see it again so make sure to

15:04

just click the copy little icon here and

15:07

copy this and again save it somewhere

15:09

and we're going to put it in our DOT

15:11

env.local so if you just want to go

15:13

straight to that file we can do that now

15:16

too so make sure you get it here because

15:18

when you come back it will no longer be

15:20

available to see the full length of this

15:23

secret you would just have to generate

15:24

another one if you didn't save it back

15:26

in our DOT env.localfile I'm going to

15:29

call this

15:31

GitHub Secret

15:34

and after that I'm going to set it equal

15:36

to the value that I copied out of GitHub

15:38

for the secret I'm also going to have

15:41

GitHub underscore ID and I need to get

15:45

that ID value that I saved in a text

15:48

file and then I'll paste it in here as

15:50

well so now I've got my GitHub ID and

15:53

GitHub secret saved in the dot env.local

15:56

file and it's worth noting that even the

15:58

GitHub client ID that you have here

16:00

changes for each one of those that you

16:03

generate for oauth so this isn't the

16:05

same between those and of course I'll be

16:07

deleting this as well now that we have

16:09

our secrets in our DOT env.local file

16:12

let's go back and complete our options

16:14

with the providers that we need to

16:16

insert so once again at the top of the

16:18

file we need to import each provider so

16:20

I'm going to

16:21

import then say git hub

16:26

provider and this is going to come from

16:29

next Dash auth slash providers slash

16:34

GitHub and then I'm also going to import

16:38

the credentials

16:40

provider

16:42

which should come from next

16:45

Dash auth slash providers slash

16:49

credentials okay we've imported both

16:51

providers we need now let's set those up

16:54

so I'll go ahead and create some space

16:56

here in the array and the first is the

16:58

GitHub provider then we have a

17:01

parenthesis and an object inside now

17:04

we'll have a client ID and this refers

17:07

to the value that we set up for the

17:09

GitHub ID so we want to say

17:11

process.env dot

17:14

GitHub underscore ID now notice

17:18

typescript still doesn't like this and

17:19

we can Mouse over and says type string

17:22

undefined is not assignable to type

17:24

string so we can just use an assertion

17:26

here at the end because we know we have

17:28

a string in r dot env.local file so we

17:31

can just say as string remember an

17:33

assertion is essentially telling

17:35

typescript that you know better then

17:37

we've got client secret we'll set this

17:40

to process.env dot GitHub underscore

17:45

secret and we can then once again say as

17:48

string and that's really all there is to

17:50

setting up our GitHub provider so our

17:53

oauth with GitHub is ready to go now

17:56

let's go ahead and set up the

17:57

credentials provider it takes just a

17:59

little bit more work but this is

18:01

something you're almost always going to

18:03

want as far as having users be able to

18:05

use a login name and a password so here

18:09

we're going to have

18:10

credentials provider and then we've got

18:13

a parenthesis and an object once again

18:16

where the name here will just say

18:19

credentials after that we've got a

18:22

credentials property

18:24

and here this is going to be an object

18:26

and then inside of this object we're

18:28

going to have a username set up which is

18:30

another object so here let's say

18:33

label and we're going to have this as

18:36

username and this will actually appear

18:38

on the page so I want username colon

18:41

then after that there's going to be a

18:43

type and this is a text type and then

18:47

we're going to have a placeholder so

18:49

really we're kind of defining our HTML

18:51

input here and the placeholder you could

18:53

put pretty much anything you want to I'm

18:55

going to say your

18:57

Dash cool Dash username so this is just

19:01

a placeholder for that text field then

19:03

after that we're going to have another

19:06

comma here so we've got the comma for

19:09

the credentials then we've got that's

19:12

actually for the username and then we've

19:14

got the comma or the credentials and

19:17

after that we need to have an async

19:20

function here that is an authorized

19:22

function and we pass in those

19:24

credentials that are received now this

19:28

is where you would actually want to get

19:31

your data from a database if you had a

19:33

user database and you typically would

19:35

with credentials or some place you're

19:37

getting the information from where

19:39

you've set up these users already I'm

19:41

just going to hard code in a user and

19:44

I'm just going to copy and paste this

19:45

part in because it's mostly just a

19:47

comment here that I wanted to note

19:49

inside of the code for this tutorial to

19:52

remind you this is where you would

19:54

retrieve your credentials from whatever

19:56

user table or other source where you are

19:59

storing your user information so here

20:02

I'll hide the file tree with control B

20:04

just so we can read all of this but I

20:06

said this is where you need to retrieve

20:07

your user data to verify credentials and

20:10

then reference the docs at this page

20:12

where you shows how to configure the

20:15

providers because they do Show an

20:16

example of retrieving some user data and

20:19

then comparing it so how that would work

20:22

I'm just hard coding this user here

20:24

which is my name Dave and a simple

20:26

password next auth but you would not

20:29

want to do this this will run on the

20:31

server but this is not probably what

20:33

you'd want to recommend by hard coding

20:35

users that's not too flexible certainly

20:37

doesn't grow with your application

20:39

compared to setting up something where

20:40

you would retrieve users from and now we

20:43

just need an if statement so let's say

20:44

if and we'll have our credentials that

20:47

the

20:48

function receives and will say if there

20:51

is a username notice I'm using optional

20:53

chaining here if that's equal to the

20:56

user.name and remember users what I just

20:58

defined right here then let's use the

21:00

double Ampersand because we also need to

21:03

say

21:04

prudentials

21:06

password once again optional chaining

21:09

equals the user

21:12

dot password and I'm going to press alt

21:15

Z to wrap this down so it just wraps all

21:18

the way down oh and I'm getting a red

21:20

squiggly here because I didn't Define

21:21

the password up here under credentials

21:23

so that's reminding me to go back so

21:25

thank you typescript we will go back

21:27

let's finish this if statement quickly

21:29

and then inside of the if statement if

21:31

they match we're just going to return

21:33

the user and then we can have an else

21:38

and if they don't we're just going to

21:40

return null so you could make this a

21:43

ternary statement if you wanted to I

21:45

think the if statements may be just a

21:46

little easier for everyone to read let's

21:48

go ahead and Define the password up here

21:51

as well which is of course why we had

21:52

the comma there to begin with so now

21:54

we'll have our password and this gets

21:57

defined much the same way so we'll start

21:59

with our label and the label is going to

22:01

be

22:03

password and I'll put a colon there as

22:05

well because this does appear on the

22:06

page now the type of input here

22:09

is a password

22:10

and then finally we'll put a placeholder

22:13

you may not want a placeholder for your

22:15

password field but I'll go ahead and put

22:16

one and I'm going to say here

22:19

awesome

22:21

password now we should not have a red

22:25

squiggly from typescript because we've

22:27

defined both username and password on

22:30

the credentials that are passed in and

22:33

so then it recognizes both properties

22:35

let's take a quick scroll down to make

22:37

sure we've closed out our object and yes

22:39

everything looks good so the options are

22:41

now set up let's go back to our route

22:42

file and import those options here at

22:45

the top so I'm going to say

22:47

import

22:49

options and that's going to come from

22:52

dot options so now we've got that we can

22:54

just pass it into our next auth here

22:56

inside of the route and the routes

22:58

configured I'm going to press Ctrl B to

23:00

show the file tree once again over here

23:02

so we're inside of the route file and

23:04

now this is configured with options that

23:06

we defined in the separate file and we

23:09

could go ahead and start the application

23:11

now and what we want to do is make a get

23:13

request because it will already give us

23:15

some information about our next auth

23:18

setup so let's go ahead and open a

23:20

terminal and I'm going to type clear

23:22

first just to get everything else out of

23:24

here then type npm run Dev which should

23:27

start the application and it won't take

23:29

too long and it will tell us it's

23:31

running here at localhost 3000. it's

23:33

already up and running so we can close

23:35

the terminal now I've got thunderclient

23:38

installed you could make a git request

23:40

with Postman you could actually take the

23:43

URL and paste it into a browser and make

23:45

a get request that way also so just

23:48

let's look at what we've got here I've

23:50

got thunderclient and now I'm going to

23:52

make a get request and I already have it

23:54

set up but here's what we want is our

23:57

HTTP not https just HTTP in our Dev

24:02

environment colon slash localhost colon

24:05

Port 3000 then API auth providers so

24:10

that's where we're going to make our

24:12

request let's send that get request and

24:14

let's see what we get back from next

24:16

auth with our information and it's

24:18

telling us quite a bit about our setup

24:20

here so we have GitHub set up as a

24:22

provider it's type oauth and the sign in

24:25

url that is generated for us

24:27

automatically is found at API auth sign

24:32

in GitHub and then here's the Callback

24:35

as well now here is the sign in url for

24:38

credentials API auth sign in credentials

24:42

and then here's the Callback URL and of

24:44

course it's type credentials so just by

24:47

sending a get request to our API auth

24:50

providers we can get this information

24:52

from next auth so again just by using

24:55

the default settings in next auth it

24:57

does a lot of the heavy lifting for us

24:59

and that's what I wanted to show today

25:00

now I'm going to throw a few examples

25:02

into the front end of our next JS app

25:04

and then we'll review those as well okay

25:06

I've got the front end project up and

25:09

running and I want to show you the

25:10

behavior of the project before we look

25:12

at the code notice I'm on the home page

25:15

right now and it says You shall not pass

25:17

so I am protecting this page and what I

25:20

have in this project are three different

25:22

server components that are all protected

25:25

in a different way so I want to show you

25:27

all three ways you can do that I also

25:29

have a client component so first we're

25:31

on the home page we're not logged in

25:33

with GitHub or our credentials so it

25:35

says you shall not pass now I could try

25:38

to go to the server page it's protected

25:40

in a different way so let's try that if

25:43

we go here we instantly get the sign in

25:45

page that next auth creates on its own

25:47

you can see it says your cool username

25:49

name your awesome password just like we

25:51

set up for the placeholders we could

25:53

click here to use oauth to sign in with

25:55

GitHub or I could sign in here with my

25:58

username and password and of course I

25:59

would have to use the ones I hard coded

26:01

since we're not retrieving those from a

26:03

user table anywhere so that's another

26:06

option so that's how the server page

26:08

here protects itself which is different

26:10

than the home page and then I have one

26:12

other server page that right now it's

26:15

not protected and it's just called extra

26:16

it's an extra page I made however I want

26:19

to show the easiest way to apply next

26:22

auth to your entire site and then it

26:25

will be protected so let's go back to vs

26:27

code back in vs code there's one file I

26:29

haven't created yet so let's do that we

26:32

want to make it inside the source

26:33

directory it needs to be at the same

26:35

level as the app directory so we're

26:38

going to make it inside the source

26:39

directory and this is our middleware

26:41

file so

26:43

middleware.ts now this runs on the edge

26:45

and there's some special things about

26:47

this file if you haven't worked with

26:49

next JS middleware but you only need to

26:51

add one line to this file to protect

26:54

your entire site with next auth so I'm

26:57

just going to paste this in because I

26:59

also have a note with it so it says

27:00

without a defined matcher which we're

27:02

going to talk about in just a second

27:04

this one line applies next auth to the

27:06

entire project so we can save this and

27:10

now next auth is applied to all pages in

27:14

our project so let's go back to the

27:16

browser quickly and now I'm going to

27:18

reload

27:20

and what should happen is yes we get the

27:23

sign in page automatically we're not

27:25

signed in anywhere if I were to go back

27:27

to the home page just getting rid of

27:29

everything else in the URL there just go

27:31

to localhost 3000 it should also want us

27:34

to sign in with the GitHub page now

27:36

because next auth is applying itself to

27:39

every page let's go back to vs code and

27:42

we'll also look at how we can just set

27:43

this for a few select pages with a

27:47

matcher so now underneath this I'm going

27:50

to paste in a matcher now I'll press alt

27:53

Z so we can read all of this which is

27:54

just a link to the reference about a

27:57

matcher in the next JS website not the

28:00

next auth website but this applies next

28:03

auth only to matching routes so this can

28:07

be a regex as well and it can exclude so

28:09

you could look at way more details on

28:11

this next JS page but with this matcher

28:14

I've just got an array here that is

28:16

applying it to the extra route that

28:18

would be our extra page and I'm imagine

28:20

we had a dashboard that we wanted to

28:23

have authentication for for example so I

28:25

just put in slash dashboard as another

28:27

example although I don't have a

28:29

dashboard page in this application now

28:33

if we go back to vs code or actually if

28:35

we go back to the browser we should see

28:37

a difference here so now I'm going to

28:40

reload the home page once again that is

28:42

just localhost Port 3000 now we go back

28:45

to our you shall not pass Behavior

28:47

instead of the behavior that was applied

28:49

by putting the auth on the entire site

28:52

with middleware so now we have the you

28:54

shall not pass here but now if I go to

28:56

the extra page it should still be

28:58

protected remember earlier it wasn't

29:00

when we had that previous Behavior with

29:02

the home page so now the middleware has

29:05

applied next auth to our extra route

29:08

because it's in that matcher now let's

29:10

look at the code for the home page and

29:13

the server page here because they are

29:15

very similar but they're both applying

29:17

off in a different way here's the code

29:18

for our home page come component now

29:20

notice what we're doing we're importing

29:22

options that we defined for next auth

29:24

inside of that route that we have at the

29:27

beginning there when we started working

29:28

on the project API slash auth and the

29:31

catch-all here's our options then we

29:33

also need to import git server session

29:35

from next auth Dash next and then I have

29:39

a user card component that I just

29:40

imported so I could use it in all of the

29:42

examples and you could look at that

29:44

inside of the components directory if

29:45

you want to now inside of this

29:48

functional component we await the git

29:50

server session and we pass in the

29:52

options that gives us our session so

29:55

here I'm using kind of logic to

29:58

determine what we display I'm not doing

30:00

anything else that's just how I'm

30:02

protecting the page so if we have a

30:03

session it shows the user card and if we

30:06

don't have a session it gives us that

30:09

message that we were looking at you

30:10

shall not pass now in comparison let's

30:13

look at the server route here and the

30:15

page inside of it it's very much the

30:18

same but notice I also import reported

30:20

redirect from next navigation so here we

30:24

once again await the server session but

30:27

if we don't have a session we just

30:29

redirect and we use this callback here

30:32

inside of the path so API slash auth

30:35

sign in where our sign in is and then we

30:38

put the Callback value here the param

30:40

inside of the URL that is slash server

30:43

so after we log in it would take us

30:45

right back to the page that we were

30:47

wanting to go to and other than that it

30:50

displays the user card so we're just not

30:51

using the same logic in the page so two

30:54

different ways to protect it there if we

30:56

look at our extra route you'll see

30:58

inside of the code very very simple here

31:01

it's not protected at all with this code

31:04

it doesn't even get the session but

31:06

because we applied the next auth

31:09

protection through middleware this page

31:12

is protected it's just applied in a

31:14

different way back in the browser now

31:15

let's talk about the client component

31:18

now it's worth noting that I don't use

31:19

use any compliant components that need

31:22

session data unless it's absolutely

31:24

necessary so that's just shipping extra

31:27

code to the client when I can easily

31:29

request that same data in a server

31:31

component and not need to ship all of

31:33

that code to the client so for me server

31:35

components are usually the bulk of any

31:37

page and the client components are

31:39

imported for what I would call Islands

31:41

of interactivity so the server is

31:44

usually the parent and then I'm putting

31:46

some client components where needed

31:48

inside of it so you don't have to choose

31:50

server or client whenever possible you

31:53

just make the server component the

31:54

parent and import the client component

31:57

however what we're going to look at is a

32:00

page completely made up of a client

32:02

component just as an example here not

32:04

something I would usually do so let's

32:06

click client here and you shall see it

32:09

is also protected let me go ahead and

32:12

log in just so we can see some behavior

32:13

from these Pages after I'm logged in

32:16

and so I just typed in my username and

32:19

password that we hard coded inside of

32:21

the code sign in with credentials it

32:23

says hello Dave and this is a client

32:26

page if I refresh because we're using

32:28

that cookie that we described in the

32:30

docs it's still there and it works just

32:33

fine notice it takes just a second here

32:35

on the client page it flashes just a

32:37

little bit that's a little different

32:39

Behavior than you'll get on the server

32:41

page because the server page is rendered

32:44

and then sent so you don't get that

32:46

flash so that's something worth noting

32:47

as well but they both work now we can go

32:50

to the extra page also that's protected

32:52

by middleware we can go back to the home

32:54

page and instead of saying you shall not

32:56

pass it also says hello Dave and this is

32:59

the home page so we're clearly logged in

33:01

if we go to sign out then it takes us to

33:04

the auto-generated sign out page as well

33:06

which you can see is at API auth sign

33:10

out you would just change this to sign

33:12

in for the auto-generated sign in page

33:15

so we can sign out here now I'm going to

33:17

go ahead and log in with GitHub and

33:19

we'll talk a little bit about what that

33:21

does as well you're going to need to

33:22

authorize the use if you haven't done

33:24

this after you do this the first time

33:25

it's going to probably save that and you

33:28

won't have to do that again unless you

33:30

delete all your data for that site

33:32

notice I have a image coming in now my

33:35

image from GitHub as well so we'll talk

33:37

about that too but let's go back to this

33:39

client page and discuss how all of this

33:42

is applied and of course now it says

33:44

client page so I'm doing the same thing

33:46

on this page if we refresh this should

33:48

still keep us logged in and it does back

33:50

in vs code I'm not showing you the

33:53

client component code first what I am

33:55

showing you is the layout page that we

33:58

have here at the root level along with

34:00

the root page for the home that's

34:03

because for the client to access that

34:06

user data that we get from the session

34:08

from next auth we need to go ahead and

34:11

create an auth provider and that is a

34:13

react context so let's do that first

34:16

and then of course after we create it it

34:19

gets imported in here to the layout and

34:21

we wrap that around everything that we

34:24

want to send that context to which is

34:26

just like working with any other react

34:29

contacts okay so I created a context

34:31

directory and inside of there I have a

34:34

file called auth provider.tsx notice

34:37

it's a client component we say use

34:40

client then we import the session

34:42

Provider from next Dash auth react then

34:46

I went ahead and created the auth

34:47

provider now it gets children just like

34:49

the layout component does so you can

34:52

look at the layout component and see

34:54

what it's receiving here is just the

34:56

same as that is and then inside of this

34:59

we just wrap the children in this

35:01

session provider that we imported now if

35:04

we go back and look at the layout TX TSX

35:07

it might make a little more sense

35:09

because look this root layout receives

35:12

the exact same thing as far as children

35:14

goes then we're just importing the auth

35:16

provider here and we're wrapping it

35:18

around everything okay now that we've

35:20

covered the provider which is only

35:22

necessary for the client components that

35:24

need the session let's look inside of

35:26

this client directory and look at the

35:28

page because it's a little different

35:30

than the server components there's a

35:31

little more work involved as well it

35:33

says use client here at the top I put in

35:36

a reminder comment that you need that

35:38

auth provider to go ahead and get the

35:41

session data then there's a use session

35:43

hook that we import from next Dash auth

35:45

react we're going to go ahead and import

35:48

redirect as well so we get redirected to

35:51

that login or sign in page with a

35:53

callback that says slash client because

35:55

then we'd want to come back to this page

35:57

so you always make the Callback value

35:59

the page that you're on and then inside

36:02

of you session here notice we get data

36:04

and we're renaming it session we set

36:07

required to true and then there's an on

36:10

unauth account if I could pronounce it

36:13

on on unauthenticated it there we go I

36:17

need more coffee this morning and then

36:19

we redirect of course if we're not

36:21

signed in so that's what all of that

36:23

does then if we are signed in well then

36:25

we're just passing it once again to that

36:27

same user card that we have right there

36:29

and note I'm using the same user card

36:31

inside of those server Pages like the

36:35

home page or the server page I didn't

36:37

think I don't think I put it on the

36:39

extra page that was just very simple but

36:41

I'm using it inside of this client

36:43

component too and I've been asked by

36:44

some can I use a server component inside

36:46

of a client component you wouldn't want

36:48

to do that but don't think of this

36:50

component which is more of a generic

36:51

component in that regard just think of

36:53

it as a react component that we're using

36:55

wherever we need it because this is

36:58

within a client component I don't have

37:00

used server or anything at the top of

37:03

this user card component it's just a

37:05

component that we can reuse just like a

37:07

button so we're not really nesting what

37:09

you would think of as a server component

37:11

inside of a client component and there

37:13

shouldn't be a reason to do that either

37:15

remember what I was advising use the

37:18

server components as the parents

37:20

whenever possible and then import the

37:22

clients and just use those where needed

37:24

however in this example this is

37:27

completely a client component because

37:29

that's what the whole page is I wouldn't

37:31

normally do that but if you need to do

37:34

it of course it is possible okay now