
I have a Django application with authenticated (logged-in) users. UPDATE: using the built-in django authentication.

I have another (Svelte) application using Auth.js (https://authjs.dev) for authentication, currently set up with github/facebook/linkedin.

Now I want to send a user from the Django application to the Svelte application, and automagically (i) create the user in the Svelte application if they don't exist, and (ii) log them in to the Svelte application.

I want the end-user experience to be like a regular redirect from one page to the other staying logged-in in both places.

I'm stuck at the part where the user arrives in the Svelte application and I need to create a session. Does Auth.js have any way of doing this without going through a "provider"?

What I have so far is (routes/api/sso/+server.ts):

import { error, redirect } from '@sveltejs/kit'

// get_or_create() and create_new_session_token() are helpers of my own, not shown here.

export async function GET({url, locals, cookies}) {  // should perhaps be POST..?
    // TODO: validate request..

    // where to go next? Only allow a same-site path so this endpoint
    // cannot be used as an open redirect.
    const next = url.searchParams.get('next')
    if (!next || !next.startsWith('/') || next.startsWith('//')) throw error(400, "next is required and must be a relative path")

    // who are we logging in?
    const usr = get_or_create(url.searchParams.get('username')) // and name/email/image/etc.

    // mimic auth.js login behavior...
    const session_token = create_new_session_token()
    locals.session = {
        id: session_token,
        user: {name: usr.name, email: usr.email, image: usr.image},
        expires: new Date(Date.now() + 1000 * 60 * 60 * 2) // two hours
    }
    locals.user = usr
    // ..this might be the only line needed (I'm guessing auth.js will set locals.{session,user} next time it receives a request)?
    cookies.set("authjs.session-token", session_token, {path: "/", httpOnly: true, secure: true, sameSite: "strict"})

    // redirect() is thrown (not returned) so SvelteKit turns it into a 307 response
    throw redirect(307, next)
}
  • This question is a bit vague, are you using the builtin authentication backend for Django (so username + password) or are you using some different backend? Simplest thing for you would probably be something like using a common OAuth provider. Commented Dec 13, 2024 at 8:38
  • Hi @AbdulAzizBarkat, I updated the question, but yes, django default username + password. We have thousands of users there already so moving to a common oauth provider would be a pain (I'm also trying to limit the "chatter" between django and svelte during the sso handover since this is a critical path for us (hundreds of users hitting the "button" at the same time - not all on good networks)). Commented Dec 13, 2024 at 8:46
  • Not posting an answer since it's just a vague direction but you could make the Django app itself an OAuth provider, and then maybe in the links sending the user to your Svelte app include some query string that tells the app to authenticate using your Django apps provider (There will probably be some back and forth redirects to complete the flow but it could work) Commented Dec 13, 2024 at 8:52
  • @AbdulAzizBarkat I thought about that, and it would be a full oauth flow, except the user would never see a login screen when they were redirected back to Django (since they are already logged in there). It just seems like a lot of back-and-forth just to end up in the same spot. Commented Dec 13, 2024 at 22:49

1 Answer


I am not sure how you are maintaining the users in the backend. Both your Django and Svelte app should be referring to the same user table on authjs. In that case simply passing the auth Headers should be sufficient.


3 Comments

In this case the Django app does a lot of other work, and the Svelte/Auth.js app is a single task app. It only really needs to know that Django vouches for the user being allowed into the Svelte system to do one task. Technically the Svelte/auth.js app doesn't even need any personal data - although we want to send the name for personalization. The Svelte/auth.js app should not have access to the full Django user-profile. It is a pretty standard single-sign-on design where Svelte/auth.js has to trust that Django has done auth/auth.
So your svelte app talks to your django app backend?
It shouldn't be needed. They need to share a secret, which can be handled through an admin interface/manual process. When this secret is present in the Django -> Svelte communication (think Bearer Token), then svelte can be confident that the communication is legitimate and that it should let the user "in" (ie. create a session cookie - and the corresponding user/account/session records in the auth.js tables). Https should prevent MITM attacks, the shared secret ensures that Svelte knows it really is Django calling. To prevent replay attacks there should probably be a msg id or timestamp.
