Forem: Toby Hobson The latest articles on Forem by Toby Hobson (@tobyh). https://forem.com/tobyh https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F1694491%2Fdb43bff4-36f3-475a-8fc3-14459a8d5e55.jpg Forem: Toby Hobson https://forem.com/tobyh en Protecting SvelteKit routes using sessions and hooks Toby Hobson Tue, 01 Oct 2024 11:42:29 +0000 https://forem.com/passlock/sveltekit-lucia-and-passkey-authentication-a-tutorial-apo https://forem.com/passlock/sveltekit-lucia-and-passkey-authentication-a-tutorial-apo <p>This tutorial forms the second part of my SvelteKit series. If you haven't already done so, please read the first installment. In this post I'll show you how to protect your routes using user accounts, sessions and hooks.</p> <h2> Add the libraries </h2> <p>We'll use <a href="https://lucia-auth.com" rel="noopener noreferrer">Lucia</a> for session management, and <a href="https://www.prisma.io/docs/orm/overview/introduction/what-is-prisma" rel="noopener noreferrer">Prisma</a> + <a href="https://github.com/WiseLibs/better-sqlite3" rel="noopener noreferrer">SQLite</a> for persistence.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm add <span class="nt">-D</span> lucia pnpm add <span class="nt">-D</span> prisma pnpm add <span class="nt">-D</span> @lucia-auth/adapter-prisma </code></pre> </div> <h2> Setup the database </h2> <p>Initialise Prisma:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm dlx prisma init <span class="nt">--datasource-provider</span> sqlite </code></pre> </div> <p>The prisma init script should have created a prisma directory in your application route. It should also have updated your <code>.env</code> file with a <code>DATABASE_URL</code> key:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nv">DATABASE_URL</span><span class="o">=</span><span class="s2">"file:./dev.db"</span> <span class="nv">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="o">=</span><span class="s2">"..."</span> <span class="nv">PUBLIC_PASSLOCK_CLIENT_ID</span><span class="o">=</span><span class="s2">"..."</span> <span class="nv">PASSLOCK_API_KEY</span><span class="o">=</span><span class="s2">"..."</span> </code></pre> </div> <p>Next, define the database schema by editing <code>prisma/schema.prisma</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>// prisma/schema.prisma generator client { provider = "prisma-client-js" } datasource db { provider = "sqlite" url = env("DATABASE_URL") } model User { id String @id @default(uuid()) email String @unique givenName String? familyName String? sessions Session[] } model Session { id String @id @default(uuid()) userId String expiresAt DateTime user User @relation(references: [id], fields: [userId], onDelete: Cascade) } </code></pre> </div> <p>Run the initial migration:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm dlx prisma migrate dev <span class="nt">--name</span> init </code></pre> </div> <h2> User registration </h2> <p>Previously we registered a passkey on the users device. We'll now create a user in our database and link the passkey to the local user. Update the registration form action:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/register/+page.server.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Actions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Passlock</span><span class="p">,</span> <span class="nx">TokenVerifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@passlock/sveltekit</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/private</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">error</span><span class="p">,</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">tokenVerifier</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenVerifier</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">actions</span><span class="p">:</span> <span class="nx">Actions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">formData</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="kr">string</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenVerifier</span><span class="p">.</span><span class="nf">exchangeToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">Passlock</span><span class="p">.</span><span class="nf">isPrincipal</span><span class="p">(</span><span class="nx">result</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// FIXME JUST FOR DEVELOPMENT TESTING!!!</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">deleteMany</span><span class="p">()</span> <span class="c1">// create a user in the local db</span> <span class="k">await</span> <span class="nx">client</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nf">create</span><span class="p">({</span> <span class="na">data</span><span class="p">:</span> <span class="p">{</span> <span class="na">id</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="na">email</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">email</span> <span class="k">as</span> <span class="kr">string</span><span class="p">,</span> <span class="na">givenName</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">givenName</span><span class="p">,</span> <span class="na">familyName</span><span class="p">:</span> <span class="nx">result</span><span class="p">.</span><span class="nx">familyName</span> <span class="p">}</span> <span class="p">})</span> <span class="nf">redirect</span><span class="p">(</span><span class="mi">302</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="nf">error</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Try to register a user </h3> <p>You can now try to register a user account and associated passkey. Navigate to the <code>/register</code> page. The client side template and form action will together:</p> <ol> <li>Register a passkey on the users device</li> <li>Register the public key component in your Passlock vault</li> <li>Create a local Lucia user and link the passkey to that account</li> </ol> <p><strong>Important:</strong> Make sure you don't already have a user registered in your <a href="https://console.passlock.dev/users" rel="noopener noreferrer">Passlock console</a>. Otherwise Passlock will generate an error telling you that a passkey is already registered to that email address.</p> <p>If all goes well, you should be redirected to the login page.</p> <h2> User authentication </h2> <p>Previously, we prompted the user to authenticate with their passkey, then verified the token in our form action. We'll build on that work to:</p> <ol> <li>Lookup a local user using the <code>sub</code> property</li> <li>Create a Lucia session for that user</li> <li>Invalidate any other user sessions</li> </ol> <p>We'll update the login action to hook into Lucia, but before we do that, let's setup Lucia itself. Create a file at <code>src/lib/server/auth.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/lib/server/auth.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Lucia</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">lucia</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">dev</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/environment</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaAdapter</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@lucia-auth/adapter-prisma</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PrismaClient</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@prisma/client</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">client</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaClient</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">adapter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">PrismaAdapter</span><span class="p">(</span><span class="nx">client</span><span class="p">.</span><span class="nx">session</span><span class="p">,</span> <span class="nx">client</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">lucia</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">Lucia</span><span class="p">(</span><span class="nx">adapter</span><span class="p">,</span> <span class="p">{</span> <span class="na">sessionCookie</span><span class="p">:</span> <span class="p">{</span> <span class="na">attributes</span><span class="p">:</span> <span class="p">{</span> <span class="c1">// set to `true` when using HTTPS</span> <span class="na">secure</span><span class="p">:</span> <span class="o">!</span><span class="nx">dev</span> <span class="p">}</span> <span class="p">}</span> <span class="p">})</span> <span class="kr">declare</span> <span class="kr">module</span> <span class="dl">'</span><span class="s1">lucia</span><span class="dl">'</span> <span class="p">{</span> <span class="kr">interface</span> <span class="nx">Register</span> <span class="p">{</span> <span class="nl">Lucia</span><span class="p">:</span> <span class="k">typeof</span> <span class="nx">lucia</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Next, update the login action:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/login/+page.server.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Actions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Passlock</span><span class="p">,</span> <span class="nx">TokenVerifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@passlock/sveltekit</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/private</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lucia</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/server/auth</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">error</span><span class="p">,</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">tokenVerifier</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenVerifier</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">actions</span><span class="p">:</span> <span class="nx">Actions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span><span class="p">,</span> <span class="nx">cookies</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">formData</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="kr">string</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenVerifier</span><span class="p">.</span><span class="nf">exchangeToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">Passlock</span><span class="p">.</span><span class="nf">isPrincipal</span><span class="p">(</span><span class="nx">result</span><span class="p">))</span> <span class="p">{</span> <span class="c1">// delete other active sessions</span> <span class="k">await</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">invalidateUserSessions</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">sub</span><span class="p">)</span> <span class="kd">const</span> <span class="nx">session</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">createSession</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">sub</span><span class="p">,</span> <span class="p">{})</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">createSessionCookie</span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// set a cookie representing the new session</span> <span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">lucia</span><span class="p">.</span><span class="nx">sessionCookieName</span><span class="p">,</span> <span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">attributes</span> <span class="p">})</span> <span class="nf">redirect</span><span class="p">(</span><span class="mi">302</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="nf">error</span><span class="p">(</span><span class="mi">500</span><span class="p">,</span> <span class="nx">result</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Try logging in </h3> <p>Visit the <code>/login</code> page and try to login using the same email address you used for registration. If all goes well, you should be redirected back to the home page. </p> <p>Now check your browser dev tools. You should see a new cookie named <code>auth_session</code> with a long, cryptographically random token.</p> <p>Finally, we need to protect the routes to ensure that only authenticated users can access them...</p> <h2> Protect the routes </h2> <p>Now that we can authenticate users, we want to protect access to certain routes. We can build quite sophisticated authorization policies, but for now we'll just protect a single route, allowing access to <strong>any authenticated user</strong>. We'll do this using <a href="https://kit.svelte.dev/docs/hooks" rel="noopener noreferrer">SvelteKit hooks</a>. Our hook will:</p> <ol> <li>Check for a lucia session cookie</li> <li>Lookup the associated session and user</li> <li>Attach the session and user to the <a href="https://kit.svelte.dev/docs/types#app-locals" rel="noopener noreferrer">app locals</a> </li> <li>Reject any unauthenticated request to a protected route</li> </ol> <h3> Type the locals </h3> <p>As we'll be using <a href="https://kit.svelte.dev/docs/types#app-locals" rel="noopener noreferrer">app locals</a> with Typescript, let's type it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/app.d.ts</span> <span class="kr">declare</span> <span class="nb">global</span> <span class="p">{</span> <span class="k">namespace</span> <span class="nx">App</span> <span class="p">{</span> <span class="kr">interface</span> <span class="nx">Locals</span> <span class="p">{</span> <span class="nl">user</span><span class="p">:</span> <span class="k">import</span><span class="p">(</span><span class="dl">"</span><span class="s2">lucia</span><span class="dl">"</span><span class="p">).</span><span class="nx">User</span> <span class="o">|</span> <span class="kc">null</span> <span class="nx">session</span><span class="p">:</span> <span class="k">import</span><span class="p">(</span><span class="dl">"</span><span class="s2">lucia</span><span class="dl">"</span><span class="p">).</span><span class="nx">Session</span> <span class="o">|</span> <span class="kc">null</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> <span class="k">export</span> <span class="p">{}</span> </code></pre> </div> <h3> Attach the user to the request </h3> <p>We'll check for the <code>auth_session</code> cookie, lookup the associated session and user and attach them to the request via app locals:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/hooks.server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lucia</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/server/auth</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="kd">type</span> <span class="nx">Handle</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handle</span><span class="p">:</span> <span class="nx">Handle</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">resolve</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">lucia</span><span class="p">.</span><span class="nx">sessionCookieName</span><span class="p">)</span> <span class="c1">// if no sessionId we can assume there is no session or user</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">sessionId</span> <span class="p">?</span> <span class="k">await</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">validateSession</span><span class="p">(</span><span class="nx">sessionId</span><span class="p">)</span> <span class="p">:</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="kc">null</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span> <span class="o">&amp;&amp;</span> <span class="nx">session</span><span class="p">.</span><span class="nx">fresh</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// refreshed session, update the cookie</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">createSessionCookie</span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="nx">event</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">attributes</span> <span class="p">})</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// effectively delete the session cookie </span> <span class="c1">// by overwriting it with a blank value</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">createBlankSessionCookie</span><span class="p">()</span> <span class="nx">event</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">attributes</span> <span class="p">})</span> <span class="p">}</span> <span class="c1">// attach the user and session to the request</span> <span class="nx">event</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span> <span class="nx">event</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">session</span> <span class="o">=</span> <span class="nx">session</span> <span class="k">return</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Try the status route </h3> <p>At the moment we haven't protected any routes, we simply attach a user to the request. Lets test it. Create a new <code>/status</code> route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- src/routes/status/+page.svelte --&gt;</span> <span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="nx">type</span> <span class="p">{</span> <span class="nx">PageData</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">let</span> <span class="nx">data</span><span class="p">:</span> <span class="nx">PageData</span> <span class="nt">&lt;/script&gt;</span> userId: {data.user?.id} </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/status/+page.server.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">PageServerLoad</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">load</span> <span class="o">=</span> <span class="p">(</span><span class="k">async </span><span class="p">({</span> <span class="nx">locals</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">return</span> <span class="p">{</span> <span class="na">user</span><span class="p">:</span> <span class="nx">locals</span><span class="p">.</span><span class="nx">user</span> <span class="p">}</span> <span class="p">})</span> <span class="nx">satisfies</span> <span class="nx">PageServerLoad</span> </code></pre> </div> <p>Login using your passkey, then visit the <code>/status</code> page. If all goes well, you should see your <code>userId</code> displayed. Now clear your cookies and visit the status page again. <code>userId</code> should be undefined.</p> <h3> Protect the route </h3> <p>There are many better ways of doing this, but let's go for a simple approach. Update the hooks and check the route id. If <code>routeId === /status</code> and the user is not authenticated we'll redirect them to the login page:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/hooks.server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lucia</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/server/auth</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span><span class="p">,</span> <span class="kd">type</span> <span class="nx">Handle</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">handle</span><span class="p">:</span> <span class="nx">Handle</span> <span class="o">=</span> <span class="k">async </span><span class="p">({</span> <span class="nx">event</span><span class="p">,</span> <span class="nx">resolve</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sessionId</span> <span class="o">=</span> <span class="nx">event</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="nx">lucia</span><span class="p">.</span><span class="nx">sessionCookieName</span><span class="p">)</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">session</span><span class="p">,</span> <span class="nx">user</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">sessionId</span> <span class="p">?</span> <span class="k">await</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">validateSession</span><span class="p">(</span><span class="nx">sessionId</span><span class="p">)</span> <span class="p">:</span> <span class="p">{</span> <span class="na">session</span><span class="p">:</span> <span class="kc">null</span><span class="p">,</span> <span class="na">user</span><span class="p">:</span> <span class="kc">null</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="nx">session</span> <span class="o">&amp;&amp;</span> <span class="nx">session</span><span class="p">.</span><span class="nx">fresh</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">createSessionCookie</span><span class="p">(</span><span class="nx">session</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="nx">event</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">attributes</span> <span class="p">})</span> <span class="p">}</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">sessionCookie</span> <span class="o">=</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">createBlankSessionCookie</span><span class="p">()</span> <span class="nx">event</span><span class="p">.</span><span class="nx">cookies</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">name</span><span class="p">,</span> <span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">value</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span><span class="p">,</span> <span class="p">...</span><span class="nx">sessionCookie</span><span class="p">.</span><span class="nx">attributes</span> <span class="p">})</span> <span class="p">}</span> <span class="nx">event</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">user</span> <span class="o">=</span> <span class="nx">user</span> <span class="nx">event</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">session</span> <span class="o">=</span> <span class="nx">session</span> <span class="c1">// protect the /status route</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">route</span><span class="p">.</span><span class="nx">id</span> <span class="o">===</span> <span class="dl">'</span><span class="s1">/status</span><span class="dl">'</span> <span class="o">&amp;&amp;</span> <span class="o">!</span><span class="nx">event</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">user</span><span class="p">)</span> <span class="p">{</span> <span class="nf">redirect</span><span class="p">(</span><span class="mi">302</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="k">return</span> <span class="nf">resolve</span><span class="p">(</span><span class="nx">event</span><span class="p">)</span> <span class="p">}</span> </code></pre> </div> <h3> Try to access the protected route </h3> <p>Clear your cookies and visit <code>/status</code>. You should be redirected to the login page.</p> <h2> Sign out </h2> <p>Clearing cookies all the time is pretty annoying, so lets add a <code>/logout</code> route:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- src/routes/logout/+page.svelte --&gt;</span> <span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="nx">type</span> <span class="p">{</span> <span class="nx">PageData</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">let</span> <span class="nx">data</span><span class="p">:</span> <span class="nx">PageData</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span><span class="nt">&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Logout<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/logout/+page.server.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Actions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">lucia</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$lib/server/auth</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">redirect</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@sveltejs/kit</span><span class="dl">'</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">actions</span><span class="p">:</span> <span class="nx">Actions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">locals</span><span class="p">,</span> <span class="nx">cookies</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="k">if </span><span class="p">(</span><span class="nx">locals</span><span class="p">.</span><span class="nx">session</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nx">lucia</span><span class="p">.</span><span class="nf">invalidateSession</span><span class="p">(</span><span class="nx">locals</span><span class="p">.</span><span class="nx">session</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="nx">cookies</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">lucia</span><span class="p">.</span><span class="nx">sessionCookieName</span><span class="p">,</span> <span class="p">{</span> <span class="na">path</span><span class="p">:</span> <span class="dl">'</span><span class="s1">/</span><span class="dl">'</span> <span class="p">})</span> <span class="p">}</span> <span class="nf">redirect</span><span class="p">(</span><span class="mi">302</span><span class="p">,</span> <span class="dl">'</span><span class="s1">/login</span><span class="dl">'</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Try signing out </h3> <p>Navigate to the <code>/logout</code> page and sign out. You should be redirected to the login page. If you check your browser cookies, you should see that the <code>auth_session</code> cookie has been removed.</p> <h2> Summary </h2> <p>We wired up passkey registration with local account registration. We used the <code>sub</code> field, which represents a user in the Passlock system, as the local user id. However we could have generated a local user id and added a column <code>passlock_sub</code> to the user table.</p> <p>Instead of using the passlock <code>sub</code> we could insead have used Passlock's <code>authId</code> (authenticator id) as this represents the passkey itself. However as you'll later discover, there are some benefits to referencing <code>sub</code> as it allows us to easily add social login to our SvelteKit apps.</p> svelte sveltekit How to add passkey login to your SvelteKit app Toby Hobson Tue, 01 Oct 2024 11:42:08 +0000 https://forem.com/passlock/passkey-authentication-in-sveltekit-apps-a-tutorial-kop https://forem.com/passlock/passkey-authentication-in-sveltekit-apps-a-tutorial-kop <p>In this tutorial you'll learn how to add passkey authentication to your SvelteKit apps. In subsequent tutorials I'll show you how to add session management, social login and more. </p> <p>Check out the full <a href="https://passlock.dev/blog/tags/sveltekit/" rel="noopener noreferrer">SvelteKit + Authentication Tutorial</a> on my blog.</p> <h3> Feeling lazy? </h3> <p>I've put together a <a href="https://d1rl0ue18b0151.cloudfront.net" rel="noopener noreferrer">SvelteKit Starter App</a> which supports <strong>passkeys, social sign in</strong> and other features. You can choose from multiple UI frameworks including Daisy UI, Preline and Shadcn. Use the CLI script and follow the prompts:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm create @passlock/sveltekit </code></pre> </div> <p><strong>That's it!</strong> check out the generated source code, which has plenty of comments. If you like it, please <a href="https://github.com/passlock-dev/passlock" rel="noopener noreferrer">give it a star</a> 🙏</p> <p>Alternatively read on to learn how to do this manually...</p> <h2> Create a SvelteKit app </h2> <p>Use SvelteKit's CLI to generate a skeleton project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm create svelte@latest my-app </code></pre> </div> <p><strong>Note:</strong> Choose the skeleton project template, with Typescript support.</p> <h2> Add the library </h2> <p>We'll use <a href="https://github.com/passlock-dev/passlock" rel="noopener noreferrer">Passlock</a>, my SvelteKit library for passkey registration and authentication:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm add <span class="nt">-D</span> @passlock/sveltekit </code></pre> </div> <h2> Create a registration route </h2> <p>Create a new template at <code>src/routes/register/+page.svelte</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- src/routes/register/+page.svelte --&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span><span class="nt">&gt;</span> Email: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"email"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;br</span> <span class="nt">/&gt;</span> First name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"givenName"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;br</span> <span class="nt">/&gt;</span> Last name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"familyName"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;br</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Register<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>This won’t win any design awards but I want to keep things simple. Now for the real work … we’ll intercept the form submission and register a passkey on the users device:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- src/routes/register/+page.svelte --&gt;</span> <span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">enhance</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/forms</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">register</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@passlock/sveltekit</span><span class="dl">'</span> <span class="c1">// we'll fill in the tenancyId and clientId later</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">onSubmit</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">register</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TBC</span><span class="dl">'</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TBC</span><span class="dl">'</span> <span class="p">})</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">use:enhance=</span><span class="s">{onSubmit}</span><span class="nt">&gt;</span> Email: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"email"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;br</span> <span class="nt">/&gt;</span> First name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"givenName"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;br</span> <span class="nt">/&gt;</span> Last name: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"familyName"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;br</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Register<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <h3> Explanation </h3> <p>We’re using SvelteKit’s <a href="https://kit.svelte.dev/docs/form-actions#progressive-enhancement" rel="noopener noreferrer">progressive enhancement</a> to intercept the form submission. We use Passlock’s SvelteKit extension to register a passkey.</p> <p>If all goes well, this will return a token that we can exchange for a <code>Principal</code> in our form action.</p> <h3> Process the token in the form action </h3> <p>The form will be submitted with an additional token field. We’ll use it to fetch the passkey details in the form action.</p> <p>Create a new form action at <code>src/routes/register/+page.server.ts</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/register/+page.server.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Actions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Passlock</span><span class="p">,</span> <span class="nx">TokenVerifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@passlock/sveltekit</span><span class="dl">'</span> <span class="c1">// we'll replace the TBCs later</span> <span class="kd">const</span> <span class="nx">tokenVerifier</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenVerifier</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TBC</span><span class="dl">'</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="dl">'</span><span class="s1">TBC</span><span class="dl">'</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">actions</span><span class="p">:</span> <span class="nx">Actions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">formData</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="kr">string</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenVerifier</span><span class="p">.</span><span class="nf">exchangeToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">Passlock</span><span class="p">.</span><span class="nf">isPrincipal</span><span class="p">(</span><span class="nx">result</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The result includes a <code>sub</code> field (subject / user id), along with an <code>authId</code> (authenticator i.e. passkey id). In the next tutorial we'll use this to link the passkey to a local user account.</p> <h2> Create a Passlock cloud account </h2> <p>We've used <code>TBC</code> for some Passlock config values. It's time to replace these with real values.</p> <p>Create a developer account at <a href="https://console.passlock.dev/register" rel="noopener noreferrer">passlock.dev</a> then head to the <a href="https://console.passlock.dev/settings" rel="noopener noreferrer">settings</a> tab within your console. We're after the <code>tenancyId</code>, <code>clientId</code> and <code>apiKey</code> values. </p> <p><strong>Note:</strong> Passlock cloud is a serverless passkey platform that also supports social login, mailbox verification, audit logs and more. It's free for personal and commercial use.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyyo5cd5kp8rhhgpini6.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fbyyo5cd5kp8rhhgpini6.png" alt="Find your Passlock config" width="800" height="303"></a></p> <p>Edit your <code>.env</code> file (or .env.local) and create entries for these values:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># .env</span> PUBLIC_PASSLOCK_TENANCY_ID <span class="o">=</span> <span class="s1">'...'</span> PUBLIC_PASSLOCK_CLIENT_ID <span class="o">=</span> <span class="s1">'...'</span> PASSLOCK_API_KEY <span class="o">=</span> <span class="s1">'...'</span> </code></pre> </div> <p>If you don't have a <code>.env</code> file in your app root, create one.</p> <p>You can now reference these in your template and form actions:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- src/routes/register/+page.svelte --&gt;</span> <span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="nx">PUBLIC_PASSLOCK_CLIENT_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">onSubmit</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">register</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_CLIENT_ID</span><span class="p">,</span> <span class="p">})</span> <span class="p">...</span> <span class="nt">&lt;/script&gt;</span> </code></pre> </div> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/register/+page.server.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/private</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">tokenVerifier</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenVerifier</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">})</span> <span class="p">...</span> </code></pre> </div> <h2> Try to register a passkey </h2> <p>Although we're not yet finished, you should be at a point where you can register a passkey.</p> <p>Navigate to the <code>/register</code> page and complete the form. You should be prompted to create a passkey and the form action will spit out details of the passkey registration.</p> <p>You should also see an entry in the <a href="https://console.passlock.dev/users" rel="noopener noreferrer">users</a> tab of your Passlock console. The console can be used to view security related events, suspend and delete users and more.</p> <h3> Too slow? </h3> <p>At this stage things may seem slow and clunky. We'll address this in a subsequent tutorial, for now we just want to get things working.</p> <h2> Create a login route </h2> <p>We can now register a passkey on the users device. Let’s use that passkey to authenticate. The process is essentially the same as it was for registration.</p> <p>Create a login template at <code>src/routes/login/+page.svelte</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="c">&lt;!-- src/routes/login/+page.svelte --&gt;</span> <span class="nt">&lt;script </span><span class="na">lang=</span><span class="s">"ts"</span><span class="nt">&gt;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">enhance</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$app/forms</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">login</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@passlock/sveltekit</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="nx">PUBLIC_PASSLOCK_CLIENT_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">onSubmit</span> <span class="p">}</span> <span class="o">=</span> <span class="nf">login</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_CLIENT_ID</span> <span class="p">})</span> <span class="nt">&lt;/script&gt;</span> <span class="nt">&lt;form</span> <span class="na">method=</span><span class="s">"post"</span> <span class="na">use:enhance=</span><span class="s">{onSubmit}</span><span class="nt">&gt;</span> Email: <span class="nt">&lt;input</span> <span class="na">type=</span><span class="s">"text"</span> <span class="na">name=</span><span class="s">"email"</span> <span class="nt">/&gt;</span> <span class="nt">&lt;br</span> <span class="nt">/&gt;</span> <span class="nt">&lt;button</span> <span class="na">type=</span><span class="s">"submit"</span><span class="nt">&gt;</span>Login<span class="nt">&lt;/button&gt;</span> <span class="nt">&lt;/form&gt;</span> </code></pre> </div> <p>Notice how we’re only passing the email this time. Now for the form action:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// src/routes/login/+page.server.ts</span> <span class="k">import</span> <span class="kd">type</span> <span class="p">{</span> <span class="nx">Actions</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">./$types</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">Passlock</span><span class="p">,</span> <span class="nx">TokenVerifier</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">@passlock/sveltekit</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/public</span><span class="dl">'</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">'</span><span class="s1">$env/static/private</span><span class="dl">'</span> <span class="kd">const</span> <span class="nx">tokenVerifier</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">TokenVerifier</span><span class="p">({</span> <span class="na">tenancyId</span><span class="p">:</span> <span class="nx">PUBLIC_PASSLOCK_TENANCY_ID</span><span class="p">,</span> <span class="na">apiKey</span><span class="p">:</span> <span class="nx">PASSLOCK_API_KEY</span> <span class="p">})</span> <span class="k">export</span> <span class="kd">const</span> <span class="nx">actions</span><span class="p">:</span> <span class="nx">Actions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">default</span><span class="p">:</span> <span class="k">async </span><span class="p">({</span> <span class="nx">request</span> <span class="p">})</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">formData</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">request</span><span class="p">.</span><span class="nf">formData</span><span class="p">()</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="nx">formData</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">token</span><span class="dl">'</span><span class="p">)</span> <span class="k">as</span> <span class="kr">string</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">tokenVerifier</span><span class="p">.</span><span class="nf">exchangeToken</span><span class="p">(</span><span class="nx">token</span><span class="p">)</span> <span class="k">if </span><span class="p">(</span><span class="nx">Passlock</span><span class="p">.</span><span class="nf">isPrincipal</span><span class="p">(</span><span class="nx">result</span><span class="p">))</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="nx">result</span><span class="p">)</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">result</span><span class="p">.</span><span class="nx">message</span><span class="p">)</span> <span class="p">}</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>The form action is the same (at this stage). Passlock abstracts passkey registration and authentication into a common structure known as a <code>Principal</code>.</p> <h2> Try to login using your passkey </h2> <p>Navigate to the <code>/login</code> page, enter your email (the one you used for registration) and click login. If all goes well, you should see your user details in the server console.</p> <p>Within your Passlock console, under the users tab you should see an entry. If you click on the user you'll be able to see the passkey registration and authentication events. </p> <h2> Summary </h2> <p>We used the Passlock library to register a passkey on the users device. The public key component of the passkey is stored in your Passlock vault.</p> <p>During authentication we ask the user to present their passkey. Passlock verifies that the passkey is authentic, then generates a secure token. This token is passed to the backend form action in the form submission.</p> <p>The form action verifies the secure token is authentic, exchanging it for details about the user and the passkey they used to authenticate.</p> <h2> Next steps </h2> <p>We've made a great start but we now need to link the passkeys to local user accounts and sessions. That's the subject of the next tutorial..</p> svelte sveltekit