RFC: Support native apps with bearer token support

[pilcrowonpaper]

I've gotten a few questions regarding on if Lucia can be used with native apps like React Native, Expo, Electron, and Tauri. Lucia is a server side library so it'll work as long as you have a server your app can call. Something like this for OAuth:

1. user clicks "Sign in with Github"
2. redirected to "api.example.com/oauth?provider=github"
3. Github redirects user to "api.example.com/oauth/github" with code
4. "api.example.com/oauth/github" redirects to "app://idkhowthisworks?access_token=<session_id">
5. store "token" (ie. session id) in device

Unlike regular session ids, it should be long lasting (like a year). The client can now make requests by sending the token as a bearer token in the authorization header.

For token renewal, I'm not sure what's the best way to go. You can just disable it all together, or just send a 401 whenever the token is expired and let the client renew it.

API change

I think adding a way to validate access tokens would be enough:

const authRequest = auth.handleRequest();
const { user, session} = await authRequest.validateToken();

Unlike validateUser(), it should not renew idle sessions.

Docs

Maybe add a "Native" framework id, and add guides to Electron, React Native, etc? This part I need the help most :D

[FredBuild]

👍🏻 I am looking forward to this feature! I suggest adding guides to the CLI as well.

[richtommmy]

me too)

[pilcrowonpaper]

I'm guessing there's 2 ways of handling auth.

Use app as the auth client

Use fetch() (or equivalent) to send user's credentials to a web server, which returns a token if valid. Simple.

Use web as the auth client

Validation happens in the browser. Token is sent with deep-linking (myapp://<token>), or the app detects navigation on the browser window and extracts the token stored in the params.

I'm going to guess that listening for navigation is the easier option for desktop (?):

framework	support	notes
electron	✅	seem simple?
tauri	⚠️	available only in Rust

For mobile (Expo and Native), still looking into it

[SergioRibera]

Reviewing, it seems to me that to make a correct integration with tauri it would be necessary to rewrite the library but in rust, this for security issues, this can have 2 benefits, the use in tauri (through a tauri plugin) and its integration in backend systems, either rocket, wrap, actix or even its base use in some service.

I think I can help with the Rust and tauri part.

PS: Tauri has in development mobile implementations so even the integration in tauri could already be mobile.

[pilcrowonpaper]

@SergioRibera Yeah, I'm not making Lucia for Rust (maybe someday though). I'm interested in having guides for each native framework, and that's the biggest bottleneck. In my mind, the client should be relatively simple but I may be under severely under-estimating the work needed. The example should be something like this:

1. App opens browser window
2. Server handles stuff (easy)
3. Listen to navigation => extract token from url
4. Store token in device
5. Send simple GET request with token

[SergioRibera]

Ok, I think I have you, I'll create the project and in a few days I'll tell you here a little about how it's planned to be done

[pilcrowonpaper]

Thanks, let me know if you need any help!

[SeanCassiere]

Looks like Tauri has a plugin already for deep-linking with an open issue on their github.

[lmssiehdev]

any update on using this with expo?

[pilcrowonpaper]

I'll likely add a guide on Expo but it might take a while

[damianmarek]

Definitely waiting for it

[andrictham]

Eagerly waiting for it too! Especially for Expo on iOS and how to deal with “Sign in with Apple”.

[victorbueno]

I'm developing a sveltekit server. I want to use it for an Expo app. It seems that we do not have it yet. I'm going to finish testing tomorrow. If it does not work, I'm going to have develop all the logic and wait for Lucia to keep up.

[trevorpfiz]

does “Sign in with Apple” work by following the Expo guide?