remix-auth-github icon indicating copy to clipboard operation
remix-auth-github copied to clipboard
verified publisher icon sergiodxa

redirectURI without the domain?

Open kentcdodds opened this issue 10 months ago • 6 comments

Right now I have to do this:

return new GitHubStrategy(
	{
		clientId: process.env.GITHUB_CLIENT_ID,
		clientSecret: process.env.GITHUB_CLIENT_SECRET,
		redirectURI: 'https://www.epicstack.dev/auth/github/callback',
	},
	async () => {
		// ...
	}
)

But I want to be able to do this:

return new GitHubStrategy(
	{
		clientId: process.env.GITHUB_CLIENT_ID,
		clientSecret: process.env.GITHUB_CLIENT_SECRET,
		redirectURI: '/auth/github/callback',
	},
	async () => {
		// ...
	}
)

And then the strategy would get the domain from the request.

This would make it so we can run this locally and on staging. Additionally with this improvement people wouldn't have to change this hard-coded URL when creating an epic app.

kentcdodds avatar Feb 22 '25 15:02 kentcdodds

For now I've updated it to an environment variable, but I still think it would be nice to not have to configure that.

kentcdodds avatar Feb 22 '25 15:02 kentcdodds

The solution I recommend is that instead of making the strategy be smart about how to format the endpoint based on the hostname of the app, let the app itself do it.

You can create a function that receives the Request, and creates and return the Authenticator with the strategy.

export function createAuthenticator(request: Request) {
  let authenticator = new Authenticator<T>()
  authenticator.use(
    new GitHubStrategy({ redirectURI: new URL("/auth/github/callback", request.url) }, verify)
  )
  return authenticator
}

This way you're in control of how to generate the redirectURI based on the request.url.

sergiodxa avatar Feb 25 '25 00:02 sergiodxa

So you recommend dynamically creating a new authenticator per request?

kentcdodds avatar Feb 25 '25 00:02 kentcdodds

Yes, the class itself is really simple and can be discarded after the response is sent. If it ever becomes an issue you could use cachified to ensure it's created once after the first request.

You could also create the Authenticator once at the module level, and only create the strategy in a function as that's the only part that depends on the Request.

sergiodxa avatar Feb 25 '25 00:02 sergiodxa

That's a little different from the way everyone seems to use remix-auth (including how the docs recommend using it). Any reason you can't make the redirectURI support a function that accepts the request?

kentcdodds avatar Feb 25 '25 00:02 kentcdodds

Mostly because every strategy needs to do it, and that way to use Remix Auth is also the way to use it on Cloudflare Workers app as you need to pass any env variable from the AppLoadContext so you need to create the strategies from inside a function.

sergiodxa avatar Feb 25 '25 05:02 sergiodxa