Astro D1 Actions Magic Link Auth

Inspired / based on Lucia-auth basic API sqlite, with no ORM

Tech

1. Cloudflare D1
2. Resend
3. Astro Actions
4. Astro Scoped Styles
5. Astro on-demand rendering

Walkthrough

• Creates an @auth API with useful functions, and requires zero deps.
• Handles sessions within middleware for certain routes, but relies on those routes to protect themselves
• Creates a set of actions (actions.auth) which use the @auth API
• Attempts to be Progressive Enhancement, meaning requires zero JS to work, meaning all actions are submit via html forms
• Attempts to rate limit emails in the auth actions based on the token createdAt time
• Uses schema.sql and creates indexes in attempt to improve performance (didn't test if these help)
• Attempts to provide opaque messaging to prevent enumeration attacks on existing accounts
• Will not sign in if user has not signed up, but will sign in if user has already signed up and tries to sign up again
  • not 100% sure about this pattern but maybe supports some special sign up stuff in future, but does create friction if user doesn't realize they must sign up first
• Has a non action based endpoint for verification, looked into having it use actions but it just didn't feel right, this is my first actions project

Dev Experience / Deploying

• Uses Astro Dev server, and wrangler cli
• wrangler types && astro dev
• wrangler d1 create magic-links-prod
• wrangler d1 execute magic-links-prod --local --file=./src/lib/db/schema.sql for dev server
• wrangler d1 execute magic-links-prod --remote --file=./src/lib/db/schema.sql in prod from cli
• Secrets added via dashboard in prod (RESEND_API_KEY)
  • View project -> settings -> variables and secrets -> add secret and redeploy
• Didn't bother with local or preview DB for dev
• Created a resend account and tested via the onboarding email (which can only send to your account's email)

Notes

This project made me excited for Astro Sessions and things like laravel's flash data