@convex-dev/convex-lucia-auth

Convex Database Adapter + UI for Lucia Auth Library

This library enables authentication built entirely on top of Convex without any third-party platform. It uses Lucia for the authentication logic.

Features:

• Without any additional setup, you can sign in with an email+password combination
• Sign out button
• Session is preserved in localStorage
• Passwords are securely hashed

This integration works! You can see a production deployment at this live site: https://get-convex.github.io/convex-lucia-auth-demo/.

Install

npm install @convex-dev/convex-lucia-auth

Checkout Docs for how to integrate the library into your app.

Deploying to production

In your production deployment's settings page configure this variable:

• LUCIA_ENVIRONMENT=PROD

Note on CSRF protection

The React components use localStorage for storing the secret sessionId. This means that sessions are only preserved on pages served on the same subdomain, such as foo.example.com or username.github.io. This prevents CSRF attacks.

This does though invite an XSS attack. Make sure your app is not susceptable to XSS.

Convex currently doesn't support accessing cookies in queries and mutations, so cookie-based authentication can only be used in Convex HTTP actions.

What is Convex?

Convex is a hosted backend platform with a built-in database that lets you write your database schema and server functions in TypeScript. Server-side database queries automatically cache and subscribe to data, powering a realtime useQuery hook in our React client. There are also Python, Rust, ReactNative, and Node clients, as well as a straightforward HTTP API.

The database support NoSQL-style documents with relationships and custom indexes (including on fields in nested objects).

The query and mutation server functions have transactional, low latency access to the database and leverage our v8 runtime with determinism guardrails to provide the strongest ACID guarantees on the market: immediate consistency, serializable isolation, and automatic conflict resolution via optimistic multi-version concurrency control (OCC / MVCC).

The action server functions have access to external APIs and enable other side-effects and non-determinism in either our optimized v8 runtime or a more flexible node runtime.

Functions can run in the background via scheduling and cron jobs.

Development is cloud-first, with hot reloads for server function editing via the CLI. There is a dashbord UI to browse and edit data, edit environment variables, view logs, run server functions, and more.

There are built-in features for reactive pagination, file storage, reactive search, https endpoints (for webhooks), streaming import/export, and runtime data validation for function arguments and database data.

Everything scales automatically, and it’s free to start.