This article was published on Monday, January 8, 2024 by Niccolo Belli @ The Guild Blog
The first release candidate of Accounts.js 1.0 is now officially
available!
It's the culmination of a long process of rearchitecting the whole framework, which is finally a
first-class citizen of the graphql-modules package. It
supports the latest GraphQL.js v16 and graphql-tools v10 as
well as any modern GraphQL server including Apollo Server v4 and
GraphQL Yoga v5.
About Me
My name is Niccolò Belli, darkbasic on GitHub. I'm a freelance
full-stack web developer passionate about open source who loves to work with Typescript and GraphQL,
along with managing Linux servers. I've been working on Open Source technologies since many years
and I've recently become an Accounts.js maintainer because I was tired of the existing alternatives
and their lack of GraphQL integration. While I don't like overly-opinionated frameworks that lock
you in into their ecosystems I love to work with libraries that allow you to quickly prototype your
application while being scalable and highly customizable. That's why I'm also a MikroORM
collaborator, which is the best Node.js ORM available and allows me to retain any amount of
flexibility if I decide to manually write big PostgreSQL queries and hydrate the results back into
the ORM for further processing. I've developed many tools around this workflow, including
automatically generating slonik types via the ORM metadata to
manually write composable SQL queries that are type safe at runtime and build time. This is material
for another blog post but I would love to make everything open source once my prerequisite
zod PR gets merged.
What Is Accounts.JS
The @accounts
suite of packages aims to provide an end-to-end authentication and accounts
management solution with n user-friendly way to start while preserving options for configuration.
These packages offer OAuth support for popular providers such as Instagram or Twitter, two-factor
authentication, password-based accounts, recovery options, and customizable account creation and
validation.
To integrate accounts-js
into your application, you need to configure these three components:
Transports: The flexibility of
accounts-js
allows it to be integrated with different types
of APIs. For now, we provide packages for both GraphQL and REST.Databases: Accounts.js provides a
native Mongo integration.
Additionally, it offers
MikroORM and
Typeorm
integrations, which lets you useaccounts-js
with any database. Optionally, you can use Redis
to store the session data, or provide a custom database adapter that will work with existing
authentication strategies by implementing theDatabaseInterface
.Strategies: You can use multiple strategies to let your users access your app. For now, it
supports password-based, magic link, and OAuth authentication methods.
Note: Accounts.js is a full-stack solution, providing a full set of packages to seamlessly
implement your chosen authentication workflow on the client as well!
The New Architecture
In Accounts.js 1.0, we use graphql-modules
to compose the authentication framework, automatically
piecing together your preferred database adapter(s) with the authentication service(s) of your
choice (password-based, OAuth, etc). As mentioned before, accounts-js
currently supports GraphQL
and REST. For the former, graphql-modules
automatically provides the schema based on the modules
you're using, while for the latter, it provides dependency injection across the various modules to
piece them together.
const app = createApplication({
modules: [
createAccountsCoreModule({ tokenSecret: 'secret' }),
createAccountsPasswordModule({
requireEmailVerification: true,
sendVerificationEmailAfterSignup: true,
}),
createAccountsMongoModule({ dbConn }),
],
schemaBuilder: buildSchema({ typeDefs, resolvers }),
If your application already uses graphql-modules
, all you need to do is add the accounts.js
modules of your choice to your own application module. Otherwise, it's a matter of providing your
resolvers and type definitions to the buildSchema
function.
// GraphQL Yoga 5
const yoga = createYoga({
plugins: [useGraphQLModules(app)],
context: ctx => context(ctx, { createOperationController })
})
createServer(yoga).listen()
// Apollo Server 4
const apollo = new ApolloServer({
gateway: app.createApolloGateway()
})
startStandaloneServer(apollo, {
context: ctx => context(ctx, { createOperationController })
})
At this point, whatever your GraphQL server of choice, your authenticated application is just a few
lines of code away.
But what if all I care is REST?
Use the graphql-modules
injector to retrieve the AccountsServer
instance and feed it to
@accounts/rest-express
!
const controller = app.createOperationController({
context: {}
})
const accountsServer = controller.injector.get(AccountsServer)
expressApp.use(accountsExpress(accountsServer))
Alternatively, if you don't want to use graphql-modules
, you can still manually instantiate the
providers. Here's
an example.
The New MikroORM Database Adapter
The second big change in Accounts.js 1.0 is the release of the brand new
MikroORM database adapter. MikroORM is a TypeScript ORM for Node.js based
on Data Mapper, Unit of Work and Identity Map patterns. It is also very well-written and actively
developed. Today also marks the release of the v6 of MikroORM, which incorporates
my recent work to automatically batch references
and collections and retrieve them via dataloaders firing a single query. This is especially useful
with GraphQL transport since it automatically solves its notorious N+1 problem without you even
noticing it—more information here.
@Entity()
export class User extends AccountsUser {
@Property()
firstName: string
@Property({ nullable: true })
lastName?: string
constructor({ firstName, lastName, ...otherProps }: CtorArgs) {
super(otherProps)
this.firstName = firstName
if (lastName) {
this.lastName = lastName
}
}
}
The Accounts.js MikroORM database adapter can be backed by your database of choice (PostgreSQL,
MySQL, MariaDB, SQLite, MongoDB). It won't force you into any existing entity schema: you can use
the existing entities or provide your own, but please make sure to extend the base ones so that
authentication can occur.
entities: [
User,
getUserSchema({ AccountsUser, abstract: true }),
getEmailSchema({ UserEntity: User }),
getServiceSchema({ UserEntity: User }),
getSessionSchema({ UserEntity: User }),
],
Under the hood, it uses MikroORM's EntitySchema, so you
must also provide the schema for the base entities.
Breaking Changes
@accounts/boost
has been removed. It was no longer deemed necessary because of the new
graphql-modules
architecture that already allows you to plug and play various modules. For
example, instead of providing an existing database connection, you can let @accounts/module-mongo
create a new one for you:
const app = createApplication({
modules: [
[...],
// If you don't provide dbConn it will automatically
// create a new one, but the module needs to be awaited.
await createAccountsMongoModule(),
@accounts/graphql-api
has been moved into the following packages:
-
@accounts/module-core
-
@accounts/module-magic-link
-
@accounts/module-mikro-orm
-
@accounts/module-mongo
-
@accounts/module-password
-
@accounts/module-typeorm
These packages can assemble your desired authentication workflow and your preferred database
adapter. Despite the significant changes under the hood, I strived to keep the public API mostly the
same, so migrating to 1.0 should be a manageable effort.
What's New
- We switched from pnpm to yarn 4.
- We now return code 401 unmasked errors when unauthorized.
- Added the
requireEmailVerification
option to require the user to verify the email in order to be able to authenticate. - You can now enable both
ambiguousErrorMessages
andenableAutologin
ifrequireEmailVerification
is disabled. -
@accounts/password
provides express endpoints to verify the email or reset the password whenever the user clicks on the links received via email. -
@accounts/rest-express
now validates its inputs via express-validator. - The examples now use graphql-yoga v5 instead of the old apollo-server 2.
- A new
@apollo/server
v4 example has been added. - A basic graphql-http example has been added.
- A MikroORM example has been added.
- The accounts-microservice example has been rewritten from scratch to use modern graphql-tools.
- Docs have been refactored to use
docusaurus-plugin-typedoc-api
instead ofscripts/generate-api-docs.ts
. - New and much improved CI release workflow.
- Basic support for running tests from vscode.
- Upgraded
graphql-modules
to v3 alpha - Upgraded
@graphql-tools/merge
to v9 - Upgraded
@graphql-tools/schema
to v10 - Upgraded
@graphql-tools/utils
to v10 - Upgraded
graphql
to v16 - Upgraded
typeorm
to 0.3.17 - Upgraded
@apollo/client
to 3.8 - Upgraded
@graphql-codegen
to v5 - Upgraded
mongodb
to v6 - Upgraded
ioredis
to v5 - Upgraded
jsonwebtoken
to v9 - Upgraded
lodash
to 4.17 - Upgraded
pg
to 8.11 - Upgraded
request-ip
to 3.3 - Upgraded
oauth
to 0.10 - Upgraded
node-fetch
to 2.7 - Upgraded
express
to 4.18 - Upgraded
emittery
to 0.13 - Upgraded
@levminer/speakeasy
to 1.4 - Upgraded
@graphql-tools/delegate
to v10 - Upgraded
@graphql-tools/stitch
to v9 - Upgraded
@graphql-tools/wrap
to v10 - Upgraded
mongoose
to v8 - Upgraded
react
to 18.2 - Upgraded
jest
to 29 - Upgraded
typescript
to 5.3 - Upgraded
eslint
to v8 - Upgraded
prettier
to v3 - Upgraded
@apollo/server
to 4.9 - Upgraded
docusaurus
to v3
Remaining Work for the Stable Release
OAuth authentication, while working, surely deserves some love. While REST endpoints for OAuth
should be functional, there are no mutations or resolvers yet, meaning you can't use them with the
GraphQL transport. I'd also like to review the OAuth code and write some examples.
@accounts/oauth-instagram
, in particular, still relies upon the deprecated request
package and
should be updated. Other popular OAuth providers like Facebook still need to be added (but PRs
exist).
Before the 1.0 stable gets released, I plan to get the existing providers in a better shape,
together with examples and the relevant GraphQL schema.
Post 1.0
I want to create a new @accounts/phone
authentication service which lets you authenticate via SMS
OTPs. That would be especially useful in react-native applications where you could automatically
read the SMS and automate the authentication process.
Currently, Accounts.js bundles CommonJS code. While CommonJS can be imported in both CommonJS and
ESM applications, that would rule out Deno/Bun support. For the same reason, we cannot use a wrapper
either: while that would allow us to use ESM imports, it wouldn't be real ESM and thus won't be
compatible. The remaining alternatives are pure ESM and dual packages. While several library authors
opted for the former because of
dual package hazard concerns, I
weigh the benefits differently. While dual package hazards are real, the whole GraphQL ecosystem
relies on dual packages; thus, using instance of
is already a hazard. These authors suggest using
async imports
to import their pure ESM libraries in common projects, which exposes everyone to the
same hazard (not even considering that this is only viable in async contexts). That goes against why
they decided to bundle pure ESM in the first place. I think it's still too early to target pure ESM,
and dual package is the lesser evil, so I'm leaning towards that for future releases, but I'm ready
to change my mind if you provide enough arguments.
I'd also like to implement some form of account linking, where users could link their existing
account with a different authentication service (for example, password-based and OAuth).
I want to extend Multi-Factor Authentication outside of the password service, baking it into the
core of accounts.js so that any authentication service can take advantage of it.
If future major versions of Accounts.js introduce breaking changes to the database structure, I
would like to provide migrations directly via the @accounts/mikro-orm
package.
Last but not least, I would like to bake in cookies authentication. Not only would that fare better
against XSS, but it would also allow server-side rendering and thus enable the usage of frameworks
like Next.js. Alternative storage methods would remain available for those using native
applications.
At the end of the day, 1.0 is just a number, and I really want to provide stable APIs via semantic
versioning.
Accounts.js is an open-source project, and we welcome your
contributions!
Top comments (0)