Announcing Accounts.js 1.0 Release Candidate

This article was published on Monday, January 8, 2024 by Niccolo Belli @ The Guild Blog

The first release candidate of Accounts.js 1.0 is now officially
available!

It's the culmination of a long process of rearchitecting the whole framework, which is finally a
first-class citizen of the graphql-modules package. It
supports the latest GraphQL.js v16 and graphql-tools v10 as
well as any modern GraphQL server including Apollo Server v4 and
GraphQL Yoga v5.

About Me

My name is Niccolò Belli, darkbasic on GitHub. I'm a freelance
full-stack web developer passionate about open source who loves to work with Typescript and GraphQL,
along with managing Linux servers. I've been working on Open Source technologies since many years
and I've recently become an Accounts.js maintainer because I was tired of the existing alternatives
and their lack of GraphQL integration. While I don't like overly-opinionated frameworks that lock
you in into their ecosystems I love to work with libraries that allow you to quickly prototype your
application while being scalable and highly customizable. That's why I'm also a MikroORM
collaborator, which is the best Node.js ORM available and allows me to retain any amount of
flexibility if I decide to manually write big PostgreSQL queries and hydrate the results back into
the ORM for further processing. I've developed many tools around this workflow, including
automatically generating slonik types via the ORM metadata to
manually write composable SQL queries that are type safe at runtime and build time. This is material
for another blog post but I would love to make everything open source once my prerequisite
zod PR gets merged.

What Is Accounts.JS

The @accounts suite of packages aims to provide an end-to-end authentication and accounts
management solution with n user-friendly way to start while preserving options for configuration.
These packages offer OAuth support for popular providers such as Instagram or Twitter, two-factor
authentication, password-based accounts, recovery options, and customizable account creation and
validation.

To integrate accounts-js into your application, you need to configure these three components:

1. Transports: The flexibility of accounts-js allows it to be integrated with different types
   of APIs. For now, we provide packages for both GraphQL and REST.

2. Databases: Accounts.js provides a
   native Mongo integration.
   Additionally, it offers
   MikroORM and
   Typeorm
   integrations, which lets you use accounts-js with any database. Optionally, you can use Redis
   to store the session data, or provide a custom database adapter that will work with existing
   authentication strategies by implementing the DatabaseInterface.

3. Strategies: You can use multiple strategies to let your users access your app. For now, it
   supports password-based, magic link, and OAuth authentication methods.

Note: Accounts.js is a full-stack solution, providing a full set of packages to seamlessly
implement your chosen authentication workflow on the client as well!

The New Architecture

In Accounts.js 1.0, we use graphql-modules to compose the authentication framework, automatically
piecing together your preferred database adapter(s) with the authentication service(s) of your
choice (password-based, OAuth, etc). As mentioned before, accounts-js currently supports GraphQL
and REST. For the former, graphql-modules automatically provides the schema based on the modules
you're using, while for the latter, it provides dependency injection across the various modules to
piece them together.

const app = createApplication({
  modules: [
    createAccountsCoreModule({ tokenSecret: 'secret' }),
    createAccountsPasswordModule({
      requireEmailVerification: true,
      sendVerificationEmailAfterSignup: true,
    }),
    createAccountsMongoModule({ dbConn }),
  ],
  schemaBuilder: buildSchema({ typeDefs, resolvers }),

If your application already uses graphql-modules, all you need to do is add the accounts.js
modules of your choice to your own application module. Otherwise, it's a matter of providing your
resolvers and type definitions to the buildSchema function.

// GraphQL Yoga 5
const yoga = createYoga({
  plugins: [useGraphQLModules(app)],
  context: ctx => context(ctx, { createOperationController })
})
createServer(yoga).listen()

// Apollo Server 4
const apollo = new ApolloServer({
  gateway: app.createApolloGateway()
})
startStandaloneServer(apollo, {
  context: ctx => context(ctx, { createOperationController })
})

At this point, whatever your GraphQL server of choice, your authenticated application is just a few
lines of code away.

But what if all I care is REST?

Use the graphql-modules injector to retrieve the AccountsServer instance and feed it to
@accounts/rest-express!

const controller = app.createOperationController({
  context: {}
})
const accountsServer = controller.injector.get(AccountsServer)
expressApp.use(accountsExpress(accountsServer))

Alternatively, if you don't want to use graphql-modules, you can still manually instantiate the
providers. Here's
an example.

The New MikroORM Database Adapter

The second big change in Accounts.js 1.0 is the release of the brand new
MikroORM database adapter. MikroORM is a TypeScript ORM for Node.js based
on Data Mapper, Unit of Work and Identity Map patterns. It is also very well-written and actively
developed. Today also marks the release of the v6 of MikroORM, which incorporates
my recent work to automatically batch references
and collections and retrieve them via dataloaders firing a single query. This is especially useful
with GraphQL transport since it automatically solves its notorious N+1 problem without you even
noticing it—more information here.

@Entity()
export class User extends AccountsUser {
  @Property()
  firstName: string

  @Property({ nullable: true })
  lastName?: string

  constructor({ firstName, lastName, ...otherProps }: CtorArgs) {
    super(otherProps)
    this.firstName = firstName
    if (lastName) {
      this.lastName = lastName
    }
  }
}

The Accounts.js MikroORM database adapter can be backed by your database of choice (PostgreSQL,
MySQL, MariaDB, SQLite, MongoDB). It won't force you into any existing entity schema: you can use
the existing entities or provide your own, but please make sure to extend the base ones so that
authentication can occur.

entities: [
  User,
  getUserSchema({ AccountsUser, abstract: true }),
  getEmailSchema({ UserEntity: User }),
  getServiceSchema({ UserEntity: User }),
  getSessionSchema({ UserEntity: User }),
],

Under the hood, it uses MikroORM's EntitySchema, so you
must also provide the schema for the base entities.

Breaking Changes

@accounts/boost has been removed. It was no longer deemed necessary because of the new
graphql-modules architecture that already allows you to plug and play various modules. For
example, instead of providing an existing database connection, you can let @accounts/module-mongo
create a new one for you:

const app = createApplication({
  modules: [
    [...],
    // If you don't provide dbConn it will automatically
    // create a new one, but the module needs to be awaited.
    await createAccountsMongoModule(),

@accounts/graphql-api has been moved into the following packages:

• @accounts/module-core
• @accounts/module-magic-link
• @accounts/module-mikro-orm
• @accounts/module-mongo
• @accounts/module-password
• @accounts/module-typeorm

These packages can assemble your desired authentication workflow and your preferred database
adapter. Despite the significant changes under the hood, I strived to keep the public API mostly the
same, so migrating to 1.0 should be a manageable effort.

What's New

• We switched from pnpm to yarn 4.
• We now return code 401 unmasked errors when unauthorized.
• Added the requireEmailVerification option to require the user to verify the email in order to be able to authenticate.
• You can now enable both ambiguousErrorMessages and enableAutologin if requireEmailVerification is disabled.
• @accounts/password provides express endpoints to verify the email or reset the password whenever the user clicks on the links received via email.
• @accounts/rest-express now validates its inputs via express-validator.
• The examples now use graphql-yoga v5 instead of the old apollo-server 2.
• A new @apollo/server v4 example has been added.
• A basic graphql-http example has been added.
• A MikroORM example has been added.
• The accounts-microservice example has been rewritten from scratch to use modern graphql-tools.
• Docs have been refactored to use docusaurus-plugin-typedoc-api instead of scripts/generate-api-docs.ts.
• New and much improved CI release workflow.
• Basic support for running tests from vscode.
• Upgraded graphql-modules to v3 alpha
• Upgraded @graphql-tools/merge to v9
• Upgraded @graphql-tools/schema to v10
• Upgraded @graphql-tools/utils to v10
• Upgraded graphql to v16
• Upgraded typeorm to 0.3.17
• Upgraded @apollo/client to 3.8
• Upgraded @graphql-codegen to v5
• Upgraded mongodb to v6
• Upgraded ioredis to v5
• Upgraded jsonwebtoken to v9
• Upgraded lodash to 4.17
• Upgraded pg to 8.11
• Upgraded request-ip to 3.3
• Upgraded oauth to 0.10
• Upgraded node-fetch to 2.7
• Upgraded express to 4.18
• Upgraded emittery to 0.13
• Upgraded @levminer/speakeasy to 1.4
• Upgraded @graphql-tools/delegate to v10
• Upgraded @graphql-tools/stitch to v9
• Upgraded @graphql-tools/wrap to v10
• Upgraded mongoose to v8
• Upgraded react to 18.2
• Upgraded jest to 29
• Upgraded typescript to 5.3
• Upgraded eslint to v8
• Upgraded prettier to v3
• Upgraded @apollo/server to 4.9
• Upgraded docusaurus to v3

Remaining Work for the Stable Release

OAuth authentication, while working, surely deserves some love. While REST endpoints for OAuth
should be functional, there are no mutations or resolvers yet, meaning you can't use them with the
GraphQL transport. I'd also like to review the OAuth code and write some examples.
@accounts/oauth-instagram, in particular, still relies upon the deprecated request package and
should be updated. Other popular OAuth providers like Facebook still need to be added (but PRs
exist).

Before the 1.0 stable gets released, I plan to get the existing providers in a better shape,
together with examples and the relevant GraphQL schema.

Post 1.0

I want to create a new @accounts/phone authentication service which lets you authenticate via SMS
OTPs. That would be especially useful in react-native applications where you could automatically
read the SMS and automate the authentication process.

Currently, Accounts.js bundles CommonJS code. While CommonJS can be imported in both CommonJS and
ESM applications, that would rule out Deno/Bun support. For the same reason, we cannot use a wrapper
either: while that would allow us to use ESM imports, it wouldn't be real ESM and thus won't be
compatible. The remaining alternatives are pure ESM and dual packages. While several library authors
opted for the former because of
dual package hazard concerns, I
weigh the benefits differently. While dual package hazards are real, the whole GraphQL ecosystem
relies on dual packages; thus, using instance of is already a hazard. These authors suggest using
async imports to import their pure ESM libraries in common projects, which exposes everyone to the
same hazard (not even considering that this is only viable in async contexts). That goes against why
they decided to bundle pure ESM in the first place. I think it's still too early to target pure ESM,
and dual package is the lesser evil, so I'm leaning towards that for future releases, but I'm ready
to change my mind if you provide enough arguments.

I'd also like to implement some form of account linking, where users could link their existing
account with a different authentication service (for example, password-based and OAuth).

I want to extend Multi-Factor Authentication outside of the password service, baking it into the
core of accounts.js so that any authentication service can take advantage of it.

If future major versions of Accounts.js introduce breaking changes to the database structure, I
would like to provide migrations directly via the @accounts/mikro-orm package.

Last but not least, I would like to bake in cookies authentication. Not only would that fare better
against XSS, but it would also allow server-side rendering and thus enable the usage of frameworks
like Next.js. Alternative storage methods would remain available for those using native
applications.

At the end of the day, 1.0 is just a number, and I really want to provide stable APIs via semantic
versioning.

Accounts.js is an open-source project, and we welcome your
contributions!