congrats! and some quick thoughts

[osseonews]

Just want to say congrats on continuing to build this. Hadn't looked in a few months and you made really amazing progress. I've been working on something similar and you are way, way ahead. So I'll probably drop what I did, and use this, and maybe just contribute here.

BTW, do you plan to upgrade the dependencies? Some are old, e.g. Hono (>4) Lucia Auth to 3.0?

I'm also curious why you use Lucia auth to create the bearer token. The problem with Lucia is that you have to continue to hit the database to verify everything. I think the better option (all big companies do it this way), is that after you verify the login for the user with Lucia, you create a custom JWT based on an ENV secret, and send that back to the client. Then on every request back to the API endpoints, you jsut verify the JWT. This is more scaleable, especially if you are going to use Sonicjs as a headless platform to manage content on a website and you will be hitting the API alot to get data. Below is some basic code. From what I can tell now, the way you verify the auth, which is just a session in the databsae, on the Bearer with Lucia is that every request to the API gets the bearer and checks it against the database session. This is very intensive and will slow things down alot.

EDIT: I might be missing something here though. Apparently, all the API endpoints are accessible by a client without authorization? If so, the authorization is just for the admin backend? In that case, Lucia is fine. But, the problem is that you need some way to restrict access to the actual api endpoints, like posts. There should be some sort of public access token that allows client side applications to access this. I'm not sure how this logic is handled in this repo

//route to generate JWT after successful login
app.get('/admin/token-generate', async (c) => {
  const payload = {
    sub: `${USER_ID}`,
    role: 'admin',
    //exp: Math.floor(Date.now() / 1000) + 60 * 5, // Token expires in 5 minutes 
  }
  const secret = `${c.env.API_SECRET}` //some super secret to sign
  const token = await sign(payload, secret)
  return c.text(`Hello. Here is your token:${token}`)
})

//route to verify token
app.use('/api/*', async (c, next) => {
  const headerToken = c.req.header('Authorization')
  if (!headerToken) {
    // No Authorization header
    const res = new Response('Unauthorized. No Authori', {
      status: 401,
    })
    throw new HTTPException(401, { res })
  } else {
    //verify the token and then verify the payload
    const tokenToVerify = headerToken.substring(7, headerToken.length);
    const secretKey = `${c.env.API_SECRET}`
    //if this doesn't match it will throw and cause an error
    try {
      const decodedPayload = await verify(tokenToVerify, secretKey)
      const payloadUser = decodedPayload.sub
      //verify the payload in some way, just an example, you would want to be sure the user acually exists
      const match = payloadUser === "some user"
      console.log("match bearer user", match)
      if (!match) {
        throw new Error('Unauthorized. Invalid user id.')
      } else {
        await next()
        return
      }

    } catch (e) {
      console.log("error bearer", e)
      const res = new Response(`Unauthorized. Invalid Bearer.`, {
        status: 401,
      })
      throw new HTTPException(401, { res })
    }
  }
})

[lane711]

hey @osseonews , thanks for you feedback:

Regarding your auth questions, please see here - does this answer your questions?

https://sonicjs.com/authentication
https://sonicjs.com/access-control

Upgrading dependencies - I do this periodically and a little behind ATM but will get to that asap.

[osseonews]

Yeah, thanks. Reviewed all that. Lucia 3.x would change the code quite a bit, btw from my quick look. Hono upgrade probably won't change much, but I think you would benefit alot from their new features, like client side code and better JSX. I'm still wondering if it's better to do the frontend like you did - it's a lot of work and not easy. Sort of reinventing the wheel on the frontend. Might be easier to use something like this, https://refine.dev/ - they already have a SQLite adaptor, so should work out of the box. I think you might be able to install it with Hono now, that they have client side abilities.