v0.13.0: What's new?

[pilcrowonpaper]

Fixed critical security issue with v0.13.1 - Please use v0.13.1

Hello!

Sorry about the pushing another semi-major update, but had some good feedback so I wanted to implement them immediately.

Major changes

Handle sessions inside hooks

Lucia will now read, validate, and renew sessions inside hooks, handled by handleHooks(). Previously it was inside the root layout server load function using handleServerSession(). This means Lucia will automatically validate your requests as well as renew requests using expired sessions. handleServerSession() will read the session data, fetch the user, and pass that data to your load functions and the client.

locals.getSession()

This is the new way of getting the session in the server. No more validateRequestEvent() and try catch blocks.

export const load: PageServerLoad = async ({ cookies, locals }) => {
	const session = locals.getSession();
	if (!session) throw redirect(302, '/login');
};

transformUserData()

By default, the user object will only have userId, regardless of if you have additional columns stored in the user table. You can configure transformUserData() to transform the raw database data to the user object.

export const auth = lucia({
	transformUserData: (userData) => {
		return {
			userId: userData.id,
			username: userData.username
		}
	}
});

Renamed userData to attributes

userData was a vague, confusing name so I'm happy that it's getting a proper name. This means all instance of userData have changed: userData for createUser() is now attributes, updateUserData() is now updateUserAttributes(), etc. This change also affects adapters.

Adapters: setUser() returns the created user

Previously it returned the user id of the created user. Should be a quick fix.

Removed validateRequestEvent()

validateRequest() has been added back by this does NOT attempt to renew the session.

Migration

First, update your adapter to the latest version. Aside from the changes above, the Lucia namespace has changed.

Export the type of auth:

export const auth = lucia();

export type Auth = typeof auth

And in app.d.ts:

/// <reference types="lucia-sveltekit" />
declare namespace Lucia {
	type Auth = import('$lib/server/lucia.js').Auth;
	type UserAttributes = {}
}

/// <reference types="@sveltejs/kit" />
declare namespace App {
	interface Locals {
		getSession: import("lucia-sveltekit/types").GetSession
	}
}

The path in import('$lib/server/lucia.js').Auth is where you exported auth (lucia()), while UserAttributes is the old UserData. Locals should configured as well.

Changelog

• [Breaking] handleHooks() automatically validates and renew session
• [Breaking] User is { userId: string } by default - additional data stored in user table are no longer automatically added
• [Breaking] Renamed userData fields to attributes for createUser()
• [Breaking] Renamed updateUserData() to updateUserAttributes()
• [Breaking] setUser() adapter method returns User instead of user id
• [Breaking] Renamed Lucia.UserData to Lucia.UserAttributes
• [Breaking] Renamed userData to attributes field for updateUser() adapter method
• [Breaking] Lucia.Auth and Lucia.UserAttributes type must be configured for transformUserData()`
• [Breaking] Removed validateRequestEvent() method
• [Breaking] setUser() adapter method returns created User instead of user id
• Added validateRequest() method
• New transformUserData() config

Edit: Fixed issue where hooks wasn't validating request origin. I remember fixing this issue but it seems it wasn't saved? Nonetheless, really sorry about this! I'm will be extra careful moving forward but I think this shouldn't be an issue since it was fixed in 5 minutes since release.

[pilcrowonpaper]

Also, with this update I'm pretty satisfied with Lucia so unless there's a major change in SvelteKit or I think of something major, there likely won't be a major update for a while.

[dawidmachon]

For that update, whole docs ned to be reviewed again and updated. Because in a lot places there are informations about UserData still ;)

[pilcrowonpaper]

Thanks for pointing that out!

[pilcrowonpaper]

@dawidmachon
I think I removed all references to the old UserData

[dawidmachon]

Thanks for your hard work. ;)