Set Up Robust Auth & Session Management with WeWeb and Xano

I’m working on implementing secure, state-of-the-art session management in my web app using WeWeb and Xano. My goals are:

  1. Enable secure, user-friendly session management.
  2. Allow insights into user behavior for analytics purposes.

Options for Authentication in WeWeb

WeWeb offers two authentication options, each with pros and cons:

1. Token-Based Authentication

  • Pros:
    • Supports access_token and refresh_token, which aligns with security best practices and enables robust session management.
    • Allows users to manage their sessions effectively.
  • Cons:
    • WeWeb limits this method to one endpoint for login, signup, and token refresh. This restriction prevents me from managing multiple datasources or branches in Xano (e.g., staging, production, etc.).
  • Possible Workarounds:
    1. Submit a Feature Request: Request WeWeb to enable support for multiple endpoints, allowing flexibility across development, staging, and production (similar to Xano Auth).
    2. Use One Branch Temporarily: Accept the single branch/datasource limitation for now and work within a single Xano environment until WeWeb offers broader support.

2. Xano Auth

  • Pros:
    • Supports multiple datasources and branches in Xano, making it more flexible across environments.
  • Cons:
    • Lacks native support for access_token and refresh_token, which I need for secure session management and tracking.
  • Potential Workarounds:
    1. Use Xano Middleware:
       • Store both tokens: Save the refresh_token within the access_token in Xano and secure both in WeWeb using “Store auth token.”
       • Token Handling in Middleware:
         • Every request to Xano includes both tokens from WeWeb.
         • Xano middleware checks if the access_token is valid.
           • If valid: Proceed with the request.
           • If invalid and refresh_token is still valid, issue a new access_token.
       • Challenges:
         • Middleware needs to differentiate between protected and unprotected endpoints.
         • Xano may throw an error when the access_token is invalid, which could interfere with refreshing it even if the refresh_token is still active.

3. Other ideas?

Open to suggestions on better handling of token management in general using WeWeb & Xano, especially if someone has experience with a similar setup.

Would appreciate insights from anyone who’s tackled similar challenges!

Thanks in advance!
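The middleware flow the post sketches, written out as an added example (not WeWeb's or Xano's code, and not posted by anyone in the thread): HMAC-signed access and refresh tokens carrying a `typ` and `exp` claim, a public-endpoint allow-list so login/signup skip the check, and a refresh step that runs only after the access token fails. The secret, TTLs, user id and endpoint paths are constructed placeholders; the two tokens are passed as separate fields rather than bundled into one "Store auth token" value.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-secret"   # placeholder: never hard-code a real signing key
ACCESS_TTL = 900                      # 15 minutes (assumed values)
REFRESH_TTL = 86400                   # 24 hours
PUBLIC_ENDPOINTS = {"/auth/login", "/auth/signup"}  # unprotected paths the middleware must skip

def _sign(payload: dict) -> str:
    """Serialise claims and append an HMAC-SHA256 tag: '<b64 body>.<hex tag>'."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def issue_token(user_id: str, kind: str, ttl: int, now: int) -> str:
    """Mint an 'access' or 'refresh' token; 'typ' stops one kind being used as the other."""
    return _sign({"sub": user_id, "typ": kind, "exp": now + ttl})

def verify_token(token: str, kind: str, now: int):
    """Return the claims if signature, token type and expiry all check out, else None."""
    try:
        body, tag = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims.get("typ") != kind or claims.get("exp", 0) <= now:
        return None
    return claims

def middleware(path: str, access_token: str, refresh_token: str, now: int) -> dict:
    """Decide whether the request proceeds; returns a fresh access token when refreshed."""
    result = {"allow": False, "user": None, "new_access_token": None}
    if path in PUBLIC_ENDPOINTS:              # unprotected endpoint: no token needed
        return {**result, "allow": True}
    claims = verify_token(access_token, "access", now)
    if claims:                                # valid access token: proceed as-is
        return {**result, "allow": True, "user": claims["sub"]}
    claims = verify_token(refresh_token, "refresh", now)
    if claims:                                # access token failed but refresh is still good
        fresh = issue_token(claims["sub"], "access", ACCESS_TTL, now)
        return {"allow": True, "user": claims["sub"], "new_access_token": fresh}
    return result                             # both invalid: reject, client must log in again
```

A caller in front of the endpoint would return the `new_access_token` to WeWeb so it can replace the stored value instead of surfacing the invalid-token error.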

We actually had a pretty nice discussion about this in our Discord group, even a Xano expert got involved as well 🙂 Just gonna leave the link here.
