►
From YouTube: SvelteKit Authentication with Github OAuth - Tom Wilson
Description
👋🏻 Hello,
This is a workshop on how to set up cookie-based session authentication using SvelteKit.
SvelteKit is the new way to build Svelte Applications, it combines the client and server in a clean and seamless bridge so you can build your applications in complete flow.
For more details check out:
https://blog.hyper.io/sveltekit-authentication/
Workshop Completed Github Repository:
https://github.com/hyper63/sveltekit-auth-workshop
Thank you for taking the workshop!
A
A
So
with
all
that,
that's
what
we'll
learn
today.
It's
a
couple
caveats
one!
This
is
june
2nd
and
spelt
kit
is
still
in
beta.
So
some
of
these
things
may
change
in
the
future.
But
this
is
the
current
state
of
spelt
kit
as
of
june
2nd.
A
What
you
should
know
before
you
take
this
workshop
number
one
you
should
be
familiar
with
javascript
should
know
a
little
bit
about
the
fetch
api,
so
we're
going
to
use
the
fetch
api
quite
a
bit
and
if
you
don't
really
know
how
to
use
it,
I'll
have
a
link
to
go
check
out
the
documentation
of
fetch
and
we'll
be
using
version.
14
of
node.js,
we'll
just
make
sure
version.
A
A
All
right
so
getting
started,
we're
going
to
use
visual
studio
and
we're
actually
using
getpod.io.
Getpod.Io
is
a
great
toolkit.
It
allows
you
to
run
your
development
environment
in
the
cloud
using
visual
studio
code,
a
terminal
and
and
get
it's
it's
amazing,
and
it
works
in
sync
with
your
github
repository,
so
you
can
create
a
little
button
in
the
github
by
installing
an
extension
and
every
time
you
click
that
button,
it'll
launch,
git
pod
will
launch
a
project
in
get
pod.
I
o
definitely
encourage
you
to
check
that
out.
A
It's
made
my
life
much
much
simpler,
so
getting
started,
we're
going
to
use
the
spelt
command
line
and
again
since
swelt
kit
is
in
beta
the
command
line,
we're
going
to
do
createspell
using
npm.net
and
give
it
the
at
next
tag.
So
the
at
next
tag
will
let
us
know
that
we're
still
in
in
beta,
so
on
your
terminal
in
an
empty
directory.
A
So
the
first
question
is
the
directory
not
empty.
Do
we
want
to
continue,
and
the
answer
is
yes,
we
want
to
continue,
then
the
second
one
will
be
which
spelt
app
template.
Do
we
use
and
we're
going
to
use
the
skeleton
project?
The
skeleton
project
will
just
basically
give
us
an
empty
app.
The
spelt
kit
demo
app
is
awesome.
It
has
some
great
kind
of
example
code
in
there,
but
for
this
we're
just
going
to
use
the
skeleton
project
and
we're
going
to
just
say
no
to
typescript
no
to
eslint
and.
A
No
to
prettier,
okay,
so
now
we've
got
a
app
kind
of
set
up
for
svelte,
so
we
can
just
do
yarn.
You
could
use
npm
install,
but
I
am
really
used
to
using
yarn
so
we'll
use
yarn
to
pull
down
all
the
dependencies
and
build,
and
then
we
can
use
yarn
dev
to
run
our
application
now
with
git
pod.
I'm
going
to
open
this
in
the
preview
window,
which
should
give
us
a
little
browser
view
of
the
app
and
we're
going
to
set
that
to
the
side,
see.
A
Like
that
whoa
cool-
well,
let's
do
this:
let's
open
up
a
file
that
we're
going
to
be
working
on,
let's
go
ahead
and
just
open
up
routes,
index.spelt
and
then
split
the
screen
and
then
launch
the
browser.
A
So
we'll
launch
the
browser
preview.
There
we
go
all
right.
So
now
we
got
a
nice
little
split
screen
and
you
know
we
can
say
welcome
to
so
off
save
and
we
refresh.
We
can
see
this
now.
The
hot
module
reload
is
not
quite
set
up
here,
but
it
will
reload
as
you'll
see,
but
there's
a
little
trick
with
get
pod
to
get
all
the
web
sockets
firing.
But
we're
not
going
to
worry
about
that
right
now,
because
we're
going
to
focus
on
off.
A
The
easiest
way
to
do
that
is,
go
to
github
and
go
to
your
icon
and
go
to
settings
and
it
will
default
you
to
a
profile
page.
What
you
want
to
do
is
click
developer,
settings,
click
on
oauth,
apps
and
then
new
oauth
app
and
just
give
it
a
name.
I'm
going
to
call
mine
authy,
because
that
sounds
cute,
but
give
it
a
name.
And
then
what
we
want
to
do
is
give
it
a
home
page,
url
and
a.
A
Callback,
so
our
homepage
url
we're
going
to
just
do
htp,
calling
localhost
3000
and
then
the
callback
we're
going
to
do.
Http,
localhost,
3000,
slash,
call
and
we're
going
to
register
the
application,
and
that
will
take
you
to
the
application
view
screen
and
what
we
want
to
do
is
get
the
client
id.
A
So
we
want
to
copy
this
number
here
and
we'll
just
do
copy
and
then
we'll
go
to
our
terminal
and
I'm
going
to
create
a
well
we'll
go
to
our
file
folders
in
vs
code
and
we'll
create
a
new
file
in
the
root
directory.
So
we
want
to
be
in
the
root
directory:
do
a
new
file
and
we'll
call
it
dot
emb
and
in
that
dot,
emv
file,
we'll
open
it
up.
A
Stick
it
on
the
tab
here
and
we're
going
to
type
vipe
client
id
equals
and
then
we're
going
to
paste
that
id
in
there
now
we're
using
the
prefix
byte,
because
sveltkit's
built
on
vite
and
in
order
for
us
to
see
the
environment
variables,
we
need
to
use
byte
and
then
we're
going
to
add
another
one,
we'll
call
it
by
dot.
Client
secret
equals
and
we're
going
to
go
back
to
our
oauth
application
and
we're
going
to
click
generate
a
new
client
secret.
A
A
Static
directory
and
the
config
file
and
yarn
dot
dot.
Okay,
so
really
the
only
thing
we
didn't
want
to
add
is
dot
emv
and
the
npm
rc,
which
we
could
add
that
if
we
wanted
to
so
we're
going
to
create
a
branch
by
checking
out
dash
b
and
we're
going
to
call
this
branch
setup
and
we'll
just
do
one
dash
setup.
I
think
that'll
work,
okay
and
we're
going
to
commit.
A
First
code,
I
wanted
to
say
first
commit
oh
well,
you'll
get
the
the
gist
right
status
and
now
we're
going
to
push.
A
B
B
A
A
We
want
to
actually
use
that
on
the
server,
so
we're
going
to
use
the
endpoints
feature
of
spelt
kit
and
we're
going
to
create
a
file
called
login.js,
and
this
works
similarly
to
a
express
endpoint
if
you've
used
it's
the
express
framework
and
it
keeps
putting
these
files
over
here
up
over
here,
I
want
them
over
here.
Okay,
so
with
this,
if
we
do
slash,
login
swelt
kit
is
going
to
be
looking
for
a
particular
handler
function
in
this
file.
In
this
case,
a
get
and
you'll
notice
each
function
kind
of
matches
the
verb.
A
Okay.
So
now,
when
I
come
over
here,
I'm
going
to
refresh
just
to
make
sure
and
then
click
login.
I
get
hello.
So
when
I
click
the
login
button,
it
just
directs
me
to
this
endpoint
hello.
Now
what
we
want
to
do
is
we
want
to
build
a
redirect
url.
So
we
want
to
redirect
to
github
for
authorization.
A
So
in
order
to
do
that,
we
need
the
target
that
we
want
to
go
to
so
target
and
it's
going
to
be
equal
to
https
github.com
log
in
o.
A
Authorize
and
from
that
target
we
need
to
pass
it
a
couple
of
things.
We
need
to
pass
it
our
client
id
and
we
need
to
pass
it
a
state.
A
So
let's
pull
the
client
id
from
our
environment,
so
meta,
dot,
emb,
dot
by
client
id
and
then
we're
just
gonna
make
up
a
state
for
right
now
for
demo
purposes.
So
we're
gonna
call
this
our
session
id
and
we're
just
gonna
give
it
a
string
of
one
two.
Three
four.
B
A
So
now,
since
I'm
running
in
gitpod,
I
need
to
change
my
oauth
settings
a
little
bit
because
the
url
that
it
is
actually
on
is
a
little
bit
different
than
if
you
were
running
this
on
your
local
machine.
So
here
the
url
is
like
beige,
narwhal,
blah
blah
blah.
So
I
need
to
go
and
change
my
application
settings
to
that.
Url.
A
And
the
same
thing
with
my
callback
there
all
right,
so
I
think
I'm
good
to
go
now.
If
everything
works
out.
This
will
redirect
me
to
the
login
of
the
github
oauth
application.
So
when
I
click
login
using
github,
you
just
refresh
just
to
make
sure
everything's
loaded
great.
So
now
it's
taken
my
client
and
it
recognizes
this
app
authy
and
it's
asking
if
I
want
to
authorize
and
if
I
hit
authorize
authy
will
be
able
to
see
any
of
my
public
data.
A
That's
it!
That's
all
we
wanted
to
see.
So,
let's
select
authorize
now
what's
going
to
happen,
is
it's
going
to
try
to
call
callback,
but
callback
doesn't
exist
and
it's
passing
this
code?
So
that's
our
next
step
is
that
we
need
to
handle
that
callback
coming
back
from
github
and
I'm
going
to
see
if
this
simple
browser
works
because
that'll
be
easier
than
switching
back
and
forth
yeah.
I
didn't
think
it
would
work.
Maybe
I
don't
know
I
don't
know
why
it
won't
work,
we'll
just
switch
back
and
forth.
A
A
Let's
call
it
login
endpoint.
B
B
A
A
And
well,
push
to
github.
B
A
Okay,
so
now
we
need
to
add
a
callback
endpoint,
just
like
we
did
with
the
login
endpoint
we're
going
to
create
a
new
file
in
source
routes.
We're
going
to
call
it
callback.js
and
callback
is
actually
going
to
get
called
from
the
github
endpoint,
but
we
need
to
catch
it
with
the
same
handler
that
we
added
for
the
login.js
file,
export
a
sync
function,
get
and
we'll
get
a
request
back
and
then
what
we
want
to
return
is
some
response
right
like
that.
A
So
we're
going
to
get
a
code
and
we're
going
to
use
that
code
in
our
client
and
secret
id
and
make
another
call
to
github
to
give
us
an
access
token.
So
that'll
be
this
three-legged
handshake
with
the
identity
server
so
that
we
can
access
the
api
so
we're
gonna.
Do
client
id
equals
import
meta
environment
by
client.
A
And
then
we
need
the
target
url
that
we're
going
to
call
to
get
the
token.
So,
let's
just
call
this
token
url
and
that's
going
to
be
https
github
dot,
com,
log
in
oauth
access
token.
A
A
A
Those
are
all
the
headers
we
want
to
send.
Finally,
we
need
to
send
a
body
and
that
body
we're
going
to
go
ahead
and
stringify,
and
it's
going
to
be
the
client
id
and
that'll
be
our
client
id
and
the
client
secret
and
that'll
be
our
secret
and
then
finally,
our
code,
okay
and
when
it
comes
back,
it's
going
to
come
back
as
a
response.
A
So
we
want
to
handle
that
here
and
do
a
then
and
convert
that
body
of
that
response
to
json
and
then
we're
going
to
just
pop
off
that
body
of
response
will
have
a
couple
of
different
properties
and
what
we're
going
to
do
is
get
the
access,
token
property,
so
we're
just
going
to
call
r
dot
access
token,
and
you
may
want
to
dig
in
further
to
look
at
all
the
other
properties,
especially
if
you
want
to
use
the
github
api
for
stuff.
A
B
A
Look
we've
already
got
a
token,
but
we
can
start
from
the
beginning
and
we
log
in
using
github
and
we
get
a
token
pretty
cool,
so
that
works
great
and
then
the
next
thing
is.
Is
we
want
to
get
the
user
info
now
that
we
have
the
access
token?
We
can
get
the
user
information.
A
A
A
Api.Github.Com,
user,
okay,
pretty
straightforward,
so
we'll
use
user
url
and
we're
going
to
give
it
some
headers
mainly
accept
what
we
will
accept
is
json
back
and
we
want
to
authorize
this
request
with
a
bearer
token
and
our
token
okay,
and
then
we
want
to
grab
the
response,
and
so
finally,
up
here
we're
going
to
do
json,
stringify
user,
common
null,
comma
2..
A
Maybe
that'll
give
us
a
a
simple,
pretty
print
here.
Okay,
so
we've
got
our
main
screen.
We
hit
log
in
using
github
and
when
it
comes
back
we
get
the
user.
So
we
actually
get
the
login
user.
With
all
the
public
information
pretty
cool,
we
are
making
progress.
We
have
logged
into
github
using
our
application,
but
we
don't
want
to
print
the
user.
A
A
All
right,
let's
go
ahead
and
fire
up
well
we're
going
to
have
to
install
some
things.
Let's
don't
do
that
yet,
okay!
So
that's
our
callback,
pretty
cool!
We
get
a
code
back
from
github,
then
we
call
github
to
give
us
an
access
token,
and
then
we
use
that
token
to
get
our
user
and
now
we're
just
sort
of
printing
the
user
out.
A
But
what
we
really
want
to
do
is
set
up
a
session
and
we're
going
to
just
use
the
user
login
information
as
a
unique
identifier
to
indicate
that
there's
a
session.
So
we
can
kind
of
store
it
on
the
cookie
and
it
will
be
public
information,
but
it
won't
be
anything
that
anyone
could
use
to
access
anything.
So
it's
a
good
way
to
demo
this.
A
A
So
we're
going
to
create
a
new
file
called
hooks.js
and
in
that
new
file,
we're
going
to
create
a
handler
called
export
sync
function,
handle
and
this
handler
will
be
a
middleware
kind
of
feature
where
we
can
do
some
stuff
before
the
request
goes
to
one
of
our
endpoints
and
then,
when
it's
resolved
we
can
do
some
stuff.
After
so
when
the
handle
gets
called.
It
gives
us
an
object,
and
on
that
object
we
have
a
request,
object
and
a
resolve
function.
A
Await
resolve
request
and
that
function
actually
will
do
all
the
processing
that's
going
on
now,
so
that
functional,
depending
on
the
route,
go
to
the
right
route,
whether
it's
login
index
or
callback,
and
that's
going
to
happen
when
we
call
resolve
requests.
So
here
we
can
kind
of
do
stuff
before
that,
and
here
we
can
do
stuff
after
so.
A
The
first
thing
we
want
to
do
is
set
a
cookie.
So
after
this
response
we
want
to
set
an
http
only
cookie,
which
can
only
be
modified
in
the
server
but
does
go
to
the
client
and
comes
back
so
we're
going
to
call
response.headers
and
we're
going
to
say,
set
cookie
and
we're
going
to
set
that
equal
to
a
string,
and
that
string
is
going
to
have
a
user
and
we're
going
to
need
something
here
and
then
it's
going
to
have
a
path.
A
And
that's
going
to
be
equal
to
root,
so
that
just
means
in
you
know,
put
this
cookie
on
every
single
path
on
the
origin
and
then
we're
going
to
set
it
to
http
only
and
that's
very
important
because
we
want.
A
We
do
not
want
people
to
be
able
to
change
the
value
here.
So
we
need
a
way
to
set
this
user
up.
So
when
we
do
the
login,
we
can
actually
mutate
the
request
locals
object
and
set
it
give
it
some
properties
and
that's
what
we'll
do
is
we're
going
to.
A
Then,
once
we've
got
the
user
property
set,
we're
going
to.
A
A
A
A
So
we're
going
to
say,
requests
dot,
headers,
dot,
cookie
and
if
that
doesn't
exist,
we're
just
gonna
set
this
to
empty
and
then
just
to
see
how
we're
doing
here,
let's
go
ahead
and
just
console.
A
Well,
let's
do
yeah
console
log.
A
Okay,
that
should
give
us
enough
to
see
how
this
thing
works
or
to
debug
any
bugs
that
we've
created
here
all
right,
so
we're
running
our
server.
And
now,
if
we
go
back
to
the
main
page,
we
should
get.
You
know
our
button
and
we
click
our
button.
We're
going
to
do
our
authentication,
it's
going
to
go
to
the
callback
it's
going
to
set
the
cookie
and
then
it's
going
to
come
back
to
the
screen.
So
if
everything
works
right,
it's
going
to
look
like
nothing
happened,
right,
go
figure!
A
So
let's
try
that
log
in
we
click
does
some
stuff
and
it
comes
back
here.
So
that's
a
good
sign.
That
means
nothing
happened,
and
here
we're
logging,
this
user
cookie,
and
you
can
see
it's
undefined,
it's
empty
empty
and
oh
there
it
is
t
wilson
63.,
so
the
cookie
was
set
and
when
it
came
back
a
second
time
to
show
the
main
page
from
the
redirect,
we
can
see
that
it's
set
in
this
cookie
user's
thing.
A
A
Request.Locals.User
equals
cookies.user
right
and
now
we
can
kind
of
pass
that
around.
So
now,
when
we
go
to
another
page,
we
can
access
that
as
a
session,
but
there's
one
more
step
to
get
there
and
that's
still
in
this
hooks
file.
We
need
to
add,
what's
called
a
get
session
function
and
this
get
session
function
basically
allows
us
to
pull
anything
from
the
request
and
add
it
in
a
little
session
object
so
that
it's
just
easier
to
get
at
in
our
page
routes.
So,
let's
create
that.
A
A
Okay,
now,
let's
go
to
our
index
page
and
if
the
user
is
logged
in,
let's
hide
the
login
from
with
github
button
and
show
a
log
out
button
that
would
be
pretty
cool.
A
A
A
That
session
comes
straight
from
that
get
session
and
then
we're
going
to
just
return
some
props
and
we'll
call
it
user
and
set
it
to
session
user
like
that,
pretty
cool.
So
if
all
that
worked,
we
should
see
my
login
name
on
the
main
page.
So
if
we
hit
refresh-
and
we
don't
so-
let's
log
in
with
github-
and
we
do
cool
so
welcome-
t
wilson,
63
and
then
we
have
log
out
which
log
out
is
not
found
pretty
cool
and
now,
if
we
refresh
we're
logged
in
right,
which
is
really
nice.
A
Okay.
So
let's
go
ahead
and
check
that
code
in
because
it's
working,
it's
always
good
to
check
in
code.
When
it's
working,
I'm
going
to
call
this
number
four,
let's
just
make
sure.
B
A
Like
so
cool
okay,
so
we
got
a
log
out
button.
Let's
implement
a
log
out
endpoint
handler
and
that's
super
easy,
probably
have
an
idea
of
how
to
do
that
now.
So
we
in
our
routes,
folder,
we
create
a
logout.js
file
and
in
that
logout.js
file,
we're
going
to
export
a
sync
function
called
get
and
it's
going
to
take
a
request
object
and
what
we
want
to
do
is.
A
Let's
see
we
want
to
just
go
back
to
the
home
page,
okay,
so
that's
going
to
clear
out
that
local
user,
then
it's
going
to
come
into
our
hooks,
handle
method
and
in
this
case
local
user
will
be
null.
So
that's
going
to
make
it
blank
so
set
cookie.
Will
blank
out
the
username
return,
the
response
and
then,
when
it
reloads
the
home
page,
it's
going
to
parse
the
cookie
header
and
it's
going
gonna
find
that
it's
blank,
so
this
cookies
will
be
undefined
and
we
could
just
make
it
a
little
bit
clearer.
A
A
B
A
A
B
A
A
B
A
Okay,
so
that's
pretty
much
it
the
one
last
thing
I
want
to
show
you
is
how
you
might
go
about
protecting
a
list
of
routes
right,
so
you
may
have
a
set
of
routes
like
an
admin
section
or
a
pacific
section
that
you
want
to
protect
or
maybe
pacific
routes
you
want
to
protect,
or
vice
versa.
You
may
only
want
some
routes
unprotected
and
everything
else
protected.
A
So,
instead
of
going
to
each
page
and
doing
a
check
like
if
user,
you
know
every
single
time,
you
can
take
advantage
of
the
svelte
kit
layout
page,
which
wraps
all
the
pages
in
the
route.
So
we
can
create
a
new
file
and
we
do
underscore
underscore
layout.js
and
this
file
actually
wraps
around
all
of
the
page
requests.
A
We
can
just
basically
you
know
do
this:
if
well,
oh
yeah,
it's
not
layout.js,
it's
layout.spell,
because
it's
a
small
component,
much
better,
okay.
So
basically,
what
we're
doing
here
is.
A
If
the
page.path
starts
with
slash
admin
and
something
else
and
session
user
is
empty
right
and
we
could
change
that
and
say
because
we
know
session
user
will
be
null,
so
we
can
just
say
not
equal
to
null.
A
Is
null
right,
then
we
want
to
redirect
to
the
home
page
otherwise
go
through
and
we'll
just
return,
props
and
then
it'll
go
to
each
individual
page
and
do
whatever
it
needs
to
do
so.
That's
kind
of
how
you
can
protect
your
pages
using
this
mode
of
authentication.
A
And
let's
see
now,
it
might
not
work
with
this
demo
because
we
don't
have
an
admin
page,
let's
see
so
here
we
go
admin.
We
could
create
one
yeah
yeah,
so
we
would
have
to
create
one
blah
blah
blah,
but
I
think
you
get
the
point
you
can
definitely
play
around
with
it.
A
But
if
we
go
home
and
we
log
in
and
then
we
go
to
an
admin
page,
we
can
check
that
and
you
can
definitely
play
around
with
that
and
see
how
it
goes
and-
and
you
can
do
all
kinds
of
things-
we're
just
using
a
regex
and
test.
But
you
could
do
an
array
of
pass
and
doing
includes
you
know
what
whatever
you
want
to
do
there,
but
that
should
give
you
some
idea
on
how
you
can
protect
your
your
routes
and
then
your
endpoints.
A
A
And
cool
so
that
concludes
the
workshop.
Hopefully
you
learned
something
there
will
be
a
post
that
goes
through
the
same
process.
If
you
just
check
the
description
and
again,
I
think
it's
really
cool
really
well
done
how
the
spelt
kit
team
has
put
together
kind
of
this.
A
Really
nice
well
thought
out,
process
between
server
and
client
not
allow
you
to
operate
in
both
contexts
within
components
and
endpoints
and
give
you
just
a
really
simple
kind
of
set
of
functions
in
this
hooks
object
to
manage
kind
of
some
of
these
pieces,
so
give
it
a
try.
Let
me
know
what
you
think
and
yeah.
I
hope
you
have
fun
with
it.
Thanks
for
your
time,
see
you.