Civic Docs
Civic Auth
Civic PassCivic AuthCivic Docs
Civic Auth
Civic PassCivic AuthCivic Docs
  • 🔏Civic Auth
  • Integration
    • React
    • Next.JS
    • Node.JS
      • Express
      • Hono
      • Fastify
    • Other OIDC / OAuth 2.0-Compliant Environments
    • FAQs
    • Error Codes
  • Auth Pricing
  • Web3
    • Embedded Wallets
    • Auth + Embedded Wallets Pricing
    • Ethereum / EVM
    • Solana
Powered by GitBook
On this page
  • 1. Install dependencies
  • 2. Configure your App
  • 3. Set up Cookies
  • 4. Create a Login Endpoint
  • 5. Create the Callback Endpoint
  • 6. Create a Logout Endpoint
  • 7. Add Middleware
  • 8. Use the Session
  • PKCE and Client Secrets

Was this helpful?

  1. Integration
  2. Node.JS

Hono

Follow these simple steps to set up Civic Auth with a Hono backend (a working example is available in our github examples repo).

1. Install dependencies

npm install @civic/auth
yarn add @civic/auth
pnpm install @civic/auth
bun add @civic/auth

2. Configure your App

Your app will need the following configuration:

const config = {
  clientId: // Client ID from auth.civic.com
  redirectUrl: 'http://localhost:3000/auth/callback', // change to your domain when deploying
  postLogoutRedirectUrl: 'http://localhost:3000/' // The postLogoutRedirectUrl is the URL where the user will be redirected after successfully logging out from Civic's auth server.
};

Note: redirectUrl and postLogoutRedirectUrl must be absolute URLs.

3. Set up Cookies

Civic Auth uses cookies for storing the login state by default

import { Context } from 'hono';
import { getCookie, setCookie } from 'hono/cookie';
import { CookieStorage, CivicAuth } from '@civic/auth/server';

class HonoCookieStorage extends CookieStorage {
  constructor(private c: Context) {
    super();
  }

  async get(key: string) {
    return getCookie(this.c, key) ?? null;
  }

  async set(key: string, value: string): void {
    setCookie(this.c, key, value);
  }
}

// Middleware to attach CookieStorage and civicAuth API to each request
app.use('*', async (c, next) => {
  const storage = new HonoCookieStorage(c)
  c.set('storage', storage);
  c.set('civicAuth', new CivicAuth(storage, config));
  return next();
});

4. Create a Login Endpoint

This endpoint will handle login requests, build the Civic login URL and redirect the user to it.

import { buildLoginUrl } from '@civic/auth/server';

app.get('/', async (c) => {
  const url = await c.get('civicAuth').buildLoginUrl();

  return c.redirect(url.toString());
});

5. Create the Callback Endpoint

This endpoint handles successful logins and creates the session

import { resolveOAuthAccessCode } from '@civic/auth/server';

app.get('/auth/callback', async (c) => {
  const code = c.req.query('code') as string
  const state = c.req.query('state') as string

  await c.get('civicAuth').resolveOAuthAccessCode(code, state);
  return c.redirect('/admin/hello');
});

6. Create a Logout Endpoint

This endpoint will handle logout requests, build the Civic logout URL and redirect the user to it.

import { buildLogoutRedirectUrl } from '@civic/auth/server';

app.get('/auth/logout', async (req: Request, res: Response) => {
  const url = await c.get('civicAuth').buildLogoutRedirectUrl();
  res.redirect(url.toString());
});

7. Add Middleware

Middleware protects routes that require login.

import { isLoggedIn } from '@civic/auth/server';

// Apply authentication middleware to any routes that need it
app.use('/admin/*', async (c, next) => {
  if (!c.get('civicAuth').isLoggedIn()) return c.text('Unauthorized', 401);

  return next();
});

8. Use the Session

If needed, get the logged-in user information.

import { user } from '@civic/auth/server';

app.get('/admin/hello', async (c) => {
  const user = await c.get('civicAuth').getUser();
  return c.text(`Hello, ${user?.name}!`);
});

PKCE and Client Secrets

Civic Auth uses PKCE (Proof Key for Code Exchange), to protect users and clients from unauthorized access to user information. This, alongside domain registration for apps in production environments, mean that you don't need to provide a client secret in your backend.

When using the Civic Auth SDK, PKCE is handled entirely by the library.

PreviousExpressNextFastify

Last updated 11 days ago

Was this helpful?