Auth and Social Login
Authentication is a critical component of modern web applications, yet implementing it correctly can be challenging and error-prone. AIScript simplifies this process with built-in authentication directives that handle complex security flows while maintaining type safety throughout the authentication process.
Authentication Options
AIScript provides several authentication mechanisms out of the box:
- JWT Authentication: Secure token-based authentication
- Basic Authentication: Simple username/password authentication
- SSO (Single Sign-On): Integration with social login providers like Google, GitHub, and more
JWT
JSON Web Tokens (JWT) provide a stateless authentication mechanism that's perfect for APIs and single-page applications. AIScript makes JWT implementation straightforward with the @auth
directive.
post /signin {
body {
username: str,
password: str,
}
// Verify username and password correctly
use std.auth.jwt;
// Create payload with claims
let payload = {
sub: body.username,
};
// Create access token that expires in 1 hour (3600 seconds)
let token = jwt.create_access_token(payload, 3600, "your-secret");
return { token };
}
@auth
get /ask {
query {
@string(min_len=5, max_len=50)
question: str
}
ai fn ask_llm(question: str) -> str {
return prompt question;
}
let answer = ask_llm(query.question);
return { answer };
}
When a route is decorated with @auth
, AIScript automatically:
- Verifies the JWT token from the
Authorization
header
- Rejects requests with invalid or expired tokens
- Makes the decoded token payload available within the route handler
Configure JWT settings in your project.toml
:
[auth.jwt]
secret = "your-secret"
expiration = 3600 # Token expiration time in seconds
For enhanced security, use environment variables for sensitive values like the JWT secret.
Basic Auth
For simpler use cases or admin interfaces, AIScript provides basic authentication with the @basic_auth
directive:
@basic_auth
post /guess {
body {
@number(min=1, max=100)
magic: int = 1
}
let result = "Try again!";
if body.magic == 42 {
result = "You guessed it!";
}
return { result };
}
The @basic_auth
directive validates username and password credentials according to your configuration.
Configure basic authentication in your project.toml
:
[auth.basic]
username = "admin"
password = "123456" # Use environment variables for production
Social Login with SSO
AIScript makes implementing social login seamless with the @sso
directive. This handles the complex OAuth flows required by providers like Google, GitHub, or Microsoft.
Setting Up Google Authentication
- Configure the provider in your
project.toml
:
[sso.google]
client_id = "123" # Your Google OAuth client ID
client_secret = "abc" # Your Google OAuth client secret
redirect_url = "http://localhost:8080/auth/google/callback"
scopes = ["email", "profile"]
- Create an authorization endpoint:
@sso(provider="google")
get /auth/google {
let url = sso.authority_url();
print(url);
return temporary_redirect(target=url);
}
- Implement the callback endpoint:
@sso(provider="google")
get /auth/google/callback {
query {
code: str,
state: str,
}
print("code", query.code);
print("state", query.state);
let user_info = sso.verify(code=query.code);
print(user_info);
return { user_info };
}
When a user visits /auth/google
, they'll be redirected to Google's authentication page. After successful authentication, Google redirects back to your /auth/google/callback
endpoint with an authorization code. The sso.verify()
function exchanges this code for an access token and retrieves the user's profile information.
Supporting Multiple Providers
AIScript supports multiple SSO providers simultaneously. Simply add additional configurations in your project.toml
:
[sso.github]
client_id = "456"
client_secret = "def"
redirect_url = "http://localhost:8080/auth/github/callback"
scopes = ["user:email"]
[sso.microsoft]
client_id = "789"
client_secret = "ghi"
redirect_url = "http://localhost:8080/auth/microsoft/callback"
scopes = ["User.Read"]
Then create corresponding route handlers for each provider:
@sso(provider="github")
get /auth/github {
return temporary_redirect(target=sso.authority_url());
}
@sso(provider="github")
get /auth/github/callback {
query { code: str, state: str }
let user_info = sso.verify(code=query.code);
return { user_info };
}
Conclusion
AIScript's authentication directives simplify the implementation of secure authentication flows without sacrificing flexibility. Whether you need simple password-based authentication or complex multi-provider SSO, AIScript provides the tools to implement authentication with minimal boilerplate while maintaining type safety throughout the process.
By abstracting away the complex security details, AIScript lets you focus on building your application logic while ensuring your authentication implementation follows security best practices.