docs: Document serverpod_auth_email setup and migrating from serverpod_auth to the new provider using serverpod_auth_migration

tp · tp · commit e2f365bbeaeb · 2025-06-30T19:26:27.000+02:00
Closes serverpod/serverpod#3663
diff --git a/docs/06-concepts/11-authentication/01-setup_new.md b/docs/06-concepts/11-authentication/01-setup_new.md
@@ -0,0 +1,197 @@
+# Setup (`serverpod_auth_*`)
+
+Serverpod comes with built-in support for authentication. It is possible to build a [custom authentication implementation](custom-overrides), but the recommended way to authenticate users is to use one of the provided `serverpod_auth_*` modules. The modules make it easy to authenticate with email or social sign-ins and currently supports signing in with email, Google, Apple, and Firebase.
+
+Future versions of the authentication module will include more options. If you write another authentication module, please consider [contributing](/contribute) your code.
+
+We provide the following packages of ready-to use authentication providers. They all include a basic user profile courtesy of `serverpod_auth_profile`, and session management through `serverpod_auth_session`.
+
+|Package|Functionality|
+|-|-|
+|`serverpod_auth_email`|Ready to use email authentication.|
+|`serverpod_auth_apple`|Ready to use "Sign in with Apple" authentication.|
+|`serverpod_auth_google`|Ready to use "Sign in with Google authentication.|
+
+If you would like the basic authentication offered by these packages, but combine them with a different approach to session management or another kind of user profile have [a look at the underlying packages below](#low-level-building-blocks).
+
+## Sessions
+
+When using any of the "ready-to-use" authentication providers listed above, session management based on `serverpod_auth_session` is already included.
+
+Just follow any of the individual authentication provider guides to set the `AuthSessions`' `authenticationHandler` on your `Serverpod` instance.
+
+## Email
+
+To get started with email based authentications, add `serverpod_auth_email` to your project. This will add a sign-up flow with email verification, and support logins and session management (through `serverpod_auth_session`). By default, this adds user profiles for each registration through `serverpod_auth_profile`.
+
+The only requirement for using this module is having a way to send out emails, so users can receive the initial verification email and also request a password reset later on.
+
+
+### Server setup
+
+Add the module as a dependency to the server project's `pubspec.yaml`.
+
+```sh
+$ dart pub add serverpod_auth_email_server
+```
+
+
+As the email auth module does not expose any endpoint by default, but rather just an [`abstract` endpoint](../working-with-endpoints#endpoint-method-inheritance), a subclass of the default implementation has to be added to the current project in order to expose its APIs to outside client.
+
+For this add an `email_account_endpoint.dart` file to the project:
+
+```dart
+import 'package:serverpod_auth_email_server/serverpod_auth_email_server.dart'
+    as email_account;
+
+/// Endpoint for email-based authentication.
+class EmailAccountEndpoint extends email_account.EmailAccountEndpoint {}
+```
+
+In this `class` `@override`s could be used to augment the default endpoint implementation.
+
+Next, add the authentication handler to the Serverpod instance.
+
+```dart
+import 'package:serverpod_auth_email_server/serverpod_auth_email_server.dart';
+
+void run(List<String> args) async {
+  var pod = Serverpod(
+    args,
+    Protocol(),
+    Endpoints(),
+    authenticationHandler: AuthSessions.authenticationHandler, // Add this line
+  );
+
+  ...
+}
+```
+
+In order to generate server and client the code for the newly added endpoint, run:
+
+```bash
+$ serverpod generate
+```
+
+Additionally the database schema will need to be extended to add new tables for the email accounts. Create a new migration using the `create-migration` command.
+
+```bash
+$ serverpod create-migration
+```
+
+As the last step, the email authentication package needs to be configured.  
+For this set the `EmailAccounts.config` (from package `serverpod_auth_email_account_server`), which contains the business logic used by the endpoint. This configuration should be added before the `await pod.start();` call. Callbacks need to be provided for at least `sendRegistrationVerificationCode` and `sendPasswordResetVerificationCode`, while the rest can be left to their default values.
+
+```dart
+import 'package:serverpod_auth_email_server/serverpod_auth_email_server.dart';
+
+  EmailAccounts.config = EmailAccountConfig(
+    sendRegistrationVerificationCode: (
+      final session, {
+      required final email,
+      required final accountRequestId,
+      required final verificationCode,
+      required final transaction,
+    }) {
+      // Send out actual email with the verification code
+    },
+    sendPasswordResetVerificationCode: (
+      final session, {
+      required final email,
+      required final passwordResetRequestId,
+      required final transaction,
+      required final verificationCode,
+    }) {
+      // Send out actual email with the verification code
+    },
+);
+```
+
+If you're not hosting on Serverpod Cloud, you might consider an email sendout provider like [Mailjet](https://www.mailjet.com/) or [SendGrid](https://sendgrid.com/en-us).
+
+It is up to the application to decide how to use the callbacks. Basically there are 2 primary approaches possible:
+- Send out the `verificationCode` and require that the client initiating the request completes the operation (account creation or password reset). In that case the user could copy/paste or retype the (short) verification into a form on the client.
+- Alternatively emails could contain a deep link with both the respective request ID and the verification code, which would then even support them being opened on any device (e.g. on a desktop, even if the original request was made on mobile).
+
+Additionally you need to update the `passwords.yaml` file to include secrets for both `serverpod_auth_session_sessionKeyHashPepper` and `serverpod_auth_email_account_passwordHashPepper`.  
+These should be random and at least 10 characters long. These pepper values must not be changed after the initial deployment of the server, as they are baked into every session key and stored password, and thus a roatation would invalidate previously created credentials.
+
+After a restart of the Serverpod the new endpoints will be usable from the client.
+
+### Client setup
+
+First, add a dependency on `serverpod_auth_session_flutter` to your app's `pubspec.yaml`, to be able to make use of the sessions generated by the newly created email endpoint.
+
+```yaml
+dependencies:
+  flutter:
+    sdk: flutter
+  serverpod_flutter: ^3.0.0
+  auth_example_client: # You generated client, name may differ
+    path: ../auth_example_client
+  
+  serverpod_auth_session_flutter: ^3.0.0 # Add this line
+``` 
+
+Next, add the `SessionManager` to your app, passing it to the generated Serverpod `Client`.
+
+```dart
+import 'package:serverpod_auth_session_flutter/serverpod_auth_session_flutter.dart' show SessionManager;
+
+late SessionManager sessionManager;
+late Client client;
+
+void main() async {
+  // Need to call this as we are using Flutter bindings before runApp is called.
+  WidgetsFlutterBinding.ensureInitialized();
+
+  // The session manager keeps track of the signed-in state of the user. You
+  // can query it to see if the user is currently signed in and get information
+  // about the user.
+  sessionManager = SessionManager();
+  await sessionManager.init();
+
+  // The android emulator does not have access to the localhost of the machine.
+  // const ipAddress = '10.0.2.2'; // Android emulator ip for the host
+
+  // On a real device replace the ipAddress with the IP address of your computer.
+  const ipAddress = 'localhost';
+
+  // Sets up a singleton client object that can be used to talk to the server from
+  // anywhere in our app. The client is generated from your server code.
+  // The client is set up to connect to a Serverpod running on a local server on
+  // the default port. You will need to modify this to connect to staging or
+  // production servers.
+  client = Client(
+    'http://$ipAddress:8080/',
+    authenticationKeyManager: sessionManager,
+  )..connectivityMonitor = FlutterConnectivityMonitor();
+
+  runApp(MyApp());
+}
+```
+
+### User consolidation
+
+<!-- TODO: Explain how to connect with other providers -->
+<!-- Other providers should just refer to this section, as the setup will be similar -->
+
+## Low-level building blocks
+
+### Session Management
+
+|Package|Functionality|
+|-|-|
+|`serverpod_auth_session`|Database-backed session handling, with flexible configuration per session.|
+|`serverpod_auth_jwt`|JWT-based session implemented, which can also generate access token with public/private key cryptography to use with 3rd party services.|
+
+### Authentication
+
+The following package provide the core authentication functionality, but without providing a default `Endpoint` base implementation. Thus they can be combined with another session package and include further modification, like for example a custom user profile.
+
+|Package|Functionality|
+|-|-|
+|`serverpod_auth_email_account`|Basic email authentication.|
+|`serverpod_auth_apple_account`|Basic "Sign in with Apple" authentication.|
+|`serverpod_auth_google_account`|Basic "Sign in with Google authentication.|
+
diff --git a/docs/08-upgrading/06-upgrading-from-serverpod_auth.md b/docs/08-upgrading/06-upgrading-from-serverpod_auth.md
@@ -0,0 +1,137 @@
+# Upgrading from `serverpod_auth`
+
+With the release of Serverpod 3.0, the single legacy `serverpod_auth` package was replaced with a set of modular packages providing flexible modules for users, authentication providers, profiles, and session management.
+
+For an existing Serverpod application which makes use of `serverpod_auth` (which also still works with Serverpod 3.0) to upgrade to the new package, there exists `serverpod_auth_migration` to facilitate moving over all authentication- and user-related data into the new modules.  
+Once the migration is complete, the legacy `serverpod_auth` module and the `serverpod_auth_migration` dependencies can be removed, which will also remove the then obsolete tables from the database.
+
+Due to the modular approach, each used authentication provider (email, Apple, Google, etc.) needs to be configured individually for the migration.  
+No matter through which authentication provider(s) a user is migrated, their profile will always be migrated as well by default.
+
+## General timeline
+
+The suggested migration timeline applies to all auth providers.
+
+1. Add and configure the new auth modules for the desired providers, e.g. [email](../concepts/authentication/setup_new#email)
+2. Add the migration module and configure each auth provider and set up a background migration job <!-- TODO: Build and document Future call for migration -->
+3. Switch over all clients to use the new authentication endpoints
+4. After a sufficient percentage of the userbase has migrated to the new endpoints, disable sign-ups throught the legacy package <!-- TODO: Build and showcase "off switch" in legacy package -->
+5. Later on also disable logins and password resets on the `serverpod_auth` APIs
+6. Once all users have been migrated (some of them via the background processes, albeit without passwords) remove the dependency on `serverpod_auth` and `serverpod_auth_migration` and delete all obsolete code
+7. The next migration will then also remove obsolete tables
+
+If the Serverpod application stores data with a relation to the `int` `UserInfo` ID, this needs to be migrated to the new `UUID` id of the `AuthUser`.  
+To support this the `serverpod_auth_migration` packages provides a single hooks which is run for each user migration in which any related entities from your app can be migrated as well.
+
+## Sessions
+
+In order to support both sessions created by the legacy `serverpod_auth` and through the new `serverpod_auth_session` package, the `authenticationHandler` has to be updated to try both of them.  
+Since an invalid/unknown session key just yields a `null` result, they can be chained like this:
+
+```dart
+import 'package:serverpod_auth_server/serverpod_auth_server.dart' as auth;
+import 'package:serverpod_auth_email/serverpod_auth_email.dart' show AuthSessions;
+
+
+final pod = Serverpod(
+  args,
+  Protocol(),
+  Endpoints(),
+  authenticationHandler: (session, key) async {
+    return await AuthSessions.authenticationHandler(session, key) ??
+        await auth.authenticationHandler(session, key);
+  },
+);
+```
+
+All high-level authentication provider package use `serverpod_auth_session` under the hood, and only a single handler needs to be registered to support all of them.
+
+## Migrating Email Authentications
+
+Before starting with the email account migration, the email authentication from `serverpod_auth_email` must be [set up as described](../concepts/authentication/setup_new#email).
+
+Since the password storage format changed between the legacy and new modules, and because we only have access to the plain text password during `login` (when it's sent from the client), there are 2 scenarios of migrating user accounts and the email authentication.
+
+During a login, we can verify the incoming credentials, and then migrate the entire account including the password.  
+In all other cases (e.g. a password reset or a background migration job) we can migrate the user profile and account, but not set its password. The password could be set on a subsequent login (if it matches the one from the legacy module), or in case the user did not log in during the migration phase, they will have to resort to a password reset.
+
+In order to avoid creating duplicate accounts for the "same" user in both the legacy and new system, one needs to ensure that the migration is always called before the new module would attempt any user lookups or creations.  
+To support this in the new endpoint, which now exists as a subclass in the Serverpod application, the migration methods need to be added to each affected endpoint.
+
+```dart
+class EmailAccountEndpointWithMigration
+    extends email_account.EmailAccountEndpoint {
+  @override
+  Future<String> login(
+    final Session session, {
+    required final String email,
+    required final String password,
+  }) async {
+    // Add this before the call to `super` in the endpoint subclass
+    await AuthMigrationEmail.migrateOnLogin(
+      session,
+      email: email,
+      password: password,
+    );
+
+    return super.login(session, email: email, password: password);
+  }
+
+  @override
+  Future<void> startRegistration(
+    final Session session, {
+    required final String email,
+    required final String password,
+  }) async {
+    // Add this before the call to `super` in the endpoint subclass
+    await AuthMigrationEmail.migrateOnLogin(
+      session,
+      email: email,
+      password: password,
+    );
+
+    return super.startRegistration(session, email: email, password: password);
+  }
+
+  @override
+  Future<void> startPasswordReset(
+    final Session session, {
+    required final String email,
+  }) async {
+    // Add this before the call to `super` in the endpoint subclass
+    await AuthMigrationEmail.migrateWithoutPassword(session, email: email);
+
+    return super.startPasswordReset(session, email: email);
+  }
+}
+```
+
+After this modification, the endpoint will always attempt a migration first, before then proceeding with the desired request (e.g. registering a new account if none exists yet).
+
+The migration works fully out of the box. But in case the existing `UserInfo` should not be moved to a new `serverpod_auth_profile` `UserProfile`, this can be disabled through the `AuthMigrationEmailConfig`:
+
+```dart
+AuthMigrationEmail.config = AuthMigrationConfig(
+  importProfile: false,
+  userMigrationHook: (session, {required newAuthUserId, required oldUserId, transaction}) => …,
+);
+```
+
+## User ID Migration
+
+The `userMigrationHook` shown above is also the place where you should migraten all references to a legacy `UserInfo` id to the new `AuthUser` `UUID`.
+
+Commonly there are 2 approach how this could be handled:
+
+One way would be to extend any database table that currently points to a `UserInfo` to also gain an optional `AuthUser` id column.  
+Then during the migration identify all rows belonging to the user and set their `AuthUser` id value. Later on the `UserInfo`-relation column will just be dropped when the migration is done.
+Care needs to be taken that one does not keep writing new rows with just a `UserInfo` relation, as the migration for the previous user will not be run again, and thus this would become unreachable with the user's new ID.
+A benefit of this approach is that existing queries for the user's entities (e.g. team memberships) could easily be accomodated by looking for the `int` or `UUID` value depending on the ID type of the `AuthenticationInfo`.
+
+Alternatively, especially if one wants to make further changes to one schema in conjunction with the user migration, one could migrate to altogether new tables in the migration, which only point to `AuthUser`s and where the relation would not need to be optional.
+All future reads and writes (for migrated users) should then go to the new tables – which might not be feasible if the data is shared between both legacy and new users. But potentially one could just run a migration for all users in a team/company so all users in that group could start using the new tables.
+<!-- For this to work with old session, we would probably need another migration layer to look up the "new ID" in a request (which was started with a legacy session) (on the session? might easily get races on app start up) -->
+
+## Future calls (background migration)
+
+<!-- TODO -->
