React Query and Auth: Who is Responsible for What?

React Query manages server state on the client, and auth manages user sign in/sign up/sign out. Where do these two overlap, and how do you separate concerns? This talk proposes a data flow with custom hooks for both auth and React Query to manage authentication status and user profile updates.


Transcript


Intro


Hi, thanks for coming to this talk on React Query and Auth. So React Query and Auth overlap somewhat, and this talk is going to discuss who's responsible for what.

So first, I'd like to introduce myself with this amazing steampunk avatar that React Advanced made for me. It's my new favorite thing. My name is Bonnie Schulkin, and I've been in the software industry for around 20 years. I've held a lot of roles, but currently I am a developer and trainer. You can find me at bonnie.dev, which is in the lower right of all of these slides. Twitter, I'm @bonniedotdev with the dot spelled out. And I am incredibly proud to hold the @Bonnie handle on GitHub.

[01:10] To introduce this talk, I want to just give a few notes. The first one is that here I'm going to talk about concepts, and I'm not really going to introduce code. If you're interested in the code, I'll have a link to the code example at the end. The approach here is actually making my own system to handle all of the players that are interested in user information and Auth. And this way we can understand all the pieces. But at the end, I will talk about a couple of npm libraries you can use. And then finally, if you're somebody who likes to click links from talks, or if you like to follow along with the slides, you can get these slides in my bonnie.dev site slash talks. And you can just look for the React Advanced talk.

I have made some puns in some of the images that you can look out for if you like that kind of thing. So here's a table, for the table of contents.

First, I'm going to be introducing React Query for people who don't know about this amazing library.

Then I'll talk about the app for this talk and what kind of authentication assumptions it uses.

I'll talk about the solution I have to merge React Query and Auth, and then I'll talk about those npm libraries I mentioned.


What is React Query?


[02:40] So let's start talking about React Query. React Query is a library whose job it is to maintain server state on the client. So it uses this by making a cache of server data on the client.

One of the main tools from React Query is the useQuery hook. And this hook takes a query function that's responsible for actually getting the data from the server. In order to subscribe to that data, the React code runs the useQuery hook.

[03:20] Now part of React Query's job is to make sure that the data is in sync with the server. So useQuery actually updates the data from the server. It pulls new data from the server, depending on some triggers. Some of them are automatic, like a network reconnect, or if the page is focused. You can also manually invalidate the data in the cache. And the reason I'm bringing that up is because we'll talk about that later in this talk. When you manually invalidate the data in the cache, then useQuery goes to the server and fetches fresh data.

I have some small print here. It's a simplification. React Query is a pretty sophisticated app, so I'm not talking about a lot of concepts like stale data and expiring the cache and so forth.

[04:18] There are a couple other React Query concepts that I'd like to talk about that are relevant to this talk. One is mutations. So useQuery is if you simply want to fetch data from the server. Mutations are if you want to update data on the server. And so React Query has a useMutation hook in addition to a useQuery hook.

There's also a concept of dependent queries. So these are queries that you can turn on or off based on the value of an expression. So if the expression evaluates to truthy, then the query will be on and it will do all of those data refetches as it does in order to keep the data fresh. If it's off, if that value is falsy, then the data is off and is not going to be communicating with the server. I should say the query is off. I think I said the data is off.


App assumptions for this talk


[05:19] Now I'd like to talk about the app that I wrote this solution for. So this is a day spa app where you can reserve massages or facials or scrubs. You can tell what was on my mind when I wrote this app. So it has available treatments that it needs to get from the server. It also has staff that it needs to get from the server and a calendar of appointments. And it does all of this through React Query. This is pretty basic server data for React Query.

But it also has a sign in feature. A user needs to be signed in in order to reserve appointments. And so it has a useAuth hook that manages the sign in, sign up and sign out. The useAuth hook returns sign in, sign up, and sign out functions that can be used. And the server uses JSON Web Token authentication.

[06:23] So those sign in and sign up functions in the useAuth hook actually receive a token and the user data in the response from the server. And the question is, "Who owns this data?"


Merging React Query and Auth


[06:40] So now we're starting to get into overlap between Auth and React Query. Is this client data or server data? Well, I think you could argue that the user who is signed in, the particular user who signed into this client, that is client data, but the details of the user, their name, their email address, their authorization, that is server data.

I'm really sorry if you can hear chainsaws. There's tree work being done in the neighborhood.

So user data has actually a lot of parties that have an interest. useAuth is receiving that user data when it makes the calls to the server and then the user data also needs to be persisted in local storage, because we want to make sure if the user refreshes the page, for example, that they aren't automatically logged out.

[07:41] There's also something interesting about useQuery here. The query function is going to need to use the ID. It's going to need that user ID in order to tell the server whose data to fetch. But it needs the data in order to know the ID. So that's why I have this chicken egg graphic here. You need the ID to get the data, but you need the data to get the ID.

So this is a complication that may make you ask, "Why would we even want to involve React Query at all? Why not just store the user data in a context and leave React Query out of the picture?"

[08:20] I have a couple reasons that I think React Query is a good idea when it comes to user data. The first is mutations. So the user can update their data. They can update their name or their email. And we want to make sure that the client is showing accurate data from the server.

So imagine this situation, imagine a user updates their data, and then there's a problem, there's a network error or, heaven forbid, there's a programming error on the server and it prevents an update. The user needs to know what the actual state of data is on the server. And with React Query, we can manage that by invalidating that cache value after the mutation. Then React Query will go and fetch the actual data from the server. So this will update the data for anybody subscribed to this React Query cache, including, say, if you have the username on the nav bar, any components are going to have the most up-to-date data.

[09:34] The second reason I think it's a good idea to involve React Query is for app startup. The app is going to use local storage or some kind of browser storage to maintain the login across sessions so that the user can refresh the page. What if the user updated the data from another browser? So let's say yesterday they went to a different browser at their friend's house and they updated the data, our app is going to look clumsy if we don't have that updated data when they log back in from their new browser. I should say when they log back in from their browser that they were in before they went to their friend's house.

So that's something that will just make the app look more sophisticated. But there's also a security issue here. So what if we had some user at the spa who was allowed to update the treatments and they did something really wrong and they got fired? We want to make sure that if they go back into the application, that we update their user data so that they are no longer authorized to update those treatments. It's really hard to get rid of a token in local storage, but React Query can make it so that we can make sure that we have updated data on startup.

[11:09] All right. So now maybe you've swung over to the React Query should manage everything. However, we do need to look after useAuth and localStorage. We need to hook those in somehow. Do we want those to subscribe and update the React Query cache individually? And then we've also got that chicken and egg situation for the user ID in the query function.

So the solution that I have come up with is to centralize everything with a useUser hook. This is the source of truth. It tracks user data with an internal user state that's exposed as a return value of the hook. And that is the canonical user data. We'll use localStorage to maintain data, not only across sessions but also whenever a useUser is initialized. And we'll also keep the user data up to date with the server using useQuery so that any of those triggers that I mentioned will update the data. And we can take care of that chicken and egg situation by disabling that query if user is falsy. Whenever user data updates, it will go through this useUser hook. So in order to make sure that the data is maintained everywhere it needs to be, in the internal user state, in the query cache, and in local storage.

[12:55] So because I like visuals, here's the useUser hook. It will both receive data from React Query when React Query gets updated data from the server and will also set data in the cache when it gets user data from other sources. Another source it might get user data from is the useAuth hook, which receives data from sign in and sign up. And localStorage is both getting set anytime user data is updated, and it's also providing the initial value for the useUser hook.

To get into that a little bit more, the useUser hook is going to return that user state for people who want to subscribe to that user data. And then it's also going to return updateUser, an updateUser function that takes user data and updates the data for all three players. It will also have a clearUser which updates the data for all three players to be, "There is no user." And all of the updates, any user data updates, go through useUser. So when React Query updates the data, it uses the updateUser function from the useUser hook, same with the useAuth hook.


Example project with code


[14:28] All right. So that's my brief introduction to how I solve this issue. If you'd like to look at the code, you can go to this GitHub repository and you can go to completed-apps, lazy-day-spa, and client as far as the directory tree goes.


npm libraries


[14:50] I'll conclude this talk by talking a little bit about npm libraries that exist.

The first one is React Query Auth. And here's a link to it. This is a fairly lightweight wrapper around React Query. So as a user of React Query Auth, you initialize it by giving it sign in, sign out and sign up functions, and then it uses a separate AuthProvider that takes your config and React Query functions and provides a bunch of both data and functions for you. So it gives you the user data and whether or not there was an error, then it gives you functions to refetch the user, to log in, log out and register, which is what I've been calling sign up. And then it also gives you data on whether or not events are currently occurring.

The way it uses React Query is it treats sign in and sign up as mutation functions. It uses useMutation for that because useMutation allows you to run the function later. And then it has a callback on success of these mutation functions to update the cache. This does not address persistence in the browser. And here, if you want to take a look at the code, like I say, it's fairly lightweight, it's actually not that many lines of code.

[16:23] There's also a Firebase library. And here you go. This actually uses useQuery for all of the auth calls. And the useQuery takes Firebase functions as the query functions. It stores all of the data directly in the React Query cache. And Firebase itself, through those Firebase functions, manages the persistence in the localStorage and session storage. It has other options as well. And if you'd like to look at the code for this, I have a link to that here.

As of earlier this month, both of these libraries are still finding traction. So you can see that React Query Auth has about 500 downloads per week and React Query Firebase has about 30 downloads per week. I should say the auth part of it. You can compare this to around 575,000 downloads per week for React Query.

[17:35] All right, so to conclude this talk, I just want to reiterate that the reason that this merited an entire talk is because there are three main players when it comes to user data. There's React Query, which can maintain the state of the data on the server. There's Auth functions, which can be in charge of retrieving the initial data. And then there's the persistence across sessions, so that can be localStorage or other persistence tools. Any complete solution needs to address all three of these.

So thank you so much for coming to my talk. Thank you to React Advanced for having me and for making that amazing steampunk avatar.



19 min
25 Oct, 2021
