[Feature Request]: Anonymous/Guest Sessions #1475

oscarhermoso opened this issue Mar 9, 2024 · 6 comments
Labels
feature request New feature requests


oscarhermoso commented Mar 9, 2024

Package

lucia

Description

Many authentication frameworks offer "Guest" or "Anonymous" sessions to track user actions. For example:

Use cases include multi-page sign-up flows, shopping carts for users without accounts, and temporary permissions for guest users (such as access to a conference call or whiteboard collaboration session).

Currently, Lucia sessions are tightly coupled to users. It might already be possible to represent anonymous sessions by creating "guest users", but I believe the most ergonomic developer experience would be having the Lucia library allow creating a session without an associated user.

Considerations:

  • Does Lucia actually want this feature?
  • Can/should this be solved with documentation instead of code?
  • Can/should this be a separate package to lucia?
    • Might also need a major version bump if in core package
  • Support for converting anonymous sessions into full users?
@oscarhermoso oscarhermoso added the feature request New feature requests label Mar 9, 2024
@pilcrowOnPaper
Member

My big question here is: does the session for authenticated users and unauthenticated/guest/anonymous users need to be the same? Take GitHub, for example. It maintains 2 types of sessions: _gh_sess and user_session.

@oscarhermoso
Author

oscarhermoso commented Mar 31, 2024

Personal preference would definitely be a single sessionId cookie.

Having multiple sessionId cookies would increase the risk of implementation errors. There are a lot of places in Lucia already where developers need to handle cookies, and it would be easy to forget in one place (e.g. needing to manage both cookies on log-in, log-out, sign-up, and OAuth callbacks).

Plus, more cookies = slower requests.

With a single sessionId, you could still have separate session data for the authenticated/anonymous users though - with separate Lucia functions and/or database tables... but overall I believe it would be simpler to have a single session.

@oscarhermoso
Author

One possible implementation - if Lucia's createSession no longer required a userId argument, and adapter.getSessionAndUser was allowed to return a session without a user, I think that would achieve a lot of what's needed.

const [databaseSession, databaseUser] = await this.adapter.getSessionAndUser(sessionId);
if (!databaseSession) {
    return { session: null, user: null };
}

Before SvelteKit & Lucia - my experience was with Django. Over there, the session middleware can be installed without auth middleware, and auth gets plugged in afterwards. All sessions are anonymous by default.

This is actually a really nice architecture, as the session middleware is primarily concerned with data storage/access. Then, the session middleware provides methods that the auth middleware hooks into.

I don't think this is far from Lucia's current implementation... Lucia's adapters are kind of like Django's session middleware, and Lucia's core package is kind of like Django's auth middleware.

To set session attributes for anonymous users, we could reimplement Lucia V2's auth.updateSessionAttributes, but as an "upsert" operation instead of throwing if the session does not exist.

The session type signature would be something like this:

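// Sketch: full attributes when a user is attached, partial attributes for an anonymous session.
type Session<TUser = undefined> = TUser extends undefined ? Partial<DatabaseSessionAttributes> : DatabaseSessionAttributes;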
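
The single-session design proposed in the comment above, as an added sketch that is not Lucia's code or API: creating a session takes an optional user, validation can return a session without a user, and converting a guest session at login issues a new session ID (rotation on privilege change, the usual session-fixation mitigation). SessionStore, upsertSessionAttributes and upgradeSession are hypothetical names, and the caller is assumed to write the returned ID to the single session cookie.

```javascript
// Hypothetical in-memory store (SessionStore and its methods are not Lucia APIs).
// Web Crypto is global in browsers and current Node; older Node has it in node:crypto.
const webCrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

function generateSessionId() {
  const bytes = webCrypto.getRandomValues(new Uint8Array(20)); // 160 random bits
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

class SessionStore {
  constructor(ttlMs = 24 * 60 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.sessions = new Map(); // id -> { userId, attributes, expiresAt }
  }

  // userId is optional: omitting it creates an anonymous (guest) session.
  createSession(userId = null, attributes = {}, now = Date.now()) {
    const id = generateSessionId();
    this.sessions.set(id, { userId, attributes: { ...attributes }, expiresAt: now + this.ttlMs });
    return id;
  }

  // A valid anonymous session comes back with userId === null, not as "no session".
  validateSession(id, now = Date.now()) {
    const session = this.sessions.get(id);
    if (!session || session.expiresAt <= now) {
      this.sessions.delete(id);
      return { session: null, userId: null };
    }
    return { session, userId: session.userId };
  }

  // "Upsert": merge into a live session, else start a new one under a server-generated ID.
  upsertSessionAttributes(id, attributes, now = Date.now()) {
    const { session } = this.validateSession(id, now);
    if (!session) return this.createSession(null, attributes, now);
    Object.assign(session.attributes, attributes);
    return id;
  }

  // Login/sign-up: keep guest data (e.g. a cart) but rotate the ID, so a value
  // that was known before authentication is worthless afterwards.
  upgradeSession(oldId, userId, now = Date.now()) {
    const { session } = this.validateSession(oldId, now);
    const carried = session && session.userId === null ? session.attributes : {};
    this.sessions.delete(oldId);
    return this.createSession(userId, carried, now);
  }
}
```

Because upsertSessionAttributes and upgradeSession can return a different ID from the one passed in, the response has to set the cookie from the return value every time.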

@frederichoule

That would be a nice addition to Lucia.

@pilcrowOnPaper
Member

I think an easier answer would be to just remove users from Lucia #1516

@frederichoule

> I think an easier answer would be to just remove users from Lucia #1516

That would probably be the best way to do it.
