ADR - Use NextAuth #102

Open
wants to merge 7 commits into base: main

brandon-lent commented Dec 20, 2022

Ticket

#179

Changes

Created a new ADR that:

  1. Weighs the pros and cons of using NextAuth in platform projects
  2. Provides an example implementation and guidance
  3. Helps us align on if this is the right solution

Context for reviewers

Most projects at Nava eventually require integration with an authentication provider. Using NextAuth simplifies this for us as it allows us to easily integrate authentication into Next.js applications.

For more context, we have a thread about this in Slack here.

brandon-lent self-assigned this Aug 1, 2023
brandon-lent added this to the Authentication milestone Aug 1, 2023



## Example Implementation
Author

I left an example in here. It's not a true implementation, in that I didn't verify it works as I don't have access to Login.gov APIs. Assuming you have the proper secrets and domains in the content below, I don't see why it wouldn't work though. A potential improvement is mapping all of the login.gov attributes to TypeScript values to use in the return function.

Author

LMK if we should scrap it, keep it, or move it somewhere else.

Contributor

on the fence / don't feel super strongly about it.

Contributor

I think it's a useful reference, but I think we should mention in here that it's pseudo-code/untested.


## Decision Outcome

In-progress
Author

ℹ️ Will update based on feedback and decisions.

brandon-lent changed the title from "ADR - Auth Wrapper" to "ADR - Use NextAuth" Aug 1, 2023

lorenyu (Contributor) left a comment

@brandon-lent sorry for the late review, and thanks for putting this together!

after reading through and thinking about it more, i feel like i can't really recommend a solution until we have some proof of concepts.

some possible paths forward, we could explicitly call out next steps in the ADR to implement some proof of concepts and merge the ADR as an in progress / proposed state.

and then we can update the ADR in the future once we have more info from the technical spikes.

or alternatively we can put this on the backburner for now and have some backlog tickets to do some spikes.


## Context and Problem Statement

A common requirement for government projects is working with an identity provider (Such as login.gov or AWS Cognito). It isn't uncommon for authentication providers to be changed during the lifecycle of a project. We want to ease the concern of being "locked in" to one provider. [NextAuth](https://next-auth.js.org/) fills this need by allowing us to easily swap identity providers and providing helpful functions for retrieving user data.
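
Review bot: the last sentence of this problem statement says NextAuth lets us "easily swap identity providers", but the paragraph never states what the rest of the application is allowed to depend on, so the claim cannot be checked against a given provider. Consider adding a sentence naming the provider-independent pieces the template will rely on (for example, the session and user fields), so a reader can tell whether login.gov or AWS Cognito actually fit.
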
Contributor

not sure i agree with the part about

> It isn't uncommon for authentication providers to be changed during the lifecycle of a project.

i think the goal is less about making it easy to switch auth providers, and more about eliminating the dependency of the rest of the template on any particular auth provider, so that project teams can use the Next.js application template even if they use a non-default provider by simply implementing a new adapter rather than needing to refactor the parts of the application that rely on auth functionality.




lorenyu commented Aug 4, 2023

also curious for @sawyerh's opinion on this too

sawyerh (Contributor) left a comment

I agree with Loren's comment on the problem statement. I think we should probably update that part before merging.

> we could explicitly call out next steps in the ADR to implement some proof of concepts and merge the ADR as an in progress / proposed state.

I like this idea too. I feel pretty good about recommending NextAuth, so merging this ADR as "proposed" + (someone) doing a proof-of-concept in a follow-up PR feels like a good next step.

I think you could potentially repurpose your code example at the bottom as a "Next steps" section, mentioning that we'd like to explore a proof of concept and "here's a pseudo example of what we could try"

3. Seamless integration with Next.js: NextAuth is designed to work seamlessly with Next.js applications. It provides a simple way to handle authentication in server-rendered and client-side rendered pages, ensuring a smooth user experience.

Cons:
1. Dependency on Next.js: NextAuth is tightly coupled with Next.js framework. If you are not using Next.js, integrating NextAuth into your existing stack may require additional effort.
Contributor

This used to be true but they've recently pivoted to "Auth.js" and made it framework-agnostic: https://authjs.dev/ — for this template though, we'd still use the next-auth package.




sawyerh commented Nov 18, 2023

Update: proof-of-concept created #243
