React Query and Auth: Who is Responsible for What?

Hi, thanks for coming to this talk on React, Query, and Auth. So React, Query, and Auth overlap somewhat, and this talk is going to discuss who's responsible for what. So first I'd like to introduce myself with this amazing steampunk avatar that React Advanced made for me. It's my new favorite thing. My name is Bonnie Shulkin, and I've been in the software industry around 20 years. I've held a lot of roles, but currently I am a developer and trainer. You can find me at bonnie.dev, which is in the lower right of all of these slides. Twitter, I'm at bonnie.dev with the dot spelled out, and I am incredibly proud to hold the at Bonnie handle on GitHub. To introduce this talk, I want to just give a few notes. The first one is that here I'm going to talk about concepts and I'm not really going to introduce code. If you're interested in the code, I'll have a link to the code example at the end. The approach here is actually making my own system to handle all of the players that are interested in user information and off. And this way we can understand all the pieces. But at the end, I will talk about a couple of npm libraries you can use. And then finally, if you're somebody who likes to click links from talks or if you like to follow along with the slides you can get these slides in my bany.dev site slash talks and you can just look for the React advanced talk. I have made some puns in some of the images that you can look out for if you like that kind of thing.

So here's a table for the table of contents. First, I'm going to be introducing React query for people who don't know about this amazing library. Then I'll talk about the app for this talk and what kind of authentication assumptions it uses.

I'll talk about the solution I have to merge React query and auth. And then I'll talk about those NPM libraries I mentioned.

So let's start by talking about React query. React query is a library whose job it is to maintain server state on the client. So it uses this by making a cache of server data on the client. One of the main tools from React query is the use query hook. And this hook takes a query function that's responsible for actually getting the data from the server. In order to subscribe to that data, the React code runs the use query hook. Now part of React queries job is to make sure that the data is in sync with the server. So use query actually updates the data from the server. It pulls new data from the server depending on some triggers. Some of them are automatic like a network reconnect or if the page is focused. You can also manually invalidate the data in the cache and the reason I'm bringing that up is because we'll talk about that later in this talk.

When you manually invalidate the data in the cache, then use query goes to the server and fetches fresh data. I have some small print here. It's a simplification. React query is a pretty sophisticated app so I'm not talking about a lot of concepts like stale data and expiring the cache and so forth. There are a couple other React query concepts that I'd like to talk about that are relevant to this talk. One is mutations. So use query is if you simply want to fetch data from the server. Mutations are if you want to update data on the server and so React query has a use mutation hook in addition to a use query hook. There's also a concept of dependent queries. So these are queries that you can turn on or off based on the value of an expression. So if the expression evaluates to truthy, then the query will be on and it will do all of those data refetches as it does in order to keep the data fresh. If it's off if that value is falsy, then the data is off and is not going to be communicating with the server. I should say the query is off, I think I said the data is off.

Now I'd like to talk about the app that I wrote this solution for.

So this is a day spa app where you can reserve massages or facials or scrubs, you can tell what was on my mind when I wrote this up. So it has available treatments that it needs to get from the server. It also has staff that it needs to get from the server and a calendar of appointments. And it does all of this through React query. This is pretty basic server data for React query. But it also has a sign in feature, a user needs to be signed in in order to reserve appointments. And so it has a use off hook that allows the user or that manages the sign in, sign up and sign out. The use off hook returns sign in, sign up and sign out functions that can be used. And the server uses JSON web token authentication.

So those sign in and sign up functions in the use off hook actually receive a token and the user data in the response from the server. And the question is, who owns this data? So now we're starting to get into the overlap between off and react query. Is this client data or server data? Well, I think you could argue that the user who is signed in, the particular user who signed into this client, that is client data. But the details of the user, their name, their email address, their authorization, that is server data. I'm really sorry if you can hear chainsaws. There is tree work being done in the neighborhood. So user data has actually a lot of parties that have an interest. Use auth is receiving that user data when it makes the calls to the server. And then the user data also needs to be persisted in local storage because we want to make sure if the user refreshes the page, for example, that they aren't automatically logged out. There's also something interesting about use query here. The query function is going to need to use the ID. It's going to need that user ID in order to tell the server whose data to fetch. But it needs the data in order to know the ID. That's why I have this chicken egg graphic here. You need the ID to get the data, but you need the data to get the ID. This is a complication that may make you ask, why would we even want to involve React query at all? Why not just store the user data in a context and leave React query out of the picture? I have a couple of reasons that I think React query is a good idea when comes to user data. The first is mutations. The user can update their data, they can update their name or their e-mail, and we want to make sure that the client is showing accurate data from the server. Imagine this situation. Imagine a user updates their data and then there's a problem, there's a network error or heaven forbid, there's a programming error on the server and it prevents an update. The user needs to know what the actual state of data is on the server. With React Query, we can manage that by invalidating that cache value after the mutation. Then React Query will go and fetch the actual data from the server. This will update the data for anybody subscribed to this React Query cache, including say, if you have the username on the navbar. Any components are going to have the most up-to-date data. The second reason I think it's a good idea to involve React Query is for app startup. The app is going to use local storage or some browser storage to maintain the login across sessions so that the user can refresh the page. What if the user updated the data from another browser? Let's say yesterday, they went to a different browser at their friend's house and they updated the data. Our app is going to look clumsy if we don't have that updated data when they log back in from their new browser. I should say when they log back in from their browser that they were in before they went to their friend's house.

That's something that will just make the app look more sophisticated, but there's also a security issue here. What if we had some user at the spa who was allowed to update the treatments, and they did something really wrong, and they got fired. We want to make sure that if they go back into the application, that we update their user data so that they are no longer authorized to update those treatments. It's really hard to get rid of a token in local storage, but React Query can make it so that we can update data, and we can make sure that we have updated data on startup.

Now, maybe you've swung over to the React Query should manage everything. However, we do need to look after a use auth in local storage. We need to hook those in somehow. Do we want those to subscribe and update the React Query cache individually? Then we've also got that chicken and egg situation for the user ID in the query function.

The solution that I have come up with is to decentralize everything with a used user hook. This is the source of truth. It tracks user data with an internal user state that's exposed as a return value of the hook and that is the canonical user data. We'll use local storage to maintain data not only across sessions, but also whenever a used user is initialized. We'll also keep the user data up to date with the server by using use query so that any of those triggers that I mentioned will update the data. We can take care of that chicken and egg situation by disabling that query if user is falsy. Whenever user data updates, it will go through this used user hook. In order to make sure that the data is maintained everywhere it needs to be in the internal user state, in the query cache, and in local storage.

Because I like visuals, here's the use user hook. It will both receive data from react query, when react query gets updated data from the server, and will also set data in the cache when it gets user data from other sources. Another source it might get user data from is the use auth hook, which receives data from sign in and sign out. Local storage is both getting set anytime user data is updated, and it's also providing the initial value for the use user hook. To get into that a little bit more, the use user hook is going to return that user state for people who want to subscribe to that user data, and then it's also going to return update user, an update user function that takes user data and updates the data for all three players. It will also have a clear user, which updates the data for all three players to be there is no user. Update user. And all of the updates, any user data updates go through use user. So when React query updates the data, it uses the update user function from the use user hook. Same with the use auth hook.

All right, so that's my brief introduction to how I solve this issue. If you'd like to look at the code, you can go to this GitHub repository and you can go to completed apps, lazy day spa, and client as far as the directory tree goes. I'll conclude this talk by talking a little bit about npm libraries that exist. The first one is React query auth.

And here's a link to it. This is a fairly lightweight wrapper around React query. So as a user of React query auth, you initialize it by giving it sign in, sign out, and sign up functions. And then it uses a separate auth provider that takes your config and React query functions and provides a bunch of both data and functions for you. So it gives you the user data and whether or not there was an error. Then it gives you functions to refetch the user, to log in, log out, and register, which is what I've been calling sign up. And then it also gives you data on whether or not events are currently occurring.

The way it uses React query is it treats sign in and sign up as mutation functions. It uses use mutation for that because use mutation allows you to run the function later. And then it has a callback on success of these mutation functions to update the cache. This does not address persistence in the browser.

And here, if you wanna take a look at the code, like I said, it's fairly lightweight, it's actually not that many lines of code. There's also a Firebase library. And here you go. This actually uses useQuery for all of the auth calls and the useQuery takes Firebase functions as the query functions. It stores all of the data directly in the React Query Cache. And Firebase itself, through those Firebase functions, manages the persistence in the local storage and session storage, and has other options as well. And if you'd like to look at the code for this, I have a link to that here.

As of earlier this month, both of these libraries are still finding traction. So you can see that React Query Auth has about 500 downloads per week and React Query Firebase has about 30 downloads per week, I should say the auth part of it. You can compare this to around 575,000 downloads per week for React Query. All right, so to conclude this talk, I just want to reiterate that the reason that this merited an entire talk is because there are three main players when it comes to user data. There's React Query, which can maintain the state of the data on the server. There's Auth Functions, which can be in charge of retrieving the initial data. And then there's the persistence across sessions. So that can be local storage or other persistence tools. Any complete solution needs to address all three of these. So thank you so much for coming to my talk.