Back to overview

Setting up authentication in Astro with Prisma and Planetscale

Phone with passcode screen
| 4 min read
View count:

I’ve been wanting to add authentication to my personal website for a while now to see how it works in Astro. With Prisma and PlanetScale already running for comments on my blogs, I decided to store my account information in PlanetScale. Because it’s just used for my own account, and I’m not storing any other sensitive information in my database, I decided to store the credentials in plain text for now. I changed my Prisma schema to make this possible:

model Account {
  id Int @id @default(autoincrement())
  username String @unique
  password String

Once the model is updated in the code, running npx prisma db push propagates the changes to PlanetScale, so the schema is updated in the actual database.

I used an existing package called @astro-auth to handle all the authentication on my site. For this to work, I needed to add 2 environment variables to my application: ASTROAUTH_URL (the URL my site is hosted on) and ASTROAUTH_SECRET (a self chosen secret key).

Because I stored the credentials in PlanetScale, I needed to use the CredentialProvider to enable logging in with username and password. There are many other providers available on @astro-auth, go check out the package if you’re interested. The code needed to set this up with @astro-auth looks like this:

import AstroAuth from "@astro-auth/core";
import { CredentialProvider } from "@astro-auth/providers";
import { prisma } from "../../../lib/prisma";

export const all = AstroAuth({
  authProviders: [
      authorize: async (properties) => {
        const account = await prisma?.account.findFirst({
          where: {
            username: properties.username,
            AND: {
              password: properties.password,
          select: {
            id: true,
        if (account?.id) {
          return properties.username;
        return null;

Creating a login page was very easy. I just created a form, calling the signIn() method from @astro-auth on submit, and BOOM: logged in! The code for the login page:

      import { signIn } from "@astro-auth/client";

      document.addEventListener("DOMContentLoaded", () => {
          ?.addEventListener("submit", async (e) => {
            const form =;
            if (form) {
              const formData = new FormData(form as HTMLFormElement);
              const data = Object.fromEntries(formData);
              await signIn({
                provider: "credential",
                login: data,
              window.location.href = "/";
      <label for="username">Name</label>
      <input type="text" name="username" />

      <label for="password">Password</label>
      <input type="password" name="password" />

      <input type="submit" value="Submit" />

After submitting the form, the user’s signed in and is redirected to the homepage. Protecting a page with authentication is easy, just checking the logged in user with the getUser() function from @astro-auth. Here’s an example of a page where I used this check:

import { getUser } from "@astro-auth/core";
import Layout from "../layouts/Layout.astro";
import { prisma } from "../lib/prisma";
import CommentsOverviewWrapper from "../components/CommentOverviewWrapper";
const user = getUser({ client: Astro });
if (!user) {
  return Astro.redirect("/", 307);
const commentsWithPost = await prisma?.comment.findMany({
  include: {
    post: {
      select: { url: true },

  description="Overview of comments"
  title="Thomas Ledoux | Comment overview"
  <CommentsOverviewWrapper commentsWithPost={commentsWithPost} client:load />

If the user is not logged in, the user will be redirected to the homepage with a 307 status code. I also have an API route to delete comments on my blog posts, which I want to fence off so only authenticated user can use this API. It’s possible to use the getUser() function from @astro-auth for this too, but this time we’re going to pass the request instead of the Astro object. Example of using this code:

export const del: APIRoute = async ({ request }) => {
  const user = getUser({ server: request });
  if (user) {
    const body = await request.json();
    const deleteComment = await prisma?.comment.delete({
      where: {
    return new Response(
        message: `Comment with id ${deleteComment?.id} deleted`,
      { status: 200 },
  return new Response(null, { status: 403 });

So when the user is not authenticated, a 403 response will be returned.

Hope this was helpful! Source code can be found on my Github as always.

Did you like this post? Check out my latest blog posts:

Screenshot of an analytics dashboard
16 Jan 2024

Basic analytics with Vercel Postgres - Drizzle - Astro

10 min reading time

  • vercel
  • databases
  • typescript
  • astro
Page of a dictionary
15 Nov 2023

A minimal dependency-free translation system for Next.js

6 min reading time

  • nextjs
  • react
  • javascript
Chrome logo repeated in a grid
4 Sept 2023

Developing a Chrome extension to convert the current url to localhost in 1 click

4 min reading time

  • javascript
  • chrome extension
  • html