Remix Auth Form Strategy

3.0.0 · active · verified Wed Apr 22

remix-auth-form is a specialized strategy for the Remix Auth library, designed to handle authentication via any HTML form. It provides the `FormData` instance and the original `Request` object directly to the `verify` callback, enabling flexible input handling beyond traditional username/password schemes. This allows developers to include additional fields as needed for their authentication flow. The package is currently at v3.0.0, having recently updated to support Remix Auth v4. Releases appear to be driven by breaking changes in `remix-auth` or `Remix` itself, ensuring compatibility with the latest ecosystem features. It supports both Node.js and Cloudflare runtimes, making it versatile for various deployment targets.

Common errors

```
TypeError: FormStrategy is not a constructor
```
cause Attempting to use `new FormStrategy()` after importing it incorrectly, often due to CommonJS `require` or incorrect named vs. default import in an ESM context.

fix Ensure you are using `import { FormStrategy } from 'remix-auth-form';` and that your project is configured for ESM, especially if using `remix-auth-form` v2.0.0 or higher.
```
Cannot find module 'remix-auth-form' or its corresponding type declarations.
```
cause The package is not installed, the import path is wrong, or TypeScript cannot resolve types, possibly due to mismatched module systems (ESM/CJS).

fix Run `npm install remix-auth-form` or `yarn add remix-auth-form`. Verify the import path is exactly `remix-auth-form`. For TypeScript, ensure your `tsconfig.json` is configured for `"moduleResolution": "bundler"` or `"node16"` for modern Remix setups.
```
A strategy with the name 'form' is already in use.
```
cause You have called `authenticator.use()` with the default name ('form') more than once, or you've forgotten to provide a unique name for multiple instances of `FormStrategy`.

fix When using `authenticator.use()`, provide a unique string as the second argument if you're registering multiple strategies or multiple instances of the same strategy (e.g., `authenticator.use(new FormStrategy(...), "my-custom-form-strategy");`).

Warnings

breaking Version 3.0.0 upgrades the peer dependency to `remix-auth@^4.0.0`. Projects still on `remix-auth` v3.x or earlier will need to upgrade `remix-auth` to a compatible v4.x version.
Fix: Ensure your project's `remix-auth` dependency is updated to `^4.0.0` or higher to match the peer dependency requirements.
breaking Version 2.0.0 migrated the package to ESM (ECMAScript Modules) and modernized its setup. This means `remix-auth-form` is no longer compatible with CommonJS (`require()`) environments. Attempting to import it in a CJS project will lead to errors.
Fix: Migrate your Remix project to use ESM or ensure your build configuration correctly transpiles `remix-auth-form` for CJS compatibility, if possible. The recommended approach is to embrace ESM for Remix applications.
breaking Version 2.0.0 removed the `pre-read FormData` option. If your authentication logic relied on this specific option for accessing form data, your code will break.
Fix: Adjust your `FormStrategy`'s `verify` callback to directly access `form` (the `FormData` instance) and `request` (the `Request` object) from its parameters, as demonstrated in the current documentation.
gotcha The package was updated to support Remix 2.0 in version 1.4.0. While typically backward compatible, using newer versions of `remix-auth-form` with very old Remix versions might lead to unexpected behavior or require specific polyfills/configurations.
Fix: For optimal compatibility and to leverage the latest features, ensure your Remix project is updated to a modern version, preferably Remix 2.0 or higher.

Install

npm install remix-auth-form npm
yarn add remix-auth-form yarn
pnpm add remix-auth-form pnpm

Imports

FormStrategy
wrong:
```
import FormStrategy from 'remix-auth-form';
const FormStrategy = require('remix-auth-form').FormStrategy;
```
correct:
```
import { FormStrategy } from 'remix-auth-form';
```
remix-auth-form is an ESM-only package since v2.0.0. Using CommonJS `require` will result in errors. It is a named export, not a default export.
Authenticator
wrong:
```
import { Authenticator } from 'remix-auth-form';
```
correct:
```
import { Authenticator } from 'remix-auth';
```
The `Authenticator` class is the core component of the `remix-auth` library, not `remix-auth-form`. Confusing the import source is a common mistake.
ActionFunctionArgs
wrong:
```
import type { ActionFunction } from 'remix';
```
correct:
```
import type { ActionFunctionArgs } from '@remix-run/node';
```
Remix route types like `ActionFunction` were deprecated in favor of `ActionFunctionArgs` in Remix v1.3.0/v1.4.0, which became the standard in Remix 2.0. Ensure correct type imports for modern Remix applications.

Quickstart

This quickstart demonstrates how to set up `remix-auth-form` with `remix-auth`, define a custom authentication logic using form data, and integrate it into a Remix `action` function for handling user login. It showcases form data access, basic validation, and redirection upon success or failure.

import { Authenticator } from "remix-auth";
import { sessionStorage } from "~/services/session.server";
import { FormStrategy } from "remix-auth-form";
import { redirect, type ActionFunctionArgs } from "@remix-run/node";

// Placeholder for your User type and database logic
interface User { id: string; username: string; }
async function findOrCreateUser(username: string, hashedPassword: string): Promise<User> {
  console.log(`Finding or creating user: ${username} with hashed password: ${hashedPassword}`);
  // In a real app, you'd interact with your database here.
  // For this example, we'll just return a dummy user.
  return { id: 'some-user-id', username: username };
}

// This would typically come from a utility, e.g., 'bcrypt'
async function hash(password: string): Promise<string> {
  return `hashed-${password}`;
}

// You would define your session storage here
export let authenticator = new Authenticator<User>(sessionStorage);

authenticator.use(
  new FormStrategy(async ({ form, request }) => {
    let username = form.get("username");
    let password = form.get("password");

    // Basic validation (use a library like Zod for robust validation)
    if (typeof username !== "string" || username.length === 0) {
      throw new Error("Username must be a non-empty string");
    }
    if (typeof password !== "string" || password.length === 0) {
      throw new Error("Password must be a non-empty string");
    }

    let hashedPassword = await hash(password);
    let user = await findOrCreateUser(username, hashedPassword);

    return user;
  }),
  // Optional: provide a custom name for the strategy if using multiple form strategies
  "user-pass"
);

export async function action({ request }: ActionFunctionArgs) {
  try {
    let user = await authenticator.authenticate("user-pass", request, {
      successRedirect: "/dashboard",
      failureRedirect: "/login?error=true",
      throwOnError: true,
    });
    // If successful, user is authenticated and session is set.
    // The successRedirect handles the actual redirect.
    return user; // Should not be reached if successRedirect is set
  } catch (error) {
    // If throwOnError is true, strategy errors will be re-thrown here.
    // Handle authentication failures, e.g., log the error or return a specific response.
    console.error("Authentication error:", error);
    // The failureRedirect would handle the UI redirect to login page.
    return redirect("/login?error=true");
  }
}

view raw JSON →