docs: Document serverpod_auth_email setup and migrating from serverpod_auth to the new provider using serverpod_auth_migration

Closes serverpod/serverpod#3663

Author: tp

docs/06-concepts/11-authentication/01-setup_new.md

@@ -0,0 +1,197 @@
+# Setup (`serverpod_auth_*`)
+
+Serverpod comes with built-in support for authentication. It is possible to build a [custom authentication implementation](custom-overrides), but the recommended way to authenticate users is to use one of the provided `serverpod_auth_*` modules. The modules make it easy to authenticate with email or social sign-ins and currently supports signing in with email, Google, Apple, and Firebase.
+
+Future versions of the authentication module will include more options. If you write another authentication module, please consider [contributing](/contribute) your code.
+
+We provide the following packages of ready-to use authentication providers. They all include a basic user profile courtesy of `serverpod_auth_profile`, and session management through `serverpod_auth_session`.
+
+|Package|Functionality|
+|-|-|
+|`serverpod_auth_email`|Ready to use email authentication.|
+|`serverpod_auth_apple`|Ready to use "Sign in with Apple" authentication.|
+|`serverpod_auth_google`|Ready to use "Sign in with Google authentication.|
+
+If you would like the basic authentication offered by these package, but combine them with a different approach to session management or another kind of user profile have [a look at the underlying packages below](#low-level-building-blocks).
+
+## Sessions
+
+When using any of the "ready-to-use" authentication providers listed above, session management based on `serverpod_auth_session` is already included.
+
+Just follow any of the individual authentication provider guides to set the `AuthSessions`' `authenticationHandler` on your `Serverpod` instance.
+
+## Email
+
+To get started with email based authentications, add `serverpod_auth_email` to your project. This will add a sign-up flow with email verification, and support logins and session management (through `serverpod_auth_session`). By default this adds user profiles for each registration through `serverpod_auth_profile`.
+
+The only requirement for using this module is having a way to send out emails, so users can receive the initial verification email and also request a password reset later on.
+
+
+### Server setup
+
+Add the module as a dependency to the server project's `pubspec.yaml`.
+
+```sh
+$ dart pub add serverpod_auth_email_server
+```
+
+
+As the email auth module does not expose any endpoint by default, but rather just an [`abstract` endpoint](../working-with-endpoints#endpoint-method-inheritance), a subclass of the default implementation has to be added to the current project in order to expose its APIs to outside client.
+
+For this add an `email_account_endpoint.dart` file to the project:
+
+```dart
+import 'package:serverpod_auth_email_server/serverpod_auth_email_server.dart'
+    as email_account;
+
+/// Endpoint for email-based authentication.
+class EmailAccountEndpoint extends email_account.EmailAccountEndpoint {}
+```
+
+In this `class` `@override`s could be used to augment the default endpoint implementation.
+
+Next, add the authentication handler to the Serverpod instance.
+
+```dart
+import 'package:serverpod_auth_email_server/serverpod_auth_email_server.dart';
+
+void run(List<String> args) async {
+  var pod = Serverpod(
+    args,
+    Protocol(),
+    Endpoints(),
+    authenticationHandler: AuthSessions.authenticationHandler, // Add this line
+  );
+
+  ...
+}
+```
+
+In order to generate server and client the code for the newly added endpoint, run:
+
+```bash
+$ serverpod generate
+```
+
+Additionally the database schema will need to be extended to add new tables for the email accounts. Create a new migration using the `create-migration` command.
+
+```bash
+$ serverpod create-migration
+```
+
+As the last step, the email authentication package needs to be configured.  
+For this set the `EmailAccounts.config` (from package `serverpod_auth_email_account_server`), which contains the business logic used by the endpoint. This configuration should be added before the `await pod.start();` call. Callbacks need to be provided for at least `sendRegistrationVerificationCode` and `sendPasswordResetVerificationCode`, while the rest can be left to their default values.
+
+```dart
+import 'package:serverpod_auth_email_server/serverpod_auth_email_server.dart';
+
+  EmailAccounts.config = EmailAccountConfig(
+    sendRegistrationVerificationCode: (
+      final session, {
+      required final email,
+      required final accountRequestId,
+      required final verificationCode,
+      required final transaction,
+    }) {
+      // Send out actual email with the verification code
+    },
+    sendPasswordResetVerificationCode: (
+      final session, {
+      required final email,
+      required final passwordResetRequestId,
+      required final transaction,
+      required final verificationCode,
+    }) {
+      // Send out actual email with the verification code
+    },
+);
+```
+
+If you're not hosting on Serverpod Cloud, you might consider an email sendout provider like [Mailjet](https://www.mailjet.com/) or [SendGrid](https://sendgrid.com/en-us).
+
+It is up to the application to decide how to use the callbacks. Basically there are 2 primary approaches possible:
+- Send out the `verificationCode` and require that the client initiating the request completes the operation (account creation or password reset). In that case the user could copy/paste or retype the (short) verification into a form on the client.
+- Alternatively emails could contain a deep link with both the respective request ID and the verification code, which would then even support them being opened on any device (e.g. on a desktop, even if the original request was made on mobile).
+
+Additionally you need to update the `passwords.yaml` file to include secrets for both `serverpod_auth_session_sessionKeyHashPepper` and `serverpod_auth_email_account_passwordHashPepper`.  
+These should be random and at least 10 characters long. These pepper values must not be changed after the initial deployment of the server, as they are baked into every session key and stored password, and thus a roatation would invalidate previously created credentials.
+
+After a restart of the Serverpod the new endpoints will be usable from the client.
+
+### Client setup
+
+First, add a dependency on `serverpod_auth_session_flutter` to your app's `pubspec.yaml`, to be able to make use of the sessions generated by the newly created email endpoint.
+
+```yaml
+dependencies:
+  flutter:
+    sdk: flutter
+  serverpod_flutter: ^3.0.0
+  auth_example_client: # You generated client, name may differ
+    path: ../auth_example_client
+  
+  serverpod_auth_session_flutter: ^3.0.0 # Add this line
+``` 
+
+Next, add the `SessionManager` to your app, passing it to the generated Serverpod `Client`.
+
+```dart
+import 'package:serverpod_auth_session_flutter/serverpod_auth_session_flutter.dart' show SessionManager;
+
+late SessionManager sessionManager;
+late Client client;
+
+void main() async {
+  // Need to call this as we are using Flutter bindings before runApp is called.
+  WidgetsFlutterBinding.ensureInitialized();
+
+  // The session manager keeps track of the signed-in state of the user. You
+  // can query it to see if the user is currently signed in and get information
+  // about the user.
+  sessionManager = SessionManager();
+  await sessionManager.init();
+
+  // The android emulator does not have access to the localhost of the machine.
+  // const ipAddress = '10.0.2.2'; // Android emulator ip for the host
+
+  // On a real device replace the ipAddress with the IP address of your computer.
+  const ipAddress = 'localhost';
+
+  // Sets up a singleton client object that can be used to talk to the server from
+  // anywhere in our app. The client is generated from your server code.
+  // The client is set up to connect to a Serverpod running on a local server on
+  // the default port. You will need to modify this to connect to staging or
+  // production servers.
+  client = Client(
+    'http://$ipAddress:8080/',
+    authenticationKeyManager: sessionManager,
+  )..connectivityMonitor = FlutterConnectivityMonitor();
+
+  runApp(MyApp());
+}
+```
+
+### User consolidation
+
+<!-- TODO: Explain how to connect with other providers -->
+<!-- Other providers should just refer to this section, as the setup will be similar -->
+
+## Low-level building blocks
+
+### Session Management
+
+|Package|Functionality|
+|-|-|
+|`serverpod_auth_session`|Database-backed session handling, with flexible configuration per session.|
+|`serverpod_auth_jwt`|JWT-based session implemented, which can also generate access token with public/private key cryptography to use with 3rd party services.|
+
+### Authentication
+
+The following package provide the core authentication functionality, but without providing a default `Endpoint` base implementation. Thus they can be combined with another session package and include further modification, like for example a custom user profile.
+
+|Package|Functionality|
+|-|-|
+|`serverpod_auth_email_account`|Basic email authentication.|
+|`serverpod_auth_apple_account`|Basic "Sign in with Apple" authentication.|
+|`serverpod_auth_google_account`|Basic "Sign in with Google authentication.|
+

docs/08-upgrading/06-upgrading-from-serverpod_auth.md

@@ -0,0 +1,139 @@
+# Upgrading from `serverpod_auth`
+
+With the release of Serverpod 3.0, the single legacy `serverpod_auth` package was replaced with a set of modular packages providing flexible modules for users, authentication providers, profiles, and session management.
+
+For an existing Serverpod application which makes use of `serverpod_auth` (which also still works with Serverpod 3.0) to upgrade to the new package, there exists `serverpod_auth_migration` to facilitate moving over all authentication- and user-related data into the new modules.  
+Once the migration is complete, the legacy `serverpod_auth` module and the `serverpod_auth_migration` dependencies can be removed, which will also remove the then obsolete tables from the database.
+
+Due to the modular approach, each used authentication provider (email, Apple, Google, etc.) needs to be configured individually for the migration.  
+No matter through which authentication provider(s) a user is migrated, their profile will always be migrated as well by default.
+
+## General timeline
+
+The suggested migration timeline applies to all auth providers.
+
+1. Add and configure the new auth modules for the desired providers, e.g. [email](../concepts/authentication/setup_new#email)
+2. Add the migration module and configure each auth provider and set up a background migration job <!-- TODO: Build and document Future call for migration -->
+3. Switch over all clients to use the new authentication endpoints
+4. After a sufficient percentage of the userbase has migrated to the new endpoints, disable sign-ups throught the legacy package <!-- TODO: Build and showcase "off switch" in legacy package -->
+5. Later on also disable logins and password resets on the `serverpod_auth` APIs
+6. Once all users have been migrated (some of them via the background processes, albeit without passwords) remove the dependency on `serverpod_auth` and `serverpod_auth_migration` and delete all obsolete code
+7. The next migration will then also remove obsolete tables
+
+If the Serverpod application stores data with a relation to the `int` `UserInfo` ID, this needs to be migrated to the new `UUID` id of the `AuthUser`.  
+To support this the `serverpod_auth_migration` packages provides a single hooks which is run for each user migration in which any related entities from your app can be migrated as well.
+
+## Sessions
+
+In order to support both sessions created by the legacy `serverpod_auth` and through the new `serverpod_auth_session` package, the `authenticationHandler` has to be updated to try both of them.  
+Since an invalid/unknown session key just yields a `null` result, they can be chained like this:
+
+```dart
+import 'package:serverpod_auth_server/serverpod_auth_server.dart' as auth;
+import 'package:serverpod_auth_email/serverpod_auth_email.dart' show AuthSessions;
+
+
+final pod = Serverpod(
+  args,
+  Protocol(),
+  Endpoints(),
+  authenticationHandler: (session, key) async {
+    return await AuthSessions.authenticationHandler(session, key) ??
+        await auth.authenticationHandler(session, key);
+  },
+);
+```
+
+<!-- TODO: Explain how all default modules use the new `serverpod_auth_session` and thus this only need to be configured once -->
+
+<!-- Explain how to configure `authenticationHandler` to use both the old and new ones -->
+
+## Migrating Email Authentications
+
+Before starting with the email account migration, the email authentication from `serverpod_auth_email` must be [set up as described](../concepts/authentication/setup_new#email).
+
+Since the password storage format changed between the legacy and new modules, and because we only have access to the plain text password during `login` (when it's sent from the client), there are 2 scenarios of migrating user accounts and the email authentication.
+
+During a login we can verify the incoming credentials, and then migrate the entire account including the password.  
+In all other cases (e.g. a password reset or a background migration job) we can migrate the user profile and account, but not set its password. The password could be set on a subsequent login (if it matches the one from the legacy module), or in case the user did not log in during the migration phase, they will have to resort to a password reset.
+
+In order to avoid creating duplicate accounts for the "same" user in both the legacy and new system, one needs to ensure that the migration is always called before the new module would attempt any user lookups or creations.  
+To support this in the new endpoint, which now exists as a subclass in the Serverpod application, the migration methods need to each affected endpoint.
+
+```dart
+class EmailAccountEndpointWithMigration
+    extends email_account.EmailAccountEndpoint {
+  @override
+  Future<String> login(
+    final Session session, {
+    required final String email,
+    required final String password,
+  }) async {
+    // Add this before the call to `super` in the endpoint subclass
+    await AuthMigrationEmail.migrateOnLogin(
+      session,
+      email: email,
+      password: password,
+    );
+
+    return super.login(session, email: email, password: password);
+  }
+
+  @override
+  Future<void> startRegistration(
+    final Session session, {
+    required final String email,
+    required final String password,
+  }) async {
+    // Add this before the call to `super` in the endpoint subclass
+    await AuthMigrationEmail.migrateOnLogin(
+      session,
+      email: email,
+      password: password,
+    );
+
+    return super.startRegistration(session, email: email, password: password);
+  }
+
+  @override
+  Future<void> startPasswordReset(
+    final Session session, {
+    required final String email,
+  }) async {
+    // Add this before the call to `super` in the endpoint subclass
+    await AuthMigrationEmail.migrateWithoutPassword(session, email: email);
+
+    return super.startPasswordReset(session, email: email);
+  }
+}
+```
+
+After this modification, the endpoint will always attempt a migration first, because then proceeding with the desired request (eg. registering a new account if none exists yet).
+
+The migration works fully out of the box. But in case the existing `UserInfo` should not be moved to a new `serverpod_auth_profile` `UserProfile`, this can be disabled through the `AuthMigrationEmailConfig`.
+
+```dart
+AuthMigrationEmail.config = AuthMigrationConfig(
+  importProfile: false,
+  userMigrationHook: (session, {required newAuthUserId, required oldUserId, transaction}) => …,
+);
+```
+
+## User ID Migration
+
+<!-- TODO: Explain how a look up can be made during the transition, but finally any foreign keys need to be migrated. 
+     Depending on the project scale this might be easiest to do "at once", if possible.
+     We should probably showcase a full example here, and figure out how to integrate that into the migration that will drop the final tables.
+
+     Maybe add optional AuthUser relation, and then in the end make it required (while dropping the `serverpod_auth` `UserInfo`)
+     -->
+
+<!-- 2 migration approaches:
+- create a new, nullable column for the auth user and then migrate over time
+  - seem easier to update queries to use either the old or new ID
+  - be careful to not use `onDelete=Cascade` on the old UserInfo references
+    - we should take a look to see how table / columns are dropped in this case
+- create a second table, and copy the data over upon migration
+
+- Old user clean up possible (maybe even advisable to catch outdated reads), but otherwise can just wait until the old package & migration is removed at which point the tables will be dropped.
+-->