issue 102 · Apr 12, 2026
— dispatch · iam audit

Session handling sharpened since 3.0.

lucia-auth ships a well-documented threat model and defaults that embody it. A mid-release scope change introduced one rough edge around adapter contracts; otherwise, read the code and sleep well.

lucia-auth@3.2 · grade B · 87 / 100 · 0 high · 1 med · npm

Axis scores:

auth   A · 90 / 100
crypto A · 90 / 100
supply B · 80 / 100
docs   A · 92 / 100

§1 · Context

Lucia is the rare auth library that reads like it was written by someone
who has been on call during a credential-stuffing event. The API forces
you to think about session lifecycles, regeneration, and revocation — it
does not let you skip those concerns to save three lines.

§2 · Findings

One medium finding: the adapter contract for getSessionAndUser is
underspecified in the docs and two community adapters returned slightly
different error shapes; the library's reconciliation of those shapes is
correct but surprising.
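As an added illustration of the medium finding (example code, not lucia-auth's own), below is a small conformance check that drives an adapter's getSessionAndUser against the tuple contract assumed here: it resolves to [session | null, user | null], and to [null, null] on a miss rather than throwing. It reports the kinds of divergent shapes (an object instead of a tuple, undefined instead of null, a thrown error on a miss) that a reviewer would otherwise only notice inside the library's reconciliation path.

```typescript
// Added example, not lucia-auth's own code. Assumes the v3 adapter contract as
// commonly implemented: getSessionAndUser(id) resolves to [session | null, user | null]
// and resolves to [null, null] (never throws) when the session does not exist.
type DbSession = { id: string; userId: string; expiresAt: Date };
type DbUser = { id: string };
type Adapter = { getSessionAndUser(sessionId: string): Promise<unknown> };

function describe(v: unknown): string {
  return v === null ? "null" : Array.isArray(v) ? `array(${v.length})` : typeof v;
}

// Check one return value against the contract; an empty list means conformant.
function checkShape(value: unknown, expectHit: boolean): string[] {
  if (!Array.isArray(value) || value.length !== 2) {
    return [`expected a 2-tuple, got ${describe(value)}`]; // e.g. a {session, user} object
  }
  const [session, user] = value as [unknown, unknown];
  const out: string[] = [];
  if (!expectHit) {
    // A common divergence: undefined for a miss where the contract says [null, null].
    if (session !== null) out.push(`miss: session is ${describe(session)}, expected null`);
    if (user !== null) out.push(`miss: user is ${describe(user)}, expected null`);
    return out;
  }
  const s = session as Partial<DbSession> | null;
  const u = user as Partial<DbUser> | null;
  if (!s || typeof s.id !== "string" || typeof s.userId !== "string") out.push("hit: malformed session");
  if (!(s?.expiresAt instanceof Date)) out.push("hit: expiresAt is not a Date");
  if (!u || typeof u.id !== "string") out.push("hit: malformed user");
  else if (s && u.id !== s.userId) out.push("hit: user.id does not match session.userId");
  return out;
}

// Drive an adapter with one known and one unknown session id. Throwing on a miss is
// itself a contract violation, so it is recorded as a finding rather than propagated.
async function checkAdapter(adapter: Adapter, knownId: string, unknownId: string): Promise<string[]> {
  const out: string[] = [];
  for (const [id, hit] of [[knownId, true], [unknownId, false]] as const) {
    try {
      out.push(...checkShape(await adapter.getSessionAndUser(id), hit));
    } catch (e) {
      out.push(`${hit ? "hit" : "miss"}: adapter threw (${String(e)}) instead of resolving`);
    }
  }
  return out;
}
```

Point checkAdapter at any adapter with one seeded session id and one id that does not exist; a non-empty result lists each way the adapter departs from the assumed contract.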

Five low findings are doc nits.

§3 · Bottom line

Use it. The 3.2 release is the one to pin to.