Example 4 - With FaunaDB Authentication #12
base: with-magic-link-auth
Conversation
This pull request is being automatically deployed with Vercel (learn more). 🔍 Inspect: https://vercel.com/ambroise-dhenain/poc-nextjs-reaflow/ERoxbkr8NmfXBkeu2HbmB9mjYLze
…lidate" on the didToken
…r if it exists + generate a personal token for the user and store it in the user session (cookie)
fql/setup.js
Outdated
name: 'canvas_by_owner',
source: Collection('Canvas'),
// Needs permission to read the Users, because "owner" is specified in the "terms" and is a Ref to the "Users" collection
permissions: { read: Collection('Users') },
Here you are mixing the legacy permissions sub-system, and below you are using the new ABAC roles; we don't recommend mixing both systems.
Thanks for your feedback, I wasn't aware I was mixing both systems.
I only did that because without it the index doesn't work, but I don't really understand what I should do instead using ABAC. I basically followed what someone else told me to and it worked well.
I understand anything that's not using a Query is using the old permissions sub-system? Or am I mistaken? (How do you tell what's ABAC and what isn't?)
ABAC will be evaluated every time you use a token: all role memberships will be evaluated to detect which one contains a resource collection of the same type as the instance in your token, and after this the privileges will be evaluated. I saw you have an Editor role that contains the collection Users on membership.
Okay, what I want is to allow authenticated users to use the index canvas_by_owner. It's used there:
rwa-faunadb-reaflow-nextjs-magic/src/utils/canvasStream.ts
Lines 155 to 160 in 7625102
const findUserCanvas = Paginate(
  Match(
    Index('canvas_by_owner'),
    Ref(Collection('Users'), user.id),
  ),
);
Only the editors have the right to use the canvas_by_owner index.
I don't really understand what I should change, I don't see any issue with the current setup, it seems secure to me. 🤔
// Inspiration from https://github.com/fauna-brecht/faunadb-auth-skeleton-frontend/blob/default/fauna-queries/helpers/fql.js
export const DeleteIfExists = (ref: ExprArg) => If(Exists(ref), false, Delete(ref));
You are actually deleting something that doesn't exist: you are calling Delete on the "false" branch.
I added this from https://github.com/fauna-brecht/faunadb-auth-skeleton-frontend/blob/default/fauna-queries/helpers/fql.js#L14-L16 but I didn't use it myself.
I understand it should rather be:
const { If, Exists, Delete } = require('faunadb').query;
// Delete only when the ref exists; otherwise evaluate to false.
function DeleteIfExists(ref) {
  return If(Exists(ref), Delete(ref), false);
}
fql/setup.js
Outdated
CreateRole({
  name: 'Public',
  // The public role is meant to be used to generate a token which allows anyone (unauthenticated users) to update the canvas
  membership: {},
If you create tokens, you must pass an instance ref; given this, that role will be discarded because it doesn't contain any membership predicate.
Membership-less roles are meant to be used with JWT tokens (see Access Providers).
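To make concrete the role selection the reviewer describes (roles are matched against the collection of the token's instance before privileges are checked, so a membership-less `Public` role is never selected for an instance token), here is an added simplified model in plain JavaScript. It is not code from this PR or from the faunadb driver: the `ROLES` objects, `rolesForToken` and `can` are constructed for illustration and only mirror the shape of `CreateRole({ name, membership, privileges })`.

```javascript
// Constructed sample roles (shape mirrors CreateRole({ name, membership, privileges })).
const ROLES = [
  {
    name: 'Editor',
    // membership: documents of Users may hold a token bound to this role
    membership: [{ resource: { collection: 'Users' } }],
    privileges: [
      { resource: { index: 'canvas_by_owner' }, actions: { read: true } },
      { resource: { collection: 'Canvas' }, actions: { read: true, write: true } },
    ],
  },
  {
    name: 'Public',
    membership: [], // no membership predicate: never selected for an instance token
    privileges: [{ resource: { collection: 'Canvas' }, actions: { read: true, write: true } }],
  },
];

// Token kinds (simplified model, not Fauna's actual engine): an instance token
// created with Create(Tokens(), { instance: Ref(Collection('Users'), id) }) carries
// the instance's collection; a JWT from an access provider names roles directly.
function rolesForToken(token, roles) {
  if (token.kind === 'instance') {
    // Only roles whose membership lists the token instance's collection apply.
    return roles.filter(r => r.membership.some(m => m.resource.collection === token.collection));
  }
  if (token.kind === 'jwt') {
    // Membership-less roles are reached through the provider's role list.
    return roles.filter(r => r.membership.length === 0 && token.roles.includes(r.name));
  }
  return [];
}

// Does any selected role grant `action` on `resource` ({ index: ... } or { collection: ... })?
function can(token, roles, resource, action) {
  const matches = p => Object.keys(resource).every(k => p.resource[k] === resource[k]);
  return rolesForToken(token, roles).some(r =>
    r.privileges.some(p => matches(p) && p.actions[action] === true));
}
```

With these roles, a token for a Users document resolves to Editor and can read `canvas_by_owner`, while a JWT mapped to Public can write Canvas but gets no index access.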
…ply an array of refs) (cherry picked from commit 34f6e98)
# Conflicts:
#	fql/setup.js
# Conflicts:
#	.env.local.example
#	README.md
#	src/components/AuthFormModal.tsx
#	src/components/editor/CanvasContainer.tsx
#	src/components/hooks/useUser.ts
#	src/components/nodes/EndNode.tsx
#	src/lib/auth/userSession.ts
#	src/lib/faunadb/faunadbClient.ts
#	src/pages/api/login.ts
#	src/pages/api/logout.ts
#	src/pages/api/user.ts
#	src/pages/index.tsx
The canvas dataset is stored in FaunaDB.
Changes to the canvas are real-time and shared with everyone when you are not authenticated.
Changes to the canvas are real-time and shared only with yourself when you are authenticated (open 2 tabs to see it in action).
Users can create an account and log in using Magic Link; they'll automatically load their own document.
This branch is meant to be kept as an example. It is automatically deployed on Vercel, which allows us to have a dedicated deployment for this variant.
Demo: https://poc-nextjs-reaflow-git-with-faunadb-auth-ambroise-dhenain.vercel.app/