
Example 4 - With FaunaDB Authentication #12

Draft: wants to merge 149 commits into base with-magic-link-auth

Conversation

Vadorequest
Owner

@Vadorequest Vadorequest commented Mar 8, 2021

The canvas dataset is stored in FaunaDB.
Changes to the canvas are real-time and shared with everyone when not authenticated.
Changes to the canvas are real-time and shared with yourself when being authenticated. (open 2 tabs to see it in action)
Users can create an account and login using Magic Link, they'll automatically load their own document.

This branch is meant to be kept as an example. It is automatically deployed on Vercel, which allows us to have a dedicated deployment for this variant.

Demo: https://poc-nextjs-reaflow-git-with-faunadb-auth-ambroise-dhenain.vercel.app/

@vercel

vercel bot commented Mar 8, 2021

This pull request is being automatically deployed with Vercel (learn more).
To see the status of your deployment, click below or on the icon next to each commit.

🔍 Inspect: https://vercel.com/ambroise-dhenain/poc-nextjs-reaflow/ERoxbkr8NmfXBkeu2HbmB9mjYLze
✅ Preview: https://poc-nextjs-reaflow-git-with-faunadb-auth-ambroise-dhenain.vercel.app

@Vadorequest Vadorequest changed the base branch from with-faunadb-real-time to with-magic-link-auth March 9, 2021 14:16
…r if it exist + generate a personal token for the user and store it in the user session (cookie)
fql/setup.js Outdated
name: 'canvas_by_owner',
source: Collection('Canvas'),
// Needs permission to read the Users, because "owner" is specified in the "terms" and is a Ref to the "Users" collection
permissions: { read: Collection('Users') },

here you are mixing the legacy permissions sub-system and below you are using the new ABAC roles, we don't recommend mixing both systems.

Owner Author

Thanks for your feedback, I wasn't aware I was mixing both systems.

I only did that because without it the index doesn't work, but I don't really understand what I should do instead using ABAC. I basically followed what someone else told me to and it worked well.

I understand anything that's not using a Query is using the old permissions sub-system? Or am I mistaken? (how do you tell what's ABAC and what isn't?)


ABAC will be evaluated every time you use a token: all role memberships will be evaluated to detect which one contains a resource collection of the same type as your instance in the token; after this the privileges will be evaluated. I saw you have an Editor role that contains the collection Users in membership.

Owner Author

Okay, what I want is to allow authenticated users to use the index canvas_by_owner. It's used there:

import { query as q } from 'faunadb';
const { Paginate, Match, Index, Ref, Collection } = q;

// user.id is the id of the authenticated user's document (taken from the session)
const findUserCanvas = Paginate(
  Match(
    Index('canvas_by_owner'),
    Ref(Collection('Users'), user.id),
  ),
);

Only the editors have the right to use the canvas_by_owner index.

I don't really understand what I should change, I don't see any issue with the current setup, it seems secure to me. 🤔
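Added example, not code from this PR or from Fauna: a small in-memory model of the evaluation order the reviewer describes (membership first, then privileges) and of the index and collection privileges discussed here. It is a simplified simulation, not Fauna's engine. The collection, index and role names mirror the PR (Users, Canvas, canvas_by_owner, Editor, Public); the role shapes, the sample documents, the principal objects and the helper names (rolesFor, authorize, findUserCanvas) are assumptions made for this example.

```javascript
// Added example (not the PR's code): an in-memory model of Fauna-style ABAC
// evaluation as described in the review thread. Simplified simulation only.

// Constructed sample data: two users, each owning one canvas, plus one
// shared canvas (no owner) that unauthenticated visitors edit together.
const db = {
  Users: { u1: { email: 'alice@example.com' }, u2: { email: 'bob@example.com' } },
  Canvas: {
    shared: { owner: null, nodes: 5 },
    c1: { owner: { collection: 'Users', id: 'u1' }, nodes: 3 },
    c2: { owner: { collection: 'Users', id: 'u2' }, nodes: 1 },
  },
};

// Roles in plain JS rather than FQL (assumed shape). `membership` lists the
// collections whose documents may act as identities (token instances) for the
// role; `privileges` maps a resource to actions, each either `true` or a
// predicate over (identity, document).
const roles = {
  // Bound to a key, so it has no membership; it only touches the shared canvas.
  Public: {
    membership: [],
    privileges: {
      'collection:Canvas': {
        read: (_identity, doc) => doc.owner === null,
        write: (_identity, doc) => doc.owner === null,
      },
    },
  },
  Editor: {
    membership: [{ collection: 'Users' }],
    privileges: {
      'index:canvas_by_owner': { read: true },
      'collection:Canvas': {
        // Least privilege: an authenticated user touches only canvases they own.
        read: (identity, doc) => doc.owner !== null && doc.owner.id === identity.id,
        write: (identity, doc) => doc.owner !== null && doc.owner.id === identity.id,
      },
    },
  },
};

// Roles applicable to a principal: a key carries its role directly; a token
// gets every role whose membership includes the token instance's collection.
function rolesFor(principal) {
  if (principal.kind === 'key') return [roles[principal.role]].filter(Boolean);
  return Object.values(roles).filter((r) =>
    r.membership.some((m) => m.collection === principal.instance.collection));
}

// Simulated evaluation order: membership first, then the privilege predicate.
function authorize(principal, resource, action, doc) {
  const identity = principal.kind === 'token' ? principal.instance : null;
  return rolesFor(principal).some((role) => {
    const rule = role.privileges[resource] && role.privileges[resource][action];
    if (rule === undefined) return false;
    return typeof rule === 'function' ? rule(identity, doc) : rule === true;
  });
}

// The PR's lookup, with the index privilege and per-document read checks applied.
function findUserCanvas(principal) {
  if (principal.kind !== 'token') return null;
  if (!authorize(principal, 'index:canvas_by_owner', 'read')) return null;
  const id = principal.instance.id;
  return Object.entries(db.Canvas)
    .filter(([, doc]) => doc.owner !== null && doc.owner.id === id)
    .filter(([, doc]) => authorize(principal, 'collection:Canvas', 'read', doc))
    .map(([cid]) => cid);
}

// Constructed principals: a token for Alice and the key that carries the Public role.
const aliceToken = { kind: 'token', instance: { collection: 'Users', id: 'u1' } };
const publicKey = { kind: 'key', role: 'Public' };
```

Running findUserCanvas(aliceToken) yields only Alice's canvas, the Public key can write the shared canvas but cannot read anyone's private one or use the index, and a token whose instance is not a Users document matches no role at all, which is the reviewer's point about memberships.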


// Inspiration from https://github.com/fauna-brecht/faunadb-auth-skeleton-frontend/blob/default/fauna-queries/helpers/fql.js

export const DeleteIfExists = (ref: ExprArg) => If(Exists(ref), false, Delete(ref));

you are actually deleting something that doesn't exist: you are calling Delete on the "false" branch

Owner Author

I added this from https://github.com/fauna-brecht/faunadb-auth-skeleton-frontend/blob/default/fauna-queries/helpers/fql.js#L14-L16 but I didn't use it myself.

I understand it should rather be:

function DeleteIfExists(ref) {
  // Delete only when the ref exists; otherwise return false
  return If(Exists(ref), Delete(ref), false)
}

fql/setup.js Outdated
CreateRole({
name: 'Public',
// The public role is meant to be used to generate a token which allows anyone (unauthenticated users) to update the canvas
membership: {},
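Review bot: the comment above `membership: {},` says this role is used "to generate a token", but the thread below establishes the Public role is bound to a key, not a token; since creating a token requires an instance ref and a role with no membership would never match one, reword the comment to say the role is assigned to a key (e.g. `// The public role is assigned to a key that lets unauthenticated users update the shared canvas`) so a later reader does not try to create tokens against it.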

If you create tokens, you must pass an instance ref; given this, that role will be discarded because it doesn't contain any membership predicate.

Membership-less roles are meant to be used with JWT tokens (see Access Providers)

Owner Author

I guess I used the wrong wording, the Public role isn't using a token, but a key.


# Conflicts:
#	.env.local.example
#	README.md
#	src/components/AuthFormModal.tsx
#	src/components/editor/CanvasContainer.tsx
#	src/components/hooks/useUser.ts
#	src/components/nodes/EndNode.tsx
#	src/lib/auth/userSession.ts
#	src/lib/faunadb/faunadbClient.ts
#	src/pages/api/login.ts
#	src/pages/api/logout.ts
#	src/pages/api/user.ts
#	src/pages/index.tsx