Email in return results is inconsistent when using auth-refresh when an expand option is used

[dschissler]

If email visibility is not set for the record then /api/collections/users/auth-refresh will return the authenticated user for that token. This record will contain the email.

However if /api/collections/users/auth-refresh?expand=users_sites(user).user is called then the top record will not contain the email. But the expanded relation record for user will contain the email.

However, If I turn on email visibility for this user record then it will appear in both places (in top level record and in expand section.

So there is a bug relating to both the variables together which check email visibility and if expand is happening. Also this might be a good time to check if you're being overly protective of email visibility, or if it could slip through with other API calls.

[ganigeorgiev]

I've tested it locally and I'm not able to reproduce the issue.

The authenticated user should always have access to their email, no matter of the emailVisibility flag.

Or in other words, it is expected to see the email of the authenticated user in the auth-refresh call, as well as in the expand result (if the same user is listed there).

If that's not what you are experiencing, please export your collections (Admin UI > Settings > Export collections) and I'll try to investigate it.

[jmar910]

So I just ran into this bug and am able to reproduce it with my set up. I have confirmed that removing the expand params from the auth refresh call will show email regardless of emailVisibility but once I set the expand params, the email disappears when emailVisibility is false.

Maybe this is something specific to the way permissions/filters are set up? Happy to share any info.

[ganigeorgiev]

@jmar910 As mentioned above I wasn't able to reproduce the issue.

If you are not able to identify the cultprit please provide at least some steps to reproduce, for example more details about your collections structure (you can export your collections from the Admin UI > Settings > Export collections) and a code sample showing how you are sending the request.

[ganigeorgiev]

@jmar910 Also note that if you use Next.js it could be cache related.
To rule out issue with other applications, please try to test with a static html in pb_public or by directly sending a request via curl, Postman, Insomnia, etc.

[jmar910]

We use Ember, so I dont think that's it BUT I will double check that it isn't related to ember by trying curl or postman (AFAIK our version of ember doesn't do anything special with request caching)

How the request is being made:

import PocketBase from 'pocketbase';

// how we set it up
export default class PocketbaseService {
  //...
  pb = null;

  constructor(pb) {
    super(...arguments);

    this.pb = pb;
  }

  async refreshUser() {
    await this.pb.collection('users').authRefresh({ expand: 'roles' });
  }
  //...
}

// we initialize once for our app
const pb = new Pocketbase("/")
const ps = new PocketbaseService(pb)

// how we call it
await ps.refreshUser();

We initialize the PocketbaseService once, and then call refreshUser in our app, all using the pocketbase SDK under the hood.

Will get you collection export shortly.

[ganigeorgiev]

@jmar910 I'm not able to reproduce it. To test it on your own, please create the following pb_public/index.html file:

<!DOCTYPE html />
<html>
<head>
    <meta charset="utf-8" />
    <title>Expanded user email test</title>
</head>
<body>
    <script type="module">
        import PocketBase from "https://cdn.jsdelivr.net/gh/pocketbase/js-sdk@0.21.1/dist/pocketbase.es.mjs"

        const pb = new PocketBase("http://127.0.0.1:8090");

        const result1 = await pb.collection("users").authWithPassword("test@example.com", "1234567890")
        console.log("user after auth:", result1.record.email)

        const result2 = await pb.collection("users").authRefresh({ expand: "roles" });
        console.log("user after refresh:", result2.record.email)
    </script>
</body>
</html>

Navigate to http://127.0.0.1:8090 in your browser and check the browser console.

Edit: Tested with PocketBase v0.21.1 and JS SDK v0.21.1.

[jmar910]

pb_schema.json

Was able to reproduce the issue using your example and this set of collections. My guess is it has something to do with our roles/permission/permissionSets in relation to API filters, but I still wouldn't expect the field to just disappear from the collection I do have access to.

[ganigeorgiev]

Thank you for the json. I was able to reproduce it (it is a side effect from the fields resolver). Will submit a fix sometime later today.

[jmar910]

Thank you! Not urgent as we have worked around it for my case, but glad we could get to the bottom of it. Totally appreciate your quick and helpful responses/examples.

[ganigeorgiev]

I've updated the field resolver tests and pushed a small fix as part of PocketBase v0.21.2 release.

If you are still experiencing the issue, feel free to let me know and I'll try to investigate it in more details tomorrow.