doc: guide for custom auth

[ymc9]

Summary by CodeRabbit

• New Features
  • Introduced a comprehensive guide for integrating ZenStack with custom authentication systems.
  • Added sections on access control requirements, fetching user data, and enhancing PrismaClient.
• Documentation
  • New documentation file custom.md created with detailed instructions and examples for users.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
zenstack-new-site	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Nov 24, 2024 6:34pm

[coderabbitai]

Walkthrough

This pull request introduces a new documentation file, custom.md, which serves as a guide for integrating ZenStack with custom authentication systems. It details the requirements for access control, the structure of the auth() function, and the process for defining user models. The document also covers runtime user data fetching and concludes with instructions on enhancing the PrismaClient to enforce access policies.

Changes

File Path	Change Summary
docs/guides/authentication/custom.md	- Added new documentation for integrating ZenStack with custom authentication systems.
	- Included sections on access control requirements, fetching current user information, and enhancing PrismaClient.

Possibly related PRs

• doc: add Lucia Auth doc #323: Documentation added for integrating ZenStack with Lucia Auth, focusing on data models and Prisma client creation.
• docs: release 2.8.0 #381: Updates documentation for Lucia, noting its deprecation while retaining integration details relevant to authentication.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 1

🧹 Outside diff range and nitpick comments (5)

docs/guides/authentication/custom.md (5)

37-37: Fix typo in explanation

Change "any thing" to "anything" for better grammar.

-Just remember that any thing that you access from `auth().` must be resolved.
+Just remember that anything that you access from `auth().` must be resolved.

---

18-24: Add explanatory comments to code examples

Consider adding comments to explain the purpose of each field in the models.

 model User {
+  // Unique identifier for the user
   id          String @id
+  // User's role for RBAC
   role        String
+  // Array of fine-grained permissions
   permissions String[]
   ...
 }

 type Auth {
+  // Unique identifier for the user (matches JWT or external auth system)
   id          String @id
+  // User's role for access control
   role        String
+  // List of specific permissions assigned to the user
   permissions String[]
   @@auth
 }

Also applies to: 29-35

---

41-46: Enhance the runtime implementation section

Consider the following improvements:

1. Add concrete code examples for JWT token validation and authentication service integration
2. Make the security warning more prominent, possibly in a dedicated "Security Considerations" section

Example additions:

// JWT token example
import jwt from 'jsonwebtoken';

async function getCurrentUser(token: string) {
  try {
    // Verify and decode the JWT token
    const decoded = jwt.verify(token, process.env.JWT_SECRET);
    return {
      id: decoded.sub,
      role: decoded.role,
      permissions: decoded.permissions
    };
  } catch (error) {
    throw new Error('Invalid or expired token');
  }
}

// Authentication service example
async function getCurrentUser(sessionId: string) {
  const response = await authService.validateSession(sessionId);
  if (!response.valid) {
    throw new Error('Invalid session');
  }
  return {
    id: response.userId,
    role: response.userRole,
    permissions: response.permissions
  };
}

---

52-55: Enhance the client example with error handling and types

The example could be improved with proper error handling and TypeScript types.

 ```ts
-const user = await getCurrentUser(); // your implementation
-const db = enhance(prisma, { user });
+interface AuthUser {
+  id: string;
+  role: string;
+  permissions: string[];
+}
+
+try {
+  const user: AuthUser = await getCurrentUser(); // your implementation
+  const db = enhance(prisma, { 
+    user,
+    onError: (error) => {
+      console.error('Access policy violation:', error);
+      // Handle error appropriately
+    }
+  });
+} catch (error) {
+  // Handle authentication errors
+  console.error('Failed to get current user:', error);
+}

---

`55-55`: **Consider adding important missing sections**

The guide would benefit from additional sections:
1. Testing Access Policies
   - How to write tests for custom authentication
   - Examples of mocking the auth context
2. Troubleshooting
   - Common issues and solutions
   - Debugging access policy violations

Would you like me to help draft these additional sections?

</blockquote></details>

</blockquote></details>

<details>
<summary>📜 Review details</summary>

**Configuration used: CodeRabbit UI**
**Review profile: CHILL**

<details>
<summary>📥 Commits</summary>

Reviewing files that changed from the base of the PR and between 450eb4c094d6364eae456a4477614840f7730991 and 6d46b546c3b5e459d91894b7991099abe57a24f4.

</details>

<details>
<summary>📒 Files selected for processing (1)</summary>

* `docs/guides/authentication/custom.md` (1 hunks)

</details>

</details>

<!-- This is an auto-generated comment by CodeRabbit for review status -->

[coderabbitai]

💡 Codebase verification

Sidebar position should be adjusted to maintain documentation order

The high sidebar_position: 100 appears to be inconsistent with the sequence of other authentication guides which use values 1-6. Since this is a custom authentication guide, it should be positioned appropriately within the sequence, likely after the specific auth provider guides.

• Consider adjusting sidebar_position to 7 to maintain a logical sequence after auth0 (6) and other specific providers
• Current sequence: next-auth (1), clerk (2), supabase (3), lucia (5), auth0 (6), custom (100)

🔗 Analysis chain

Verify the sidebar position value

The sidebar_position: 100 seems unusually high. Please confirm if this is intentional or if it should be adjusted to match the sequence of other authentication guides.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Check other authentication guide positions
fd -e md . docs/guides/authentication -x grep -l "sidebar_position" {} \; | xargs grep "sidebar_position"

Length of output: 452