Why auth request can be accessed only by guests? #1494
-
|
Hi! I'm trying to create an |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 10 replies
-
|
The
There is no easy way to change it. One workaround could be to register a middleware and intercept the
It just seems logical to me. Additionally it also prevents accidentally "overwriting" your I can change it, but I'm not sure that I understand the use case. Could you elaborate a little more what you are trying to do and what is the end goal (pseudo-code is also ok)? |
Beta Was this translation helpful? Give feedback.
-
|
My use case is the transition between "anonymous" user and an authenticated user in e-commerce app. When anonymous user logs in, I want to transfer its shopping cart & orders data to the new account. In order to do that, I need to extract the information about the current user (if it exists at all): app.OnRecordAuthRequest().Add(func(e *core.RecordAuthEvent) error {
// Extract current user.
user, _ := e.HttpContext.Get(apis.ContextAuthRecordKey).(*models.Record)
if user == nil {
return nil
}
if user.Id != e.Record.Id {
log.Printf("MOVING FROM USER %s TO USER %s\n", user.Id, e.Record.Id)
}
return nil
}) |
Beta Was this translation helpful? Give feedback.
-
|
The support for sending the existing auth token with the |
Beta Was this translation helpful? Give feedback.
-
|
You're right, I completely forgot to update |
Beta Was this translation helpful? Give feedback.
-
|
@ganigeorgiev, on further tackling, it seems like Here is what I'm doing in my login action on frontend: await pb
.collection(Collections.Users)
.authWithPassword(values.email, values.password);
// For SSR
const cookie = pb()!.authStore.exportToCookie({ httpOnly: false });
cookies.set(AUTH_COOKIE_KEY, cookie, { path: "/", expires: 30 });
window.location.href = "/";And here is how I'm trying to handle it on backend: app.OnRecordAuthRequest().Add(func(e *core.RecordAuthEvent) error {
// Extract current user.
user, _ := e.HttpContext.Get(apis.ContextAuthRecordKey).(*models.Record)
// For debug purposes
if user != nil {
log.Printf("Previous user is %s, current user id %s", user.Id, e.Record.Id)
}
if user == nil || user.Id == e.Record.Id || user.Email() != "" {
return nil
}
// ...
})This debug print shows me that |
Beta Was this translation helpful? Give feedback.
-
|
I'm sorry, I don't understand what await pb.collection('users').authWithPassword('old@example.com', '123456')
// the second auth request will have Authorization: TOKEN with it
await pb.collection('users').authWithPassword('new@example.com', '123456')Then in the |
Beta Was this translation helpful? Give feedback.
-
|
I created a small client-only demo and it works. Looks like I messed up with the SSR. Sorry again, I will try to do more research before writing here in the future. |
Beta Was this translation helpful? Give feedback.
The
/apis/collections/:collection/auth-with-passwordendpoint requires the user to be "guest", aka. to NOT haveAuthorization: TOKENheader with the request.There is no easy way to change it. One workaround could be to register a middleware and intercept the
/auth-with-passwordaction.It just seems logical to me. Additionally it also prevents accidentally "overwriting" your
pb.authStorestate after a successful auth call.I can change it, but I'm not sure that I understand the use case. Could you elaborate a little more what you are trying to do and what is the end goal (pseudo-code is also ok)?