#+title: Auth Notes * starting the pocketbase as framework https://pocketbase.io/docs/go-overview/ * plan ** DONE start pocketbase ** DONE add middlewares for cookie session ** DONE add index page, that will have either "current user" or 'login' link *** DONE let's add some content that only opens up when person is authed *** DONE also, how do i logout? separate route that deleted the cookie i guess. since auth is a jwt which would expire on its own and htmx get thingy, and reload i guess? ** DONE 'login' link should open dialog with oauth providers so, i want a window with available oauth providers, to trigger the js code from example https://pocketbase.io/docs/authentication/ ( all in one, recommended ) let's get configured providers in the go code, add as slice of strings, and in template create buttons for each of those with js code from the example *** DONE in template range over enabled providers to create buttons for each *** DONE make dialog show on click of some element https://developer.mozilla.org/en-US/docs/Web/HTML/Element/dialog ** DONE i guess i would also like to send htmx event for reloading the page on successful auth? now, why would logout work, and login not work? eh, let's go back on body doing the hx-get on event? maybe this is because of open dialog *** wait, maybe then returning from other auth middlewares will work no. for some reason #+begin_src go e.HttpContext.Response().Header().Add("HX-Trigger", "auth-change-event") #+end_src this header when returned with response to request triggered by js, doesn't result in event being triggered, ok, i guess *** so yeah, uglier that i wanted wanted to have hx-get="/" hx-trigger="auth-change-event" and send these events from all auth middleware methods https://htmx.org/docs/#response-headers but on auth success, even though header is present in the response, no event is triggered ( checked with event listener in console ) so, yup. coupling between js code of oauth, middlewares and body tag. this seems like too much. but it somewhat works ** DONE add one more page that checks auth and let's use existing middleware from framework documentation with hx-boost things are well, but i also need header as fragment, so that opening in new tab would work. and all js imports and libraries that are required by all pages, should be in all templates ** DONE i suppose there has to be a base template then and now all since base template has Nav, i need to provide attibutes which are used there, huh well. hmmmmm. yeah, i guess ** DONE add tailwind styling and wgo command should move from wgo -file=.gohtml -file=.go go run . serve to wgo -verbose -file=.go -file=.gohtml -file=tailwind.config.js tailwindcss -i ./pages/input.css -o pages/static/public/out.css :: go run . serve *** DONE style pages *** DONE style dialog ** DONE i guess i'll want a makefile? then wgo could be build with makefile and run and nix packaging could be more straightforward, and not too prohibitive to those who don't use nix *** it seems that with MakeFile i could have go code depend on tailwind output and not have other way around, it should speed up the restart of the service in cases where only go code has changed. also - i think i can have different build and run for go code, so yeah *** allright, it looks like people also do that https://www.alexedwards.net/blog/a-time-saving-makefile-for-your-go-projects *** some helpful things: https://makefiletutorial.com/ example of things for go https://earthly.dev/blog/golang-makefile/ https://www.alexedwards.net/blog/a-time-saving-makefile-for-your-go-projects and i guess i could also search online for tailwindcss Makefile examples and tips ** DONE package static into single binary i guess already done? ** DONE write nix build and it should be even easier with a Makefile? https://ryantm.github.io/nixpkgs/stdenv/stdenv/ simple stdenv.mkDerivation calls generic builder which uses Makefile now i have a problem with using go build in a homeless-shelter > failed to initialize build cache at /homeless-shelter/.cache/go-build: mkdir /homeless-shelter: permission denied *** well, especially with go.mod dependencies i'd need to use buildGoModule but [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve 2023/10/07 04:05:56 mkdir result/bin/pb_data: read-only file system so, i need to pass some place in tmp? this is probably pocketbase settings, hopefully as command line argument https://nixos.org/manual/nixpkgs/stable/#sec-language-go https://nixos.wiki/wiki/Go so, if i call executable from somewhere, it looks for pb_data in current directory but then for some reason [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve 2023/10/08 06:37:19 mkdir result/bin/pb_data: read-only file system here it tries to init pb_data near the binary this works: [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve --dir=./pb_data *** oh, i don't need to specify location of migrations. because they are static. and should be just present in the nix store and --dir is already built in. nice well, i don't see any pb_migrations in my project directory even though, i'm creating and updating the table maybe it's all in pb_data now? if now - i'll need to add something like #+begin_src nix postBuild = '' cp pb_migration $out/bin/pb_migration ''; #+end_src *** so, if using as framework migrations are not automatically enabled? https://github.com/pocketbase/pocketbase/discussions/2218 https://pocketbase.io/docs/go-migrations/#enable-go-migrations The prebuilt executable enables the migrate command by default, but when you are extending PocketBase with Go you have to enable it manually *** now `nix build` produces the binary capable to run the site and #+begin_src bash ./result/bin/auth-pocketbase-attempt serve --dir=./pb_data #+end_src is what i need for it to pick up pb_data from work directory, cool ** DONE write nixos module need to pass data and migration location as params and address on which to serve, cool i suppose but also nginx settins at the same time *** this is behavior of specifying the host and port: [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --https=127.0.0.1:8090 --dir=./pb_data 2023/10/08 12:58:04 Server started at https://127.0.0.1:8090 ├─ REST API: https://127.0.0.1:8090/api/ └─ Admin UI: https://127.0.0.1:8090/_/ ^C [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve 127.0.0.1:8090 --dir=./pb_data 2023/10/08 12:58:15 Server started at https://127.0.0.1:8090 ├─ REST API: https://127.0.0.1:8090/api/ └─ Admin UI: https://127.0.0.1:8090/_/ ^C [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --http=127.0.0.1:8090 --dir=./pb_data 2023/10/08 12:58:20 Server started at http://127.0.0.1:8090 ├─ REST API: http://127.0.0.1:8090/api/ └─ Admin UI: http://127.0.0.1:8090/_/ *** by default - if host is present, serving on https. cool oh, but if i'm using nginx i'll need my own certificate, that makes sence *** maybe things are ok? let's try to plaintext deploy? *** quoting of the '' in multiline string https://nixos.org/manual/nix/stable/language/values.html *** not accessible still sudo journalctl -u nginx --since "1 day ago" *** oh, i forgot to add subname in gandi ui now works *** now i need a way to pass in the hostname because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection *** adding a custom flag: https://github.com/pocketbase/pocketbase/discussions/1900 ** DONE change some additional config to option : ${optionalString config.proxyWebsockets '' proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; ''} ( also in planning poker repo ) https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428 ** TODO add docker image from nix *** CANCELLED add cli for port and host ** DONE add readme and comments *** DONE pupose of the code *** DONE how to build, install with and without nix *** DONE development things 'make run/live' *** DONE main parts: **** DONE auth middleware **** DONE using js auth **** DONE pages **** DONE error pages *** DONE links to main documentation: - [X] adding new auth providers - [X] adding middlewares and working with collections *** DONE things which aren't good here: - [X] error pages, i guess module in pages, but exposing before error hook themselves - [X] rendering full pages, not doing 'just main' for hx requests - [X] maybe serving js pocketbase from own static files? *** DONE comments on all main modules ** DONE configure tls / ssl / https on franzk deployment https://nixos.org/manual/nixos/stable/#module-security-acme-nginx ( and also same here https://nixos.wiki/wiki/Nginx ) can it be configured on render.com? omg line 112 & 113 in project config: http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05 and this in my server config: https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f this is all that's needed to enable tls mind blown ** DONE somehow set cookie to httpOnly & secure with ability to disable for development session *** a complication since i'm under the nginx, i can't just match on the serving address : #+begin_src [efim@franzk:~]$ systemctl status pb-auth-example-app.service ● pb-auth-example-app.service - Exercise app auth-pocketbase-attempt Loaded: loaded (/etc/systemd/system/pb-auth-example-app.service; enabled; preset: enabled) Active: active (running) since Mon 2023-10-09 04:29:20 UTC; 1min 17s ago Main PID: 411857 (auth-pocketbase) Tasks: 13 (limit: 629145) Memory: 28.3M CPU: 148ms CGroup: /system.slice/pb-auth-example-app.service └─411857 /nix/store/czq95bjhwszasncp8f04d9yn4m0xf4kw-auth-pocketbase-attempt-0.0.1/bin/auth-pocketbase-attempt serve --http 127.0.0.1:45001 --dir=/home/pb-auth-example-app-user Oct 09 04:29:20 franzk systemd[1]: Started Exercise app auth-pocketbase-attempt. Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Warning: starting server with cookie Secure = false! Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Server started at http://127.0.0.1:45001 Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: ├─ REST API: http://127.0.0.1:45001/api/ Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: └─ Admin UI: http://127.0.0.1:45001/_/ #+end_src *** so, custom arg is required, hello https://github.com/pocketbase/pocketbase/discussions/1900 *** holy cow, Firefox and later Chrome will accept Secure cookie on localhost https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost see: except on localhost : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie ** DONE prettying up server responses for "we show html" land let's do this also, yes *** DONE logout should push root url in htmx *** DONE lets make 404 page and return it *** DONE lets make 401 page and return it *** DONE and let's make NavInfo init common for reuse ** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself? http://localhost:8090/_/images/oauth2/apple.svg yes. ** TODO read and add ok logging ** TODO figure out and enbale migrations https://pocketbase.io/docs/go-migrations/#enable-go-migrations if i understood correctly, when i enable migration generation i would be able to modify locally run instance via admin interface, go files with migration would be generated, i'll have to import them somewhere in my main module, and then after building/packaging when i run `serve` on production the migrations would run on the production data ** adding google oauth support article : https://developers.google.com/identity/sign-in/web/sign-in settings are in : https://console.cloud.google.com/apis/credentials