efim
/
go-ssr-pocketbase-oauth-attempt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
go-ssr-pocketbase-oauth-att.../auth-notes.org

12 KiB
Raw Permalink Blame History

Auth Notes

starting the pocketbase as framework

https://pocketbase.io/docs/go-overview/

plan

DONE start pocketbase

DONE add middlewares for cookie session

DONE add index page, that will have either "current user" or 'login' link

DONE let's add some content that only opens up when person is authed

DONE also, how do i logout?

separate route that deleted the cookie i guess. since auth is a jwt which would expire on its own and htmx get thingy, and reload i guess?

DONE 'login' link should open dialog with oauth providers

so, i want a window with available oauth providers, to trigger the js code from example https://pocketbase.io/docs/authentication/ ( all in one, recommended )

let's get configured providers in the go code, add as slice of strings, and in template create buttons for each of those with js code from the example

DONE in template range over enabled providers to create buttons for each

DONE make dialog show on click of some element

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/dialog

DONE i guess i would also like to send htmx event for reloading the page

on successful auth? now, why would logout work, and login not work?

eh, let's go back on body doing the hx-get on event?

maybe this is because of open dialog

wait, maybe then returning from other auth middlewares will work

no. for some reason

e.HttpContext.Response().Header().Add("HX-Trigger", "auth-change-event")

this header when returned with response to request triggered by js, doesn't result in event being triggered, ok, i guess

so yeah, uglier that i wanted

wanted to have hx-get="/" hx-trigger="auth-change-event" and send these events from all auth middleware methods

https://htmx.org/docs/#response-headers

but on auth success, even though header is present in the response, no event is triggered ( checked with event listener in console ) so, yup. coupling between js code of oauth, middlewares and body tag. this seems like too much.

but it somewhat works

DONE add one more page that checks auth

and let's use existing middleware from framework documentation

with hx-boost things are well, but i also need header as fragment, so that opening in new tab would work. and all js imports and libraries that are required by all pages, should be in all templates

DONE i suppose there has to be a base template then

and now all since base template has Nav, i need to provide attibutes which are used there, huh well. hmmmmm. yeah, i guess

DONE add tailwind styling

and wgo command should move from wgo -file=.gohtml -file=.go go run . serve

to wgo -verbose -file=.go -file=.gohtml -file=tailwind.config.js tailwindcss -i ./pages/input.css -o pages/static/public/out.css :: go run . serve

DONE style pages

DONE style dialog

DONE i guess i'll want a makefile?

then wgo could be build with makefile and run and nix packaging could be more straightforward, and not too prohibitive to those who don't use nix

it seems that with MakeFile i could have go code depend on tailwind output

and not have other way around, it should speed up the restart of the service in cases where only go code has changed.

also - i think i can have different build and run for go code, so yeah

allright, it looks like people also do that

https://www.alexedwards.net/blog/a-time-saving-makefile-for-your-go-projects

some helpful things:

https://makefiletutorial.com/

example of things for go https://earthly.dev/blog/golang-makefile/ https://www.alexedwards.net/blog/a-time-saving-makefile-for-your-go-projects and i guess i could also search online for tailwindcss Makefile examples and tips

DONE package static into single binary

i guess already done?

DONE write nix build

and it should be even easier with a Makefile?

https://ryantm.github.io/nixpkgs/stdenv/stdenv/

simple stdenv.mkDerivation calls generic builder which uses Makefile

now i have a problem with using go build in a homeless-shelter > failed to initialize build cache at homeless-shelter.cache/go-build: mkdir /homeless-shelter: permission denied

well, especially with go.mod dependencies i'd need to use buildGoModule

but [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve 2023/10/07 04:05:56 mkdir result/bin/pb_data: read-only file system

so, i need to pass some place in tmp? this is probably pocketbase settings, hopefully as command line argument

https://nixos.org/manual/nixpkgs/stable/#sec-language-go https://nixos.wiki/wiki/Go

so, if i call executable from somewhere, it looks for pb_data in current directory

but then for some reason [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve 2023/10/08 06:37:19 mkdir result/bin/pb_data: read-only file system

here it tries to init pb_data near the binary

this works: [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve dir=./pb_data

oh, i don't need to specify location of migrations.

because they are static. and should be just present in the nix store

and dir is already built in. nice

well, i don't see any pb_migrations in my project directory even though, i'm creating and updating the table maybe it's all in pb_data now?

if now - i'll need to add something like

            postBuild = ''
              cp pb_migration $out/bin/pb_migration
            '';

so, if using as framework migrations are not automatically enabled?

https://github.com/pocketbase/pocketbase/discussions/2218

https://pocketbase.io/docs/go-migrations/#enable-go-migrations The prebuilt executable enables the migrate command by default, but when you are extending PocketBase with Go you have to enable it manually

now `nix build` produces the binary capable to run the site

and

./result/bin/auth-pocketbase-attempt serve --dir=./pb_data

is what i need for it to pick up pb_data from work directory, cool

DONE write nixos module

need to pass data and migration location as params and address on which to serve, cool i suppose but also nginx settins at the same time

this is behavior of specifying the host and port:

[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --https=127.0.0.1:8090 --dir=./pb_data 2023/10/08 12:58:04 Server started at https://127.0.0.1:8090 ├─ REST API: https://127.0.0.1:8090/api/ └─ Admin UI: https://127.0.0.1:8090/_/ ^C [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve 127.0.0.1:8090 dir=./pb_data 2023/10/08 12:58:15 Server started at https://127.0.0.1:8090 ├─ REST API: https://127.0.0.1:8090/api/ └─ Admin UI: https://127.0.0.1:8090/_/ ^C [efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve http=127.0.0.1:8090 dir=./pb_data 2023/10/08 12:58:20 Server started at http://127.0.0.1:8090 ├─ REST API: http://127.0.0.1:8090/api/ └─ Admin UI: http://127.0.0.1:8090/_/

by default - if host is present, serving on https.

cool

oh, but if i'm using nginx i'll need my own certificate, that makes sence

maybe things are ok?

let's try to plaintext deploy?

quoting of the '' in multiline string

https://nixos.org/manual/nix/stable/language/values.html

not accessible still

sudo journalctl -u nginx since "1 day ago"

oh, i forgot to add subname in gandi ui

now works

now i need a way to pass in the hostname

because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection

adding a custom flag:

https://github.com/pocketbase/pocketbase/discussions/1900

DONE change some additional config to option :

${optionalString config.proxyWebsockets '' proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; ''} ( also in planning poker repo )

https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428

TODO add docker image from nix

CANCELLED add cli for port and host

DONE add readme and comments

DONE pupose of the code

DONE how to build, install

with and without nix

DONE development things 'make run/live'

DONE main parts:

DONE auth middleware
DONE using js auth
DONE pages
DONE error pages

DONE links to main documentation:

  • adding new auth providers
  • adding middlewares and working with collections

DONE things which aren't good here:

  • error pages, i guess module in pages, but exposing before error hook themselves
  • rendering full pages, not doing 'just main' for hx requests
  • maybe serving js pocketbase from own static files?

DONE comments on all main modules

DONE configure tls / ssl / https on franzk deployment

https://nixos.org/manual/nixos/stable/#module-security-acme-nginx ( and also same here https://nixos.wiki/wiki/Nginx )

can it be configured on render.com? omg line 112 & 113 in project config: http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05

and this in my server config: https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f

this is all that's needed to enable tls mind blown

DONE somehow set cookie to httpOnly & secure

with ability to disable for development session

a complication

since i'm under the nginx, i can't just match on the serving address :

[efim@franzk:~]$ systemctl status pb-auth-example-app.service
● pb-auth-example-app.service - Exercise app auth-pocketbase-attempt
     Loaded: loaded (/etc/systemd/system/pb-auth-example-app.service; enabled; preset: enabled)
     Active: active (running) since Mon 2023-10-09 04:29:20 UTC; 1min 17s ago
   Main PID: 411857 (auth-pocketbase)
      Tasks: 13 (limit: 629145)
     Memory: 28.3M
        CPU: 148ms
     CGroup: /system.slice/pb-auth-example-app.service
             └─411857 /nix/store/czq95bjhwszasncp8f04d9yn4m0xf4kw-auth-pocketbase-attempt-0.0.1/bin/auth-pocketbase-attempt serve --http 127.0.0.1:45001 --dir=/home/pb-auth-example-app-user

Oct 09 04:29:20 franzk systemd[1]: Started Exercise app auth-pocketbase-attempt.
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Warning: starting server with cookie Secure = false!
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Server started at http://127.0.0.1:45001
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: ├─ REST API: http://127.0.0.1:45001/api/
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: └─ Admin UI: http://127.0.0.1:45001/_/

so, custom arg is required, hello

https://github.com/pocketbase/pocketbase/discussions/1900

holy cow, Firefox and later Chrome will accept Secure cookie on localhost

https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost

see: except on localhost : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

DONE prettying up server responses for "we show html" land

let's do this also, yes

DONE logout should push root url in htmx

DONE lets make 404 page and return it

DONE lets make 401 page and return it

DONE and let's make NavInfo init common for reuse

TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?

http://localhost:8090/_/images/oauth2/apple.svg yes.

TODO read and add ok logging

TODO figure out and enbale migrations

https://pocketbase.io/docs/go-migrations/#enable-go-migrations

if i understood correctly, when i enable migration generation i would be able to modify locally run instance via admin interface, go files with migration would be generated, i'll have to import them somewhere in my main module, and then after building/packaging when i run `serve` on production the migrations would run on the production data

adding google oauth

support article : https://developers.google.com/identity/sign-in/web/sign-in settings are in : https://console.cloud.google.com/apis/credentials