256 lines
11 KiB
Org Mode
256 lines
11 KiB
Org Mode
#+title: Auth Notes
|
|
* starting the pocketbase as framework
|
|
https://pocketbase.io/docs/go-overview/
|
|
* plan
|
|
** DONE start pocketbase
|
|
** DONE add middlewares for cookie session
|
|
** DONE add index page, that will have either "current user" or 'login' link
|
|
*** DONE let's add some content that only opens up when person is authed
|
|
*** DONE also, how do i logout?
|
|
separate route that deleted the cookie i guess.
|
|
since auth is a jwt which would expire on its own
|
|
and htmx get thingy, and reload i guess?
|
|
** DONE 'login' link should open dialog with oauth providers
|
|
so, i want a window with available oauth providers,
|
|
to trigger the js code from example
|
|
https://pocketbase.io/docs/authentication/
|
|
( all in one, recommended )
|
|
|
|
let's get configured providers in the go code,
|
|
add as slice of strings, and in template create buttons for each of those
|
|
with js code from the example
|
|
*** DONE in template range over enabled providers to create buttons for each
|
|
*** DONE make dialog show on click of some element
|
|
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/dialog
|
|
** DONE i guess i would also like to send htmx event for reloading the page
|
|
on successful auth?
|
|
now, why would logout work, and login not work?
|
|
|
|
eh, let's go back on body doing the hx-get on event?
|
|
|
|
maybe this is because of open dialog
|
|
*** wait, maybe then returning from other auth middlewares will work
|
|
no.
|
|
for some reason
|
|
#+begin_src go
|
|
e.HttpContext.Response().Header().Add("HX-Trigger", "auth-change-event")
|
|
#+end_src
|
|
|
|
this header when returned with response to request triggered by js, doesn't result in event being triggered,
|
|
ok, i guess
|
|
*** so yeah, uglier that i wanted
|
|
wanted to have hx-get="/" hx-trigger="auth-change-event"
|
|
and send these events from all auth middleware methods
|
|
|
|
https://htmx.org/docs/#response-headers
|
|
|
|
but on auth success, even though header is present in the response, no event is triggered
|
|
( checked with event listener in console )
|
|
so, yup. coupling between js code of oauth, middlewares and body tag. this seems like too much.
|
|
|
|
but it somewhat works
|
|
|
|
** DONE add one more page that checks auth
|
|
and let's use existing middleware from framework documentation
|
|
|
|
with hx-boost things are well,
|
|
but i also need header as fragment, so that opening in new tab would work.
|
|
and all js imports and libraries that are required by all pages, should be in all templates
|
|
|
|
** DONE i suppose there has to be a base template then
|
|
and now all since base template has Nav,
|
|
i need to provide attibutes which are used there, huh
|
|
well. hmmmmm. yeah, i guess
|
|
** DONE add tailwind styling
|
|
and wgo command should move from
|
|
wgo -file=.gohtml -file=.go go run . serve
|
|
|
|
to
|
|
wgo -verbose -file=.go -file=.gohtml -file=tailwind.config.js tailwindcss -i ./pages/input.css -o pages/static/public/out.css :: go run . serve
|
|
*** DONE style pages
|
|
*** DONE style dialog
|
|
|
|
** DONE i guess i'll want a makefile?
|
|
then wgo could be build with makefile and run
|
|
and nix packaging could be more straightforward, and not too prohibitive to those who don't use nix
|
|
*** it seems that with MakeFile i could have go code depend on tailwind output
|
|
and not have other way around,
|
|
it should speed up the restart of the service in cases where only go code has changed.
|
|
|
|
also - i think i can have different build and run for go code, so yeah
|
|
*** allright, it looks like people also do that
|
|
https://www.alexedwards.net/blog/a-time-saving-makefile-for-your-go-projects
|
|
*** some helpful things:
|
|
https://makefiletutorial.com/
|
|
|
|
example of things for go
|
|
https://earthly.dev/blog/golang-makefile/
|
|
https://www.alexedwards.net/blog/a-time-saving-makefile-for-your-go-projects
|
|
and i guess i could also search online for tailwindcss Makefile examples and tips
|
|
|
|
** DONE package static into single binary
|
|
i guess already done?
|
|
** DONE write nix build
|
|
and it should be even easier with a Makefile?
|
|
|
|
https://ryantm.github.io/nixpkgs/stdenv/stdenv/
|
|
|
|
simple stdenv.mkDerivation calls generic builder which uses Makefile
|
|
|
|
now i have a problem with using go build in a homeless-shelter
|
|
> failed to initialize build cache at /homeless-shelter/.cache/go-build: mkdir /homeless-shelter: permission denied
|
|
*** well, especially with go.mod dependencies i'd need to use buildGoModule
|
|
but
|
|
[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve
|
|
2023/10/07 04:05:56 mkdir result/bin/pb_data: read-only file system
|
|
|
|
so, i need to pass some place in tmp? this is probably pocketbase settings, hopefully as command line argument
|
|
|
|
https://nixos.org/manual/nixpkgs/stable/#sec-language-go
|
|
https://nixos.wiki/wiki/Go
|
|
|
|
so, if i call executable from somewhere, it looks for pb_data in current directory
|
|
|
|
but then for some reason
|
|
[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve
|
|
2023/10/08 06:37:19 mkdir result/bin/pb_data: read-only file system
|
|
|
|
here it tries to init pb_data near the binary
|
|
|
|
this works:
|
|
[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ ./result/bin/auth-pocketbase-attempt serve --dir=./pb_data
|
|
|
|
*** oh, i don't need to specify location of migrations.
|
|
because they are static. and should be just present in the nix store
|
|
|
|
and --dir is already built in. nice
|
|
|
|
well, i don't see any pb_migrations in my project directory even though,
|
|
i'm creating and updating the table
|
|
maybe it's all in pb_data now?
|
|
|
|
if now - i'll need to add something like
|
|
#+begin_src nix
|
|
postBuild = ''
|
|
cp pb_migration $out/bin/pb_migration
|
|
'';
|
|
#+end_src
|
|
|
|
*** so, if using as framework migrations are not automatically enabled?
|
|
https://github.com/pocketbase/pocketbase/discussions/2218
|
|
|
|
https://pocketbase.io/docs/go-migrations/#enable-go-migrations
|
|
The prebuilt executable enables the migrate command by default, but when you are extending PocketBase with Go you have to enable it manually
|
|
*** now `nix build` produces the binary capable to run the site
|
|
and
|
|
#+begin_src bash
|
|
./result/bin/auth-pocketbase-attempt serve --dir=./pb_data
|
|
#+end_src
|
|
is what i need for it to pick up pb_data from work directory, cool
|
|
|
|
** DONE write nixos module
|
|
need to pass data and migration location as params
|
|
and address on which to serve, cool
|
|
i suppose
|
|
but also nginx settins at the same time
|
|
*** this is behavior of specifying the host and port:
|
|
[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --https=127.0.0.1:8090 --dir=./pb_data
|
|
2023/10/08 12:58:04 Server started at https://127.0.0.1:8090
|
|
├─ REST API: https://127.0.0.1:8090/api/
|
|
└─ Admin UI: https://127.0.0.1:8090/_/
|
|
^C
|
|
[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve 127.0.0.1:8090 --dir=./pb_data
|
|
2023/10/08 12:58:15 Server started at https://127.0.0.1:8090
|
|
├─ REST API: https://127.0.0.1:8090/api/
|
|
└─ Admin UI: https://127.0.0.1:8090/_/
|
|
^C
|
|
[efim@chunky:~/Documents/personal/go-learning/auth-pocketbase-attempt]$ sudo ./result/bin/auth-pocketbase-attempt serve --http=127.0.0.1:8090 --dir=./pb_data
|
|
2023/10/08 12:58:20 Server started at http://127.0.0.1:8090
|
|
├─ REST API: http://127.0.0.1:8090/api/
|
|
└─ Admin UI: http://127.0.0.1:8090/_/
|
|
*** by default - if host is present, serving on https.
|
|
cool
|
|
|
|
oh, but if i'm using nginx i'll need my own certificate, that makes sence
|
|
*** maybe things are ok?
|
|
let's try to plaintext deploy?
|
|
*** quoting of the '' in multiline string
|
|
https://nixos.org/manual/nix/stable/language/values.html
|
|
*** not accessible still
|
|
sudo journalctl -u nginx --since "1 day ago"
|
|
*** oh, i forgot to add subname in gandi ui
|
|
now works
|
|
*** now i need a way to pass in the hostname
|
|
because front-end is setting up js 'new PocketBase' with 127.0.0.1 connection
|
|
*** adding a custom flag:
|
|
https://github.com/pocketbase/pocketbase/discussions/1900
|
|
** DONE change some additional config to option :
|
|
${optionalString config.proxyWebsockets ''
|
|
proxy_http_version 1.1;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $connection_upgrade;
|
|
''}
|
|
( also in planning poker repo )
|
|
|
|
https://github.com/NixOS/nixpkgs/blob/nixos-23.05/nixos/modules/services/web-servers/nginx/default.nix#L428
|
|
|
|
|
|
** TODO add docker image from nix
|
|
*** CANCELLED add cli for port and host
|
|
** TODO add readme and comments
|
|
** DONE configure tls / ssl / https on franzk deployment
|
|
https://nixos.org/manual/nixos/stable/#module-security-acme-nginx
|
|
( and also same here https://nixos.wiki/wiki/Nginx )
|
|
|
|
can it be configured on render.com?
|
|
omg
|
|
line 112 & 113 in project config:
|
|
http://git.sunshine.industries/efim/go-ssr-pocketbase-oauth-attempt/commit/875de35177462f21732e3ba108a94d77a543da05
|
|
|
|
and this in my server config:
|
|
https://github.com/efim/dotfiles/commit/b3695148082d8c9850a781aaa7a88920bdb1fa7f
|
|
|
|
this is all that's needed to enable tls
|
|
mind blown
|
|
** DONE somehow set cookie to httpOnly & secure
|
|
with ability to disable for development session
|
|
*** a complication
|
|
since i'm under the nginx, i can't just match on the serving address :
|
|
#+begin_src
|
|
[efim@franzk:~]$ systemctl status pb-auth-example-app.service
|
|
● pb-auth-example-app.service - Exercise app auth-pocketbase-attempt
|
|
Loaded: loaded (/etc/systemd/system/pb-auth-example-app.service; enabled; preset: enabled)
|
|
Active: active (running) since Mon 2023-10-09 04:29:20 UTC; 1min 17s ago
|
|
Main PID: 411857 (auth-pocketbase)
|
|
Tasks: 13 (limit: 629145)
|
|
Memory: 28.3M
|
|
CPU: 148ms
|
|
CGroup: /system.slice/pb-auth-example-app.service
|
|
└─411857 /nix/store/czq95bjhwszasncp8f04d9yn4m0xf4kw-auth-pocketbase-attempt-0.0.1/bin/auth-pocketbase-attempt serve --http 127.0.0.1:45001 --dir=/home/pb-auth-example-app-user
|
|
|
|
Oct 09 04:29:20 franzk systemd[1]: Started Exercise app auth-pocketbase-attempt.
|
|
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Warning: starting server with cookie Secure = false!
|
|
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: 2023/10/09 04:29:20 Server started at http://127.0.0.1:45001
|
|
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: ├─ REST API: http://127.0.0.1:45001/api/
|
|
Oct 09 04:29:20 franzk auth-pocketbase-attempt[411857]: └─ Admin UI: http://127.0.0.1:45001/_/
|
|
#+end_src
|
|
*** so, custom arg is required, hello
|
|
https://github.com/pocketbase/pocketbase/discussions/1900
|
|
*** holy cow, Firefox and later Chrome will accept Secure cookie on localhost
|
|
https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost
|
|
|
|
see: except on localhost : https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
|
|
|
|
|
|
** TODO maybe add middleware so that 401 would be a page, and not json
|
|
** TODO get icons for the auth providers. surely they are accessible from the pocketbase itself?
|
|
http://localhost:8090/_/images/oauth2/apple.svg
|
|
yes.
|
|
** TODO read and add ok logging
|
|
** TODO figure out and enbale migrations
|
|
https://pocketbase.io/docs/go-migrations/#enable-go-migrations
|
|
|
|
if i understood correctly, when i enable migration generation
|
|
i would be able to modify locally run instance via admin interface,
|
|
go files with migration would be generated, i'll have to import them somewhere in my main module, and then after building/packaging when i run `serve` on production the migrations would run on the production data
|