Coding to handle Admins + Auth Records

[VictorioBerra]

The concept that an Admin and Auth Record cause me a lot of confusion. Why are they separate things entirely?

It adds a lot of extra work if we have to code PB as a framework to handle if someone wants to login as an admin, or an auth record for example:

// https://github.com/pocketbase/pocketbase/discussions/3447#discussioncomment-7193058
routerUse((next) => {
  
  return (c) => {
  const utils = require(`${__hooks}/utils.js`);
    try {
      const token = c.request().cookie(utils.userAuthCookieName)?.value;
      if (token) {
        const record = $app
          .dao()
          .findAuthRecordByToken(token, $app.settings().recordAuthToken.secret);
        c.set("authRecord", record);
      }
    } catch (error) {
      console.error(error);
      $app.logger().error(error);
    }

    return next(c);
  };
});

routerUse((next) => {
  const utils = require(`${__hooks}/utils.js`);
  return (c) => {
    try {
      const token = c.request().cookie(utils.adminAuthCookieName)?.value;
      if (token) {
        const record = $app
          .dao()
          .findAdminByToken(token, $app.settings().adminAuthToken.secret);
        c.set("admin", record);
      }
    } catch (error) {
      console.error(error);
      $app.logger().error(error);
    }

    return next(c);
  };
});

onRecordAuthRequest((e) => {
  const utils = require(`${__hooks}/utils.js`);
  try {
    const maxAge = $app.settings().recordAuthToken.duration;
      e.httpContext.setCookie(
        new Cookie({
          name: utils.userAuthCookieName,
          value: e.token,
          path: "/",
          sameSite: "Strict",
          httpOnly: true,
          maxAge: maxAge,
        })
      );
    $app.logger().info("Set cookie for record auth token", "maxAge", maxAge);
  } catch (error) {
    console.error(error);
    $app.logger().error(error);
  }
});

onAdminAuthRequest((e) => {
  const utils = require(`${__hooks}/utils.js`);
  try {
    const now = new Date();
    const expires = now.setSeconds($app.settings().adminAuthToken.duration);
    e.httpContext.setCookie(
      new Cookie({
        name: utils.adminAuthCookieName,
        value: e.token,
        expires: expires,
        path: "/",
        sameSite: http.SameSiteStrictMode,
      })
    );
    $app.logger().info("Set cookie for record auth token", "expires", expires);
  } catch (error) {
    console.error(error);
    $app.logger().error(error);
  }
});

We have to handle findAdminByToken and findAuthRecordByToken and a bunch of other APIs that handle admins VS auth records.

If they were the same, or at least abstracted to a single API there would be a LOT less code to handle.

I am considering in my app to NOT let the admin login, and instead they can create a regular user account and then gain some role through some other mechanism just to prevent juggling 2 sets of cookies, 2 APIs, mapping two different kinds of users throughout the system.

[ganigeorgiev]

Why are they separate things entirely?

They are 2 separate entities because it makes the internals easier to work with.

Note that API rules doesn't apply for admins and they can access and do everything (including deleting other admins).

There are plans to convert the admins into a special system auth collection (aka. the admin model will be models.Record) as part of the upcoming refactoring but I haven't experimented with this yet (I'm currently restructuring the hooks and the router).

[VictorioBerra]

@ganigeorgiev how much will the hooks and router change? Is the restructure just for go or also JavaScript?

[ganigeorgiev]

The changes will affect both Go and the JSVM, how much - it is difficult to say exactly at the moment.

The restructuring is intended to simplify the userland code but it will definitely introduce breaking changes (slightly different order of arguments, different field names, etc.). There is no feasible workaround for this other than preparing a migration guide similar to the v0.7 -> v0.8+ migration.