Closed simondmansson closed 8 months ago
I have dug into and tested the authentication in PocketBase.
I'm a bit concerned that PocketBase might be a bit too advanced for htmx. I've realized that PocketBase relies solely on having an Authorization header set to a JWT, so no session cookie. :(
I tried to find ways to work around it. It seems possible to define an "hx-headers" attribute in htmx, but it will need to be set (which might not be too tricky but also not very elegant), and moreover, it might be problematic if you refresh a page as the header won't be set.
I also came across this quote from one of the htmx essays: "The best way to do authentication with htmx is using cookies." [Link: https://htmx.org/essays/web-security-basics-with-htmx/#secure-your-cookies]
Right now, I'm a bit skeptical about PocketBase.
I found this thread mentioning that we could manually set a cookie in PocketBase containing the JWT, and then extract the JWT from the cookie (server side) to use in the "normal" authentication flow. https://github.com/pocketbase/pocketbase/discussions/989
I'm back on the PocketBase horse!
I think this is the way to go: https://github.com/efim/go-ssr-pocketbase-oauth-attempt/blob/main/middleware/auth.go
Without digging into this, I think what we want to do for the web app is something like the following:
Set-Cookie: token=asd8234nsdfp982; Secure; HttpOnly; SameSite=Lax
in the response, where the token ID is a session identifier. How we set it up needs further investigation.
I'm not sure we need to take the detour of storing the JWT in a table. We could just set the JWT as the content of the cookie. But other than that I agree on the steps.
I was thinking something along these lines: https://github.com/namatoj/sociallink/blob/a57dee8cfbbe0ebc77c4699e9187b6ca4d26f7ef/cmd/web/main.go#L25-L53
What do you think?
Note that since the cookie is Secure, it will not be set when using a non-HTTPS connection.
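A sketch of the approach the last few comments converge on (JWT as the cookie value, cookie marked Secure/HttpOnly/SameSite=Lax, server-side middleware copying it into the Authorization header). This is an added illustration, not code from the thread, from PocketBase, or from the linked repos. It uses plain net/http rather than PocketBase's router so it runs stand-alone; the cookie name pb_auth, the mintToken callback and the stand-in token are assumptions, and in the real app the token would come from PocketBase's auth endpoint.

```go
package main

import (
	"errors"
	"log"
	"net/http"
	"strings"
	"time"
)

// sessionCookieName is an assumed name; the login handler and the
// middleware only need to agree on it.
const sessionCookieName = "pb_auth"

// sessionCookie builds the Set-Cookie proposed in the thread: the JWT itself
// as the cookie content, marked Secure, HttpOnly and SameSite=Lax. Because of
// Secure a browser will not store it over plain http (the caveat above), so
// local development needs TLS or a TLS-terminating proxy in front.
func sessionCookie(token string, ttl time.Duration) *http.Cookie {
	return &http.Cookie{
		Name:     sessionCookieName,
		Value:    token,
		Path:     "/",
		MaxAge:   int(ttl.Seconds()),
		Secure:   true,
		HttpOnly: true,
		SameSite: http.SameSiteLaxMode,
	}
}

// clearSessionCookie expires the session cookie (logout). The attributes must
// match the original cookie, otherwise browsers may keep the old one.
func clearSessionCookie() *http.Cookie {
	c := sessionCookie("", 0)
	c.MaxAge = -1
	return c
}

// looksLikeJWT is a cheap shape check (three non-empty dot-separated
// segments). It is not validation: signature and expiry are still checked by
// whatever consumes the Authorization header.
func looksLikeJWT(s string) bool {
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return false
	}
	for _, p := range parts {
		if p == "" || strings.ContainsAny(p, " \t;") {
			return false
		}
	}
	return true
}

// authHeaderFromCookie copies the JWT out of the HttpOnly cookie into the
// Authorization header so the rest of the app keeps using the header-based
// flow unchanged. A header sent explicitly (e.g. via hx-headers) wins.
func authHeaderFromCookie(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			if c, err := r.Cookie(sessionCookieName); err == nil && looksLikeJWT(c.Value) {
				// Bare-token form as shown in PocketBase's API docs; add a
				// "Bearer " prefix here if your consumer expects one.
				r.Header.Set("Authorization", c.Value)
			}
		}
		next.ServeHTTP(w, r)
	})
}

// loginHandler stands in for the real login. mintToken is an assumed
// callback: in the app it would call PocketBase's auth endpoint and return
// the JWT; here it lets the example run offline.
func loginHandler(mintToken func(identity, password string) (string, error)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		tok, err := mintToken(r.FormValue("identity"), r.FormValue("password"))
		if err != nil {
			http.Error(w, "invalid credentials", http.StatusUnauthorized)
			return
		}
		http.SetCookie(w, sessionCookie(tok, 7*24*time.Hour))
		// htmx honours HX-Redirect with a full-page navigation, so the
		// browser sends the new cookie on the next request.
		w.Header().Set("HX-Redirect", "/")
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/login", loginHandler(func(identity, password string) (string, error) {
		if identity == "" || password == "" {
			return "", errors.New("missing credentials")
		}
		return "hdr.payload.sig", nil // constructed stand-in for a PocketBase JWT
	}))
	mux.HandleFunc("/me", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("token seen: " + r.Header.Get("Authorization")))
	})
	log.Fatal(http.ListenAndServe(":8090", authHeaderFromCookie(mux)))
}
```

The middleware deliberately does not validate the JWT itself: the cookie is just a transport for the token, and the existing token check downstream stays the single place that decides whether a request is authenticated. Refreshing the page works because the browser attaches the cookie automatically, which is exactly what the hx-headers approach could not give.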
As a dev, I want user management tools so I can manage my users.
Use PocketBase?