After authentication how to change the key or role?

gregor · December 22, 2020, 10:51pm

Hi, I’m new to faunadb and started with some simple tutorials. But now I got stuck… I achieved to create a collection with users and authenticate them. I did this with a GUEST key and a GUEST role, that have only rights for the loginFn

Query(
  Lambda(["data"], {
    response: Login(
      Match(Index("user_by_email"), Select("eMail", Var("data"))),
      { password: Select("password", Var("data")) }
    )
  })
)

const faunaClient = new faunadb.Client({
  secret: 'FAUNA_GUEST_KEY',
})

return await faunaClient
      .query(q.Call(q.Function('login_user'), { eMail, password }))
      .then(({ response }) => {
        console.log(response) // I get a secret
      })

After authentication the user should get more rights, like creating an item in a collection.

I created for that another role “loggedIn”: Then I created a new key “FAUNA_LOOGEDIN_KEY” with the role “loogedIn”. But how can I change the current secret “FAUNA_GUEST_KEY” with the “FAUNA_LOOGEDIN_KEY”? Or is the secret from the response my new key and I don’t need to create a separate “FAUNA_LOOGEDIN_KEY”? But the question is the same how can I update the secret?

And if I need to use the secret from the response how can I link it to the role “loggedIn” or where I have to define an UDF that the role can get applied to that secret?

gregor

Luigi_Servini · December 23, 2020, 9:54am

Hi @gregor and welcome!

Once you issue Login() with the right password for the user, you get back a secret.
You can then use this secret to login as the user.

To grant privileges to users, you have to create a role as documented here.

To access the database as a user, you have to create a new connection with the key returned by the Login() function.

Roles are linked to users (documents) through the membership field in role.

CreateRole({
  name: "access_todos",
  membership: [
    { 
        resource: Collection("users") 
    }
  ],
  privileges: [{
    resource: Collection("todos"),
    actions: {
      create: true,
      delete: true,
      write: true
    }
  }]
})

In the example above, all users (documents) in collection “users” that are authenticated, are granted to create,delete and write on collection todos.

Hope this answer your question.
If you have any doubt, let me know.

Luigi

gregor · December 24, 2020, 10:49am

Hi thanks for your replay

With “new connection” do you mean something like this

  return await faunaClient
    .query(q.Call(q.Function('login_user'), { eMail, password }))
    .then(({ secret }) => {
      //reasign new secret 
      faunaClient = new faunadb.Client({
        secret: secret
      })
    })

Where I don’t get my head around is the role thing. How does fauna know that it should apply this role with privileges only to authenticated users and not all users?

Update

I got everything running.

But my question is still, does fauna check the identity for me automatically, if the user, who is bound to the new secret, exists in the collection “users” and if yes the new role gets applied?

And one more question when the new role is applied, do I have to set all privileges again from “public” for “loggedIn”? Because the initial key, which was bound to the role “public”, has been replaced by the new secret(key)?