After authentication how to change the key or role?

gregor · December 22, 2020, 10:48pm

Hi, I’m new to faunadb and started with some simple tutorials. But now I got stuck… I achieved to create a collection with users and authenticate them. I did this with a GUEST key and a GUEST role, that have only rights for the loginFn

Query(
  Lambda(["data"], {
    response: Login(
      Match(Index("user_by_email"), Select("eMail", Var("data"))),
      { password: Select("password", Var("data")) }
    )
  })
)

const faunaClient = new faunadb.Client({
  secret: 'FAUNA_GUEST_KEY',
})

return await faunaClient
      .query(q.Call(q.Function('login_user'), { eMail, password }))
      .then(({ response }) => {
        console.log(response) // I get a secret
      })

After authentication the user should get more rights, like creating an item in a collection.

I created for that another role “loggedIn”: Then I created a new key “FAUNA_LOOGEDIN_KEY” with the role “loogedIn”. But how can I change the current secret “FAUNA_GUEST_KEY” with the “FAUNA_LOOGEDIN_KEY”? Or is the secret from the response my new key and I don’t need to create a separate “FAUNA_LOOGEDIN_KEY”? But the question is the same how can I update the secret?

And if I need to use the secret from the response how can I link it to the role “loggedIn” or where I have to define an UDF that the role can get applied to that secret?

gregor

Luigi_Servini · December 23, 2020, 9:54am

Hi @gregor and welcome!

Once you issue Login() with the right password for the user, you get back a secret.
You can then use this secret to login as the user.

To grant privileges to users, you have to create a role as documented here.

To access the database as a user, you have to create a new connection with the key returned by the Login() function.

Roles are linked to users (documents) through the membership field in role.

CreateRole({
  name: "access_todos",
  membership: [
    { 
        resource: Collection("users") 
    }
  ],
  privileges: [{
    resource: Collection("todos"),
    actions: {
      create: true,
      delete: true,
      write: true
    }
  }]
})

In the example above, all users (documents) in collection “users” that are authenticated, are granted to create,delete and write on collection todos.

Hope this answer your question.
If you have any doubt, let me know.

Luigi

gregor · December 23, 2020, 3:15pm

Hi thanks for your replay

With “new connection” do you mean something like this

  return await faunaClient
    .query(q.Call(q.Function('login_user'), { eMail, password }))
    .then(({ secret }) => {
      //reasign new secret 
      faunaClient = new faunadb.Client({
        secret: secret
      })
    })

Where I don’t get my head around is the role thing. How does fauna know that it should apply this role with privileges only to authenticated users and not all users?

Update

I got everything running.

But my question is still, does fauna check the identity for me automatically, if the user, who is bound to the new secret, exists in the collection “users” and if yes the new role gets applied?

And one more question when the new role is applied, do I have to set all privileges again from “public” for “loggedIn”? Because the initial key, which was bound to the role “public”, has been replaced by the new secret(key)?

Topic		Replies	Views
I can't seem to login into fauna with an existing user Help authentication	8	557	July 17, 2021
Authenticated user doesn't have permission to create documents Help	3	1521	April 18, 2023
Serving secrets Help authentication , best-practices	2	391	June 3, 2021
Unauthorized FaunaDB with valid secret key Help authentication	3	1925	September 6, 2021
Problems with unauthorized error Help authentication , javascript	3	317	January 28, 2024

After authentication how to change the key or role?

Related topics