Use Singleton using User secret

n44ps · April 5, 2021, 8:17am

Hello !

I’ve been trying to use a simple query with a user secret (this query is made simple, I’m actually not using Get/Singleton to get a Ref data !

const response = await fauna.query(
  q.Get(
    q.Singleton(q.Ref(q.Collection('lessons'), '259055206731350528')),
  ),
  { secret },
);

And end up with {"message":"Insufficient privileges to perform the action."}.

If I remove the secret & use the server or admin, it is working fine. Is there any privileges I need to give to the user to Get | Paginate over Singleton ? Thanks

ewan · April 5, 2021, 4:12pm

Tokens do not provide any privileges by default, whereas an admin or server key would. Likely, you need to create a role that grants the appropriate privileges to the token being used.

For the query example that you included, the Singleton function isn’t doing anything for you. A specific ref doesn’t need to be turned into a set before Get can be used to fetch the ref’s contents. If you do have a set with multiple items, Get can be used to fetch the first item from the set (first is based on the set’s lexical ordering). For example, Get(Documents(Collection("users"))).

n44ps · April 5, 2021, 6:05pm

Thanks for your answer @ewan, the user already has privileges to the lessons collection & the used Indexes. The issue is really about Singleton, I will try to show the full example.

const match = req.query.id
 ? q.Singleton(q.Ref(q.Collection('lessons'), req.query.id))
 : q.Match(q.Index('lessonsFilterByPublished'), true);

const data = await fauna.query(
  Paginate(
    Join(
      match,
      lesson => Match(Index("itemsByLesson"), [q.CurrentIdentity(), lesson])
    )
  ),
  { secret }
)

The match changes depending on giving an id or not.
So I’m using Singleton to transform the Ref into a SetRef that Join can consume.

The query itself works if I’m giving the userRef instead of secret + CurrentIdentity().
I ended up showing that even a simple query like :

q.Get(
  q.Singleton(q.Ref(q.Collection('lessons'), '259055206731350528')),
)

Was not working with a secret. Even if the user has the privilege to read the lessons Collection.

Any idea to proceed ? Thanks

ewan · April 5, 2021, 10:59pm

I’ve been able to reproduce the problem, which seems like it might be a bug, or limitation, of Roles interacting with Singleton sets. I’m asking our engineering team about this, and hope to be able to report something useful soon.