CD
Cloudflare Developers5w ago
Silvan

i just realized this could be used as a

i just realized this could be used as a centralized auth server no? have an array of allowed service names (for the stub) and voila anyways i should probably add docs on better-auth for this. no more d1 just for auth
17 Replies
dan
dan5w ago
not sure i have context on what the service names/sub are but yeah it does seem a bit heavy to have an auth db in every DO when there's likely just gonna be one row in it
Silvan
SilvanOP5w ago
*stub sorry
dan
dan5w ago
you mean an array of authorized stub ids?
Silvan
SilvanOP5w ago
basically yes
dan
dan5w ago
yeah i was thinking about this the other day, i think the DOs themselves should have no knowledge of any auth just call them in an authenticated context i'm about to implement this actually, shipping an agent to my app that users can spin up, i'll just keep a record of users_agents with user_ids and the DO stub ids and do my authorization that way
Silvan
SilvanOP5w ago
was actually considering this too lol how exactly do you mean this?
dan
dan5w ago
like i think the DO itself should just run without any context of auth auth just happens before
Silvan
SilvanOP5w ago
oh as in the client does worker -> DO and the worker decides if you are allowed or not
dan
dan5w ago
yeah
Silvan
SilvanOP5w ago
yea thats how my current Ai app works too
plgingras88
plgingras885w ago
Weird I was about to tackle this exact same scenario with worker and DO and better auth and i was thinking pretty much the same : the worker should manage auth then allow or block DO calls. I however may need to pass a permissions object to the DO to manage granular level actions on the DO end though. Thanks for sharing your discoveries and experiments !
Silvan
SilvanOP5w ago
Yea most likely smarter. this was my simple solution to it 
app.use('*', async (c, next) => {
  const session = await auth(drizzle(c.env.DB)).api.getSession({
    headers: c.req.raw.headers,
  });

  if (!session) {
    c.set('user', null);
    c.set('session', null);
    return next();
  }

  c.set('user', session.user);
  c.set('session', session.session);

  return next();
});

app.on(['POST', 'GET'], '/api/auth/**', (c) =>
  auth(drizzle(c.env.DB)).handler(c.req.raw)
);

app.use(
  '*',
  createMiddleware(
    async (c, next) =>
      await agentsMiddleware({
        options: {
          onBeforeConnect: () => {
            if (!c.get('user'))
              return new Response('Unauthorized', { status: 401 });
          },
        },
        onError: (error) => {
          console.error(error);
        },
      })(c, next)
  )
);
app.use('*', async (c, next) => {
  const session = await auth(drizzle(c.env.DB)).api.getSession({
    headers: c.req.raw.headers,
  });

  if (!session) {
    c.set('user', null);
    c.set('session', null);
    return next();
  }

  c.set('user', session.user);
  c.set('session', session.session);

  return next();
});

app.on(['POST', 'GET'], '/api/auth/**', (c) =>
  auth(drizzle(c.env.DB)).handler(c.req.raw)
);

app.use(
  '*',
  createMiddleware(
    async (c, next) =>
      await agentsMiddleware({
        options: {
          onBeforeConnect: () => {
            if (!c.get('user'))
              return new Response('Unauthorized', { status: 401 });
          },
        },
        onError: (error) => {
          console.error(error);
        },
      })(c, next)
  )
);
plgingras88
plgingras885w ago
This deserves a live pic of my red cat blocking me from coding.
No description
Silvan
SilvanOP5w ago
relatable
No description
plgingras88
plgingras885w ago
No fuckin way, they are all the same loll. And I am a svelte fan too. You clone haha !!
dan
dan5w ago
No description
dan
dan5w ago
no orange but also cat-blocked

Did you find this page helpful?