Custom authentication

I have a new Next.js application that is using magic.link for authentication. I’d like to use thin-backend for my database, but am having trouble determining how to swap out thin-backend’s authentication with my own custom authentication. Are there any guides for how to use your own JWTs for authenticating users?

I think I’ve figured out how to handle this from examples in: thin-backend/thin-backend-react at master · digitallyinduced/thin-backend · GitHub

Now I’m needing better understanding of how to handle creating new user policies though. I want the policy to allow anyone to create a user record upon login through magic.link, and then for them to only be able to read their own record after that.

Thanks for sharing :slight_smile: There’s no docs on this case yet. I’ll write the missing docs by tomorrow and update you right away once done.

Here’s a rough sketch of how this should work:

  1. Set up the JWT login for magic.link as described in How to use JWTs with Magic | Magic. This needs to be implemented inside your next.js app.

  2. The magic.link example uses JWTs with a single secret key (using HMAC). Thin uses JWTs with RSA, which means that we have a private + public key pair. You can find the private key used for the Thin JWTs inside the Thin project settings → Auth → JWT → RSA Private Key:


    Use that private key as your secret in the next.js project and follow the docs on https://www.npmjs.com/package/jsonwebtoken to configure the jsonwebtoken package to use RSA instead of the default HMAC:

        const jwt = require('jsonwebtoken');

        // `metadata` is the user metadata object from the magic.link guide linked in step 1
        let token = jwt.sign(
          {
            ...metadata,
            // expiry in seconds since the epoch: now + SESSION_LENGTH_IN_DAYS days
            exp: Math.floor(Date.now() / 1000) + 60 * 60 * 24 * process.env.SESSION_LENGTH_IN_DAYS,
          },
          process.env.JWT_SECRET, // <-- THIS ENV VAR SHOULD CONTAIN THE PRIVATE KEY FROM THIN
          { algorithm: 'RS256' } // RSA signature instead of the default HS256 (HMAC)
        );
    
  3. Now you should have a process that allows the user to log in with magic.link, and exchange the magic.link token for a JWT that’s signed with the private key of your project. Now you just need to tell the Thin client about that JWT. You can do it like this:

    import { didCompleteAuthentication } from 'thin-backend/auth'

    // doMagicLinkLogin() and getJWTFromDid() are your own app's functions:
    // the magic.link login from step 1 and the token exchange from step 2.
    async function loginProcess() {
        // Get the JWT:
        const didToken = await doMagicLinkLogin();
        const [jwt, userId] = await getJWTFromDid(didToken); // Our jwt response should also give us the userId, as Thin needs that userId

        // Tell thin about the JWT:
        didCompleteAuthentication(userId, jwt);
    }
    

    After didCompleteAuthentication is called, Thin will use the JWT for all API calls.


I’m giving up until someone helps. I can’t even create a policy that lets anyone and everyone create and update every record ever without running into row level security issues.

Love the thought of this service, but the documentation is inadequate for what may be my stupidity, but it seems like the service simply does not work as expected based upon simple policies like:

Thank you, this makes sense to me; haven’t tried it yet though.

I can’t even create a policy that lets anyone and everyone create and update every record ever without running into row level security issues.

Can you share what you tried? Did you also run the migration after creating the policies?

Here’s a step by step on how to add a policy that allows anyone to create and update every record in a table:

Thin Create Public Policy