i just realized this could be used as a

Silvan · 2025-03-26T18:27:36.782Z

i just realized this could be used as a centralized auth server no? have an array of allowed service names (for the stub) and voila anyways i should probably add docs on better-auth for this. no more d1 just for auth

D

dan•3/26/25, 6:30 PM

not sure i have context on what the service names/sub are

D

dan•3/26/25, 6:31 PM

but yeah it does seem a bit heavy to have an auth db in every DO

D

dan•3/26/25, 6:31 PM

when there's likely just gonna be one row in it

S

SilvanOP•3/26/25, 6:31 PM

*stub sorry

D

dan•3/26/25, 6:31 PM

you mean an array of authorized stub ids?

S

SilvanOP•3/26/25, 6:32 PM

basically yes

D

dan•3/26/25, 6:32 PM

yeah

D

dan•3/26/25, 6:32 PM

i was thinking about this the other day, i think the DOs themselves should have no knowledge of any auth

D

dan•3/26/25, 6:32 PM

just call them in an authenticated context

D

dan•3/26/25, 6:33 PM

i'm about to implement this actually, shipping an agent to my app that users can spin up, i'll just keep a record of

users_agents

users_agents

users_agents

users_agents with user_ids and the DO stub ids and do my authorization that way

S

SilvanOP•3/26/25, 6:38 PM

was actually considering this too lol

Ddan i was thinking about this the other day, i think the DOs themselves should have ...

S

SilvanOP•3/26/25, 6:39 PM

how exactly do you mean this?

D

dan•3/26/25, 6:40 PM

like i think the DO itself should just run without any context of auth

D

dan•3/26/25, 6:40 PM

auth just happens before

S

SilvanOP•3/26/25, 6:42 PM

oh as in the client does worker -> DO and the worker decides if you are allowed or not

D

dan•3/26/25, 6:43 PM

yeah

S

SilvanOP•3/26/25, 6:43 PM

yea thats how my current Ai app works too

P

plgingras88•3/26/25, 8:07 PM

Weird I was about to tackle this exact same scenario with worker and DO and better auth and i was thinking pretty much the same : the worker should manage auth then allow or block DO calls. I however may need to pass a permissions object to the DO to manage granular level actions on the DO end though. Thanks for sharing your discoveries and experiments !

S

SilvanOP•3/26/25, 8:26 PM

Yea most likely smarter. this was my simple solution to it

app.use('*', async (c, next) => {
  const session = await auth(drizzle(c.env.DB)).api.getSession({
    headers: c.req.raw.headers,
  });

  if (!session) {
    c.set('user', null);
    c.set('session', null);
    return next();
  }

  c.set('user', session.user);
  c.set('session', session.session);

  return next();
});

app.on(['POST', 'GET'], '/api/auth/**', (c) =>
  auth(drizzle(c.env.DB)).handler(c.req.raw)
);

app.use(
  '*',
  createMiddleware(
    async (c, next) =>
      await agentsMiddleware({
        options: {
          onBeforeConnect: () => {
            if (!c.get('user'))
              return new Response('Unauthorized', { status: 401 });
          },
        },
        onError: (error) => {
          console.error(error);
        },
      })(c, next)
  )
);

app.use('*', async (c, next) => {
  const session = await auth(drizzle(c.env.DB)).api.getSession({
    headers: c.req.raw.headers,
  });

  if (!session) {
    c.set('user', null);
    c.set('session', null);
    return next();
  }

  c.set('user', session.user);
  c.set('session', session.session);

  return next();
});

app.on(['POST', 'GET'], '/api/auth/**', (c) =>
  auth(drizzle(c.env.DB)).handler(c.req.raw)
);

app.use(
  '*',
  createMiddleware(
    async (c, next) =>
      await agentsMiddleware({
        options: {
          onBeforeConnect: () => {
            if (!c.get('user'))
              return new Response('Unauthorized', { status: 401 });
          },
        },
        onError: (error) => {
          console.error(error);
        },
      })(c, next)
  )
);

app.use('*', async (c, next) => {
  const session = await auth(drizzle(c.env.DB)).api.getSession({
    headers: c.req.raw.headers,
  });

  if (!session) {
    c.set('user', null);
    c.set('session', null);
    return next();
  }

  c.set('user', session.user);
  c.set('session', session.session);

  return next();
});

app.on(['POST', 'GET'], '/api/auth/**', (c) =>
  auth(drizzle(c.env.DB)).handler(c.req.raw)
);

app.use(
  '*',
  createMiddleware(
    async (c, next) =>
      await agentsMiddleware({
        options: {
          onBeforeConnect: () => {
            if (!c.get('user'))
              return new Response('Unauthorized', { status: 401 });
          },
        },
        onError: (error) => {
          console.error(error);
        },
      })(c, next)
  )
);

app.use('*', async (c, next) => {
  const session = await auth(drizzle(c.env.DB)).api.getSession({
    headers: c.req.raw.headers,
  });

  if (!session) {
    c.set('user', null);
    c.set('session', null);
    return next();
  }

  c.set('user', session.user);
  c.set('session', session.session);

  return next();
});

app.on(['POST', 'GET'], '/api/auth/**', (c) =>
  auth(drizzle(c.env.DB)).handler(c.req.raw)
);

app.use(
  '*',
  createMiddleware(
    async (c, next) =>
      await agentsMiddleware({
        options: {
          onBeforeConnect: () => {
            if (!c.get('user'))
              return new Response('Unauthorized', { status: 401 });
          },
        },
        onError: (error) => {
          console.error(error);
        },
      })(c, next)
  )
);

P

plgingras88•3/26/25, 8:31 PM

This deserves a live pic of my red cat blocking me from coding.