feat(adapter): add PocketBase Adapter

[tajkirkpatrick]

NOTE:

• It's a good idea to open an issue first to discuss potential changes.
• Please make sure that you are NOT opening a PR to fix a potential security vulnerability. Instead, please follow the Security guidelines to disclose the issue to us confidentially.

☕️ Reasoning

PocketBase is a self-hostable BaaS similar to Supabase. Pocketbase offers a deployable executable, as well as easy portability across different environments.

🧢 Checklist

• [x] Documentation
• [x] Tests
• [ ] Ready to be merged

🎫 Affected issues

Please scout and link issues that might be solved by this PR.

Addresses: #5834

📌 Resources

• Security guidelines
• Contributing guidelines
• Code of conduct
• Contributing to Open Source

[vercel[bot]]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
auth-docs	❌ Failed (Inspect)			Jan 26, 2024 0:48am

1 Ignored Deployment

Name	Status	Preview	Comments	Updated (UTC)
next-auth-docs	⬜️ Ignored (Inspect)	Visit Preview		Jan 26, 2024 0:48am

[Lebyy]

Hello! I have a few suggestions that I think might be helpful:

1. Why don't you directly create the collection using pocketbase web api.
2. I think using admin auth to make the requests is a better idea since that will ensure the read/write access is not granted to all users if some malicious user gets the url.

[tajkirkpatrick]

Hello! I have a few suggestions that I think might be helpful:

1. Why don't you directly create the collection using pocketbase web api.
2. I think using admin auth to make the requests is a better idea since that will ensure the read/write access is not granted to all users if some malicious user gets the url.

Hey @Lebyy thanks for the suggestions and feedback!

Tl;dr:

1. I don't think it's possible, but if you point me to PB docs using the Javascript SDK specifically, I'm all for it.
2. This is a great suggestion, and has been minimally implemented with the last 3 commits.

---

Got time, lets read:

1. AFAIK the PocketBase JS SDK doesn't offer collections creation through its API. PocketBase can be extended and used as a framework with the Go SDK, where collection (and the PB app instantiation) can be written from scratch. Whereas the JS SDK assumes that your database, and schemas are "ready-to-go" and the client's step-1 is connecting to the rest api after ./pocketbase serve. That being said, database migrations are being offered within the package and maybe can be automatically copied to the project root with a postinstall.js script, this would ease user need to "setup" the database, although I don't have any experience creating postinstall scripts.

2. This is a great idea to remain as secure as possible right out of the box, and my latest 3 commits applied a working implementation of the changes suggested. IMO it makes declaring the adapter more verbose, and is unnecessary, as well as the benefits of logging these requests as admin are minimal on the PocketBase end (one uninformative field changes from guest to admin), although I can recognize that this change will setup devs for success with an out-of-the-box secure default and that is important. Convenience and Security, opposite sides of a spectrum, am I right?. So you will find that the default migrations now will not allow guest access entries for any API calls, by default (post-migration).

[Lebyy]

Hello! I have a few suggestions that I think might be helpful:

1. Why don't you directly create the collection using pocketbase web api.
2. I think using admin auth to make the requests is a better idea since that will ensure the read/write access is not granted to all users if some malicious user gets the url.

Hey @Lebyy thanks for the suggestions and feedback!

Tl;dr:

1. I don't think it's possible, but if you point me to PB docs using the Javascript SDK specifically, I'm all for it.
2. This is a great suggestion, and has been minimally implemented with the last 3 commits.

Got time, lets read:

1. AFAIK the PocketBase JS SDK doesn't offer collections creation through its API. PocketBase can be extended and used as a framework with the Go SDK, where collection (and the PB app instantiation) can be written from scratch. Whereas the JS SDK assumes that your database, and schemas are "ready-to-go" and the client's step-1 is connecting to the rest api after ./pocketbase serve. That being said, database migrations are being offered within the package and maybe can be automatically copied to the project root with a postinstall.js script, this would ease user need to "setup" the database, although I don't have any experience creating postinstall scripts.
2. This is a great idea to remain as secure as possible right out of the box, and my latest 3 commits applied a working implementation of the changes suggested. IMO it makes declaring the adapter more verbose, and is unnecessary, as well as the benefits of logging these requests as admin are minimal on the PocketBase end (one uninformative field changes from guest to admin), although I can recognize that this change will setup devs for success with an out-of-the-box secure default and that is important. Convenience and Security, opposite sides of a spectrum, am I right?. So you will find that the default migrations now will not allow guest access entries for any API calls, by default (post-migration).

Hello! Thank you so much for implementing the admin login!

And for the collection creation, pocketbase js sdk does have an option create a collection you can find the link to it here: https://pocketbase.io/docs/api-collections/

[tajkirkpatrick]

Hello! I have a few suggestions that I think might be helpful:

1. Why don't you directly create the collection using pocketbase web api.
2. I think using admin auth to make the requests is a better idea since that will ensure the read/write access is not granted to all users if some malicious user gets the url.

@Lebyy thank you for the mental gymnastics and auto migrations are functional finally.

[Lebyy]

Hello! I have a few suggestions that I think might be helpful:

1. Why don't you directly create the collection using pocketbase web api.
2. I think using admin auth to make the requests is a better idea since that will ensure the read/write access is not granted to all users if some malicious user gets the url.

@Lebyy thank you for the mental gymnastics and auto migrations are functional finally.

xD np, thank you so much for implementing it.

Another cool feature would be if the user's can provide their own collection/table names for that ✨ extra ✨ customization. I have tried implementing this in my unofficial pocketbase adapter @ https://github.com/Lebyy/pocketbase-adapter (not the best way of implementation but it works).

[tajkirkpatrick]

Hey @Lebyy! I took a step away from this adapter after life started to pick up. Thank you for the repo example with custom table names. I love your PocketbaseAdapterOptions interface and I'd like to incorporate it into our the existing codebase. Any ideas on how we can combine our implementations? I'd love some collaboration. I'm struggling with how to pass the user's Adapter options of collection names (assuming I'm using your new AdapterOptions interface), gracefully into my initCollections() on first run. Such that my schemas are only called once with a default name prefixed with next_auth_ OR the specified table name.

I conceptualize getting a template string into my schemas' table name field somehow but that's just me thinking out loud.

[AriaFantom]

Any update on this PR?

[tajkirkpatrick]

Any update on this PR?

Hey @AriaFantom ! I saw you reached out here and the pocketbase repo for an update. I put this PR down a while ago to pursue other self hosting interests. I am writing this comment before revisiting my own work to see where I left off although I believe I was passing all tests when I left off. I used this PR to teach myself some javascript although as I'd discover later writing application code is significantly different than writing library code.

@Lebyy had a great working example earlier in this thread, and I last remember working on allowing the user to pass custom table names into the PocketBaseAdapterOptions for more customization. I'd refer to Lebyy's repo above or the existing (Supabase Adapter)[https://github.com/nextauthjs/next-auth/blob/main/packages/adapter-supabase/src/index.ts] as a reference if you'd like to help contribute to integrating PocketBase.

[AriaFantom]

Any update on this PR?

Hey @AriaFantom ! I saw you reached out here and the pocketbase repo for an update. I put this PR down a while ago to pursue other self hosting interests. I am writing this comment before revisiting my own work to see where I left off although I believe I was passing all tests when I left off. I used this PR to teach myself some javascript although as I'd discover later writing application code is significantly different than writing library code.

@Lebyy had a great working example earlier in this thread, and I last remember working on allowing the user to pass custom table names into the PocketBaseAdapterOptions for more customization. I'd refer to Lebyy's repo above or the existing (Supabase Adapter)[https://github.com/nextauthjs/next-auth/blob/main/packages/adapter-supabase/src/index.ts] as a reference if you'd like to help contribute to integrating PocketBase.

What are the things left and what are the things to fix for now? Then i might look into it

[vercel[bot]]

@ThangHuuVu is attempting to deploy a commit to the authjs Team on Vercel.

A member of the Team first needs to authorize it.

[socket-security[bot]]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
nodemailer	6.9.8	network, filesystem	+0	499 kB	andris
surrealdb.js	0.9.1	network	+1	258 kB	tobiemh
turbo	1.10.12...1.11.3	None	+0/-0	41.3 kB	turbobot
vitest	1.1.1...1.1.3	None	+1/-2	1.51 MB	oreanno
prisma	5.2.0...5.7.1	eval	+0/-0	15.7 MB	prismabot
edgedb	1.3.6...1.4.1	None	+0/-0	582 kB	1st1
drizzle-kit	0.20.9...0.20.10	None	+0/-0	6.32 MB	dankochetov

🚮 Removed packages: @balazsorban/[email protected], @docusaurus/[email protected], @edgedb/[email protected], @fauna-labs/[email protected], @sveltejs/[email protected], @sveltejs/[email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]

[ThangHuuVu]

hey, @tajkirkpatrick - we finally got to look at this PR, sorry for the delay! I pushed some commits to format, clean up & bring the PR up to date - I also rewrote it a bit so that now it accepts a collections as a parameter instead of having hard-coded collections with IDs and stuff. Let me know what you think. The issue is that the tests are not running yet due to the pocketbase package export being wrong - we'll open an issue for them to see, and after that we'll get this one merged 🙌

[tajkirkpatrick]

hey, @tajkirkpatrick - we finally got to look at this PR, sorry for the delay! [...] The issue is that the tests are not running yet due to the pocketbase package export being wrong - we'll open an issue for them to see, and after that we'll get this one merged 🙌

Hello @ThangHuuVu thank you so much for taking the time with this PR. I put this down a while ago so your changes are well appreciated and extremely welcomed decisions. Excited to offer a helping hand where I can to get this over the finish line. When you get a chance, can you share the issue number that pocketbase would need to resolve?

I'll stay updated on it from that community as well.

[ThangHuuVu]

hi @tajkirkpatrick , so there are a couple of things left that we need to get right before merging. I could really use some help for:

• [ ] add a dockerized test, you can check the other adapters for reference
• [ ] the unlinkAccount test is still failing, I didn't have time to check more of it
• [ ] I get the SyntaxError: Unexpected token 'export' error when running the test with jest. The reason might be that the package's exports are wrong - I think this should be fixed on the pocketbase's end. Let me know if you have any questions!

[tajkirkpatrick]

hi @tajkirkpatrick , so there are a couple of things left that we need to get right before merging. I could really use some help for:

[x]  add a dockerized test, you can check the other adapters for reference

Hey @ThangHuuVu I took an attempt at this. My lack of collaborating experience may have caused some trouble though. I forced pushed changes before starting development on the docker test addition and my fork can't seem to local the @next-auth/adapter-test package within the repo anymore. The missing package means I also can't execute jest locally.

Can you let me know your success with my shell script and Dockerfile?

[tajkirkpatrick]

I fear I may have overwrote your improvements. I sincerely apologize. 😞

Edit: I believe the latest refactor commit, added your changes back into the codebase.

[tajkirkpatrick]

Hey @ThangHuuVu I was revisiting my latest commit and saw that I'm still missing your original collections logic that was provided by the end user. At a high level can you talk me through what you implemented. What I remember vividly was that the Collections array be passed to the function options, we deconstruct the options out of the options parameter before using them directly in the Pocketbase API. Were there any gotchas you ran into that I should know about with this approach?