Files
aewing 42ff3e8f33
Build & Deploy / Test & Lint (push) Has been cancelled
Build & Deploy / Security Scan (push) Has been cancelled
Code Quality / Code Quality Checks (push) Has been cancelled
Code Quality / Dependency Vulnerabilities (push) Has been cancelled
Code Quality / Performance Testing (push) Has been cancelled
Build & Deploy / Build Docker Images (push) Has been cancelled
Build & Deploy / Deploy to Kubernetes (push) Has been cancelled
Add Mode6Test: copy of Mode5Test running on port 3000
2026-01-20 13:43:29 +00:00
..

Universal Auth Module

Overview

This module provides a standardized, immutable authentication and token management system for any web project using PocketBase and Microsoft Graph. It supports user and agent tokens, delegated and app-only flows, and a consistent popup UI for login prompts.

Features

  • Pattern-based: Choose 'pb-user', 'pb-agent', 'graph-user', 'graph-agent', or any combination (e.g., 'pb-user+graph-agent') for your project needs
  • Supports both user and agent tokens for PocketBase and Microsoft Graph
  • Special handling for Valkey/Redis agent login and token storage (for backend/automation flows)
  • Single source of truth for token storage, retrieval, and refresh
  • Consistent, hidden popup for all user login prompts
  • Extracts user info (display name, email) from PocketBase
  • Works in any frontend project with PocketBase

Usage

1. Include in your project

<script src="https://cdn.jsdelivr.net/npm/pocketbase@0.26.5/dist/pocketbase.umd.js"></script>
<script src="auth/auth-universal.js"></script>

2. Initialize the pattern

// Choose your pattern:
// 'pb-user'         - PocketBase user login
// 'pb-agent'        - PocketBase agent/service login
// 'graph-user'      - Microsoft Graph delegated (user) login
// 'graph-agent'     - Microsoft Graph agent/app-only (client credentials)
// Combine as needed: 'pb-user+graph-agent', 'pb-agent+graph-user', etc.
Auth.use('pb-user+graph-agent');

3. Get and use tokens

const pbToken = await Auth.ensureToken('pb');
const graphToken = await Auth.ensureToken('graph');
const userInfo = Auth.getUserInfo();

4. Handle reauthentication

  • If a token is missing or expired, Auth will automatically show a popup for login.
  • The popup is hidden at all other times.

5. Clear tokens (for testing or logout)

Auth.clearToken('pb');
Auth.clearToken('graph');

Secrets and Environment

  • For frontend, all secrets are handled by PocketBase OAuth (no client secrets exposed).
  • For backend/agent flows, use environment variables and server-side code to store secrets securely.
  • The module does not expose or require secrets in the frontend.

Example Test Page

See auth-test.html for a safe way to test all flows without affecting your main app.

Rules for Copilot Instructions

  • Always use Auth.use() to set the pattern before requesting tokens. Supported types: 'pb-user', 'pb-agent', 'graph-user', 'graph-agent', or any combination.
  • Always use Auth.ensureToken(type) to get a valid token; it will handle refresh and prompt if needed.
  • Never store secrets in frontend code; use PocketBase OAuth for user login.
  • All login prompts must use the provided popup, never custom dialogs.
  • Token keys are immutable: 'pbUserToken', 'pbAgentToken', 'graphUserToken', 'graphAgentToken'.
  • User info extraction must use Auth.getUserInfo().
  • For agent/app-only tokens, use backend code, environment variables, and optionally Valkey/Redis for secure storage and retrieval.

FAQ

  • Can I use this in any project? Yes, as long as you include PocketBase and this module.
  • Does it work for both user and agent tokens? Yes, with the correct pattern and backend support for agent tokens (including Valkey/Redis for automation).
  • Is the popup customizable? The style can be changed, but the flow must remain consistent for all projects.
  • How are secrets handled? Only via backend environment variables for agent tokens; never exposed in frontend.

For further integration, see the comments in auth-universal.js and the example test page.