Use request-scoped PocketBase auth for task endpoints

This commit is contained in:
2026-03-29 03:05:41 +00:00
parent 49824ea3c6
commit 006f976f57
+18 -13
View File
@@ -50,6 +50,13 @@ async function validatePbToken(token: string): Promise<void> {
await pb.collection(PB_AUTH_COLLECTION).authRefresh();
}
async function createValidatedPbClient(token: string): Promise<PocketBase> {
const client = new PocketBase(PB_BASE_URL);
client.authStore.save(token, null);
await client.collection(PB_AUTH_COLLECTION).authRefresh();
return client;
}
// ---------------------------------------------------------------------------
// Shared helpers
// ---------------------------------------------------------------------------
@@ -439,20 +446,21 @@ app.get('/api/tasks/users', async (c) => {
const pbToken = c.req.header('x-pb-token');
if (!pbToken) return c.json({ success: false, message: 'Missing x-pb-token' }, 401);
let taskPb: PocketBase;
try {
await validatePbToken(pbToken);
taskPb = await createValidatedPbClient(pbToken);
} catch {
return c.json({ success: false, message: 'Invalid PocketBase token' }, 401);
}
try {
const me = pb.authStore.model;
const me = taskPb.authStore.model;
let meRecord: any = me;
let users: any[] = [];
let warning = '';
if (me?.id) {
try {
meRecord = await pb.collection(PB_AUTH_COLLECTION).getOne(String(me.id), {
meRecord = await taskPb.collection(PB_AUTH_COLLECTION).getOne(String(me.id), {
fields: 'id,email,name,username',
});
} catch {
@@ -460,7 +468,7 @@ app.get('/api/tasks/users', async (c) => {
}
}
try {
users = await pb.collection(PB_AUTH_COLLECTION).getFullList({
users = await taskPb.collection(PB_AUTH_COLLECTION).getFullList({
sort: 'email',
fields: 'id,email,name,username',
});
@@ -487,8 +495,6 @@ app.get('/api/tasks/users', async (c) => {
});
} catch (e) {
return c.json({ success: false, message: (e as Error)?.message || 'Failed to load users' }, 500);
} finally {
clearPbToken();
}
});
@@ -498,19 +504,20 @@ app.get('/api/tasks/list', async (c) => {
const pbToken = c.req.header('x-pb-token');
if (!pbToken) return c.json({ success: false, message: 'Missing x-pb-token' }, 401);
let taskPb: PocketBase;
try {
await validatePbToken(pbToken);
taskPb = await createValidatedPbClient(pbToken);
} catch {
return c.json({ success: false, message: 'Invalid PocketBase token' }, 401);
}
try {
const me = pb.authStore.model;
const me = taskPb.authStore.model;
const meId = String(me?.id || '').trim();
let meRecord: any = me;
if (meId) {
try {
meRecord = await pb.collection(PB_AUTH_COLLECTION).getOne(meId, {
meRecord = await taskPb.collection(PB_AUTH_COLLECTION).getOne(meId, {
fields: 'id,email,name,username',
});
} catch {
@@ -527,7 +534,7 @@ app.get('/api/tasks/list', async (c) => {
const baseFields = 'id,user,title,startDate,dueDate,priority,completed,content,size,status,expand.user.id,expand.user.email,expand.user.name,expand.user.username';
const fetchTasksWithFilter = async (filter: string) => {
return pb.collection(PB_TASKS_COLLECTION).getFullList({
return taskPb.collection(PB_TASKS_COLLECTION).getFullList({
filter,
sort: '-startDate,-created',
expand: 'user',
@@ -536,7 +543,7 @@ app.get('/api/tasks/list', async (c) => {
};
const fetchAllTasks = async () => {
return pb.collection(PB_TASKS_COLLECTION).getFullList({
return taskPb.collection(PB_TASKS_COLLECTION).getFullList({
sort: '-startDate,-created',
expand: 'user',
fields: baseFields,
@@ -637,8 +644,6 @@ app.get('/api/tasks/list', async (c) => {
});
} catch (e) {
return c.json({ success: false, message: (e as Error)?.message || 'Failed to load tasks' }, 500);
} finally {
clearPbToken();
}
});