Search
blogAuth
@postpostscript
Auth for Val Town I've developed a collection of vals that lets you sign into HTTP vals who use its middleware (help me name this?) Example Projects You have an HTTP val that is just for you, because it accesses your sqlite or blob storage or any other sensitive function. Install the @postpostscript/authMiddleware.authMiddlewareCookie middleware for zero-config authentication that makes executing the endpoint exclusive to you. Example: @postpostscript/authIdExampleCookiePrivate You have an HTTP val and you want to gate a feature behind a login form while letting anyone access the site. Use that same middleware but disable the token issuer ( iss ) requirement and set the optional option to true . Example: @postpostscript/authIdExampleComments You have an API and you want to lock it down, with specific scopes giving you access to specific endpoints. Use the authMiddlewareToken middleware with the additional middleware @postpostscript/pathAsScope . Example: @postpostscript/apiProxy @postpostscript/sqliteExplorerApp : a fork of @nbbaier/sqliteExplorerApp gated behind authMiddlewareCookie Make a cool project with this? Let me know and I'll add it to the list! How it Works Every user who wants to use this system is required to set up a JWKS endpoint at @handle/jwks (Instructions: @postpostscript/jwks ). This is the foundation for trusted communication between code executed by different Val Town accounts, and is what enables this system Anyone who wants to sign in must fork the @postpostscript/authId val which provides the sign in mechanism just for you . You can modify this to your liking as long as it provides the same outputs (redirecting back to the Client with token and clientToken query string params) with the same inputs (a Client Token) If I want to require authentication for my HTTP val, I need to use middleware to protect the endpoint(s). The simplest of that is @postpostscript/authMiddleware.authMiddlewareCookie , which will provide a login form for the endpoint and pass through the request once a trusted token is stored in the AUTH_ID_TOKEN cookie. By default, the val's owner is the only one who can sign into it. Here's an example JWT Payload that provides access to @example/exampleApp : {
"jti": "c63a41c9-13d0-4424-b5b4-4a8ec6002610",
"aud": [
"@example/exampleApp",
"@postpostscript/authId"
],
"scope": "@postpostscript/authId/id",
"iss": "@postpostscript/authId",
"sub": "@postpostscript/authId",
"clientTokenId": "12abb6d0-6c88-4d2f-bb56-88f79a2b4503",
"iat": 1709694976,
"exp": 1709698576
} This, once the token is verified against the @postpostscript/jwks endpoint , says: I received this auth token from @postpostscript ( iss : @postpostscript/authId ) I have been given permission to act as them ( scope : @postpostscript/authId/id ) I was authenticated at the request of a trusted client ( clientTokenId : 12abb6d0-6c88-4d2f-bb56-88f79a2b4503 ) @example/exampleApp is the only val that should accept this token ( aud : @example/exampleApp ) I have 1 hour to use this token, after that it will not work ( iat and exp ) Here's how I got to this token I navigated to https://example-exampleapp.web.val.run/ I entered my Val Town username (@postpostscript) I clicked "Go to Your Sign In Page" and was redirected to https://postpostscript-authid.web.val.run/?clientToken=[...] Since I hadn't verified my identity on my sign in page in an hour, I needed to do that by clicking "Send Sign In Link to My Email" and clicking the link in that email. Now the @postpostscript/authId endpoint knew I was @postpostscript! Next I reviewed the list of scopes @example/exampleApp was requesting. In this case, it was only the required scope of @postpostscript/authId/id , the one proving I am me. In other apps, I may see other scopes that the apps have requested that I can optionally accept I clicked Provide Access to @example/exampleApp and was redirected to https://example-exampleapp.web.val.run/?token=[...]&clientToken[...]. If the app is happy with those tokens, I am now authenticated. If it were locked down to only be available to @example, I'd see an error here Next Steps Try it out, give me feedback, and help out with improvements if you'd like! Right now @handle/authId is the only trusted sign-in provider but that's just for simplicity, there could be @handle/authIdV2 or @handle/iamme or @handle/whatever , as long as the outputs are the same I have started working on a permissioned callback system (run someone else's code as you without needing to fork anything) that uses this, but I'm not 100% sure yet how to guarantee that code you have whitelisted has not changed. Either way, that should be coming in the near future! Let me know if you have any ideas for that or anything else! Glossary Scope A permission that has been granted to a token, for example @example/blog/deleteComment or @example/apiProxy/request/v1/*:GET . Vals can self-describe their scopes like this: export const SCOPES = {
deleteComment: "lets you delete a comment",
"request/v1/*": "makes an API request as you",
} Client Token A token @postpostscript/authMiddleware.authMiddlewareCookie generates to represent a sign-in request. It is passed to a user's sign-in page and then passed back afterwards to ensure both parties trust each other Out of the box, @postpostscript/jwks.verify enforces the maximum number of times a token can be validated when the field maxUses is present in its payload. Client Tokens use this to ensure that 1 sign-in request = 1 sign-in attempt, successful or not JWT (JSON Web Token) A key giving permission to the token-holder to do an action JWKS (JSON Web Key Sets) A standard for the public verification of JWTs
HTTP (deprecated)
Every user who wants to use this system is required to set up a JWKS endpoint at `@handle/jwks` (Instructions: [@postpostscript/jwks](https://val.town/v/postpostscript/jwks)). This is the foundation for trusted communication between code executed by different Val Town accounts, and is what enables this system
Anyone who wants to _sign in_ must fork the [@postpostscript/authId](https://val.town/v/postpostscript/authId) val which provides the sign in mechanism _just for you_. You can modify this to your liking as long as it provides the same outputs (redirecting back to the Client with `token` and `clientToken` query string params) with the same inputs (a Client Token)
If I want to require authentication for my HTTP val, I need to use middleware to protect the endpoint(s). The simplest of that is [@postpostscript/authMiddleware.authMiddlewareCookie](https://postpostscript-modulehighlightvaluelink.web.val.run/?module=@postpostscript/authMiddleware&name=authMiddlewareCookie), which will provide a login form for the endpoint and pass through the request once a trusted token is stored in the AUTH_ID_TOKEN cookie. By default, the val's owner is the only one who can sign into it. Here's an example JWT Payload that provides access to `@example/exampleApp`:
"sub": "@postpostscript/authId",
"clientTokenId": "12abb6d0-6c88-4d2f-bb56-88f79a2b4503",
"iat": 1709694976,
- I have been given permission to act as them (`scope`: `@postpostscript/authId/id`)
- I was authenticated at the request of a trusted client (`clientTokenId`: `12abb6d0-6c88-4d2f-bb56-88f79a2b4503`)
- `@example/exampleApp` is the only val that should accept this token (`aud`: `@example/exampleApp`)
- I entered my Val Town username (@postpostscript)
- I clicked "Go to Your Sign In Page" and was redirected to https://postpostscript-authid.web.val.run/?clientToken=[...]
- Since I hadn't verified my identity on my sign in page in an hour, I needed to do that by clicking "Send Sign In Link to My Email" and clicking the link in that email. Now the `@postpostscript/authId` endpoint knew I was @postpostscript!
- Next I reviewed the list of scopes `@example/exampleApp` was requesting. In this case, it was only the required scope of `@postpostscript/authId/id`, the one proving I am me. In other apps, I may see other scopes that the apps have _requested_ that I can optionally accept
- I clicked Provide Access to `@example/exampleApp` and was redirected to https://example-exampleapp.web.val.run/?token=[...]&clientToken[...]. If the app is happy with those tokens, I am now authenticated. If it were locked down to only be available to @example, I'd see an error here
## Next Steps
"request/v1/*": "makes an API request as you",
### Client Token
A token [@postpostscript/authMiddleware.authMiddlewareCookie](https://postpostscript-modulehighlightvaluelink.web.val.run/?module=@postpostscript/authMiddleware&name=authMiddlewareCookie) generates to represent a sign-in request. It is passed to a user's sign-in page and then passed back afterwards to ensure both parties trust each other
Out of the box, [@postpostscript/jwks.verify](https://postpostscript-modulehighlightvaluelink.web.val.run/?module=@postpostscript/jwks&name=verify) enforces the maximum number of times a token can be validated when the field `maxUses` is present in its payload. Client Tokens use this to ensure that 1 sign-in request = 1 sign-in attempt, successful or not
### JWT (JSON Web Token)
slackScout
@nickaggarwal
Slack scout sends a slack notification every time your keywords are mentioned on Twitter, Hacker News, or Reddit. Get notified whenever you, your company, or topics of interest are mentioned online. Built with Browserbase . Inspired by f5bot.com . Full code tutorial . Getting Started To run Slack Scout, you’ll need a Browserbase API key Slack Webhook URL: setup here Twitter Developer API key Browserbase Browserbase is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use Browserbase’s Proxies to ensure we simulate authentic user interactions across multiple browser sessions . Get started with Browserbase for free here . Twitter We’ve decided to use the Twitter API to include Twitter post results. It costs $100 / month to have a Basic Twitter Developer account. If you decide to use Browserbase, we can lend our token. Comment below for access. Once you have the SLACK_WEBHOOK_URL , BROWSERBASE_API_KEY , and TWITTER_BEARER_TOKEN , input all of these as Val Town Environment Variables . Project created by Sarah Chieng and Alex Phan 💌
Cron
### Browserbase
[Browserbase](https://www.browserbase.com/) is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use [Browserbase’s Proxies](https://docs.browserbase.com/features/stealth-mode#proxies-and-residential-ips) to ensure we simulate authentic user interactions across multiple [browser sessions](https://docs.browserbase.com/features/sessions).
Get started with Browserbase for free [here](https://www.browserbase.com/sign-up).
graphQLYogaDeferAndStream
@dthyresson
GraphQL Yoga Server with Defer and Stream GraphQL Yoga from The Guild is a batteries-included cross-platform GraphQL over HTTP spec-compliant GraphQL server
powered by Envelop
and GraphQL Tools focused on easy setup, performance and great developer experience. This is an example of a GraphQL Yoga val with defer and stream features. Defer and Stream Defer and stream are directives that allow you to improve latency for clients by sending the most important data as soon as it’s ready. Usage To access GraphiQL - the GraphQL Playground - visit the / route.
That's what you see in the preview pane below. Defer The @defer directive allows you to post-pone the delivery of one or more (slow) fields grouped in an inlined or spread fragment.
Visit / and paste the following operation into the left panel. query SlowAndFastFieldWithDefer {
... on Query @defer {
slowField
}
fastField
} Stream The @stream directive allows you to stream the individual items of a field of the list type as the items are available.
Visit / and paste the following operation into the left panel. query MyStream {
alphabet @stream
} Configuration and Documentation See the GraphQL Yoga documentation for configuration and all the bells and whistles. Endpoint For this example, we'll set to / to make it easier to demo. However, by default, the GraphQL route is configured to be on /graphql which is more common. const yoga = createYoga({
schema,
}) You can set a custom endpoint: const yoga = createYoga({
schema,
graphqlEndpoint: "/my-gql",
}) Landing Page A landing page is shown be default whenever a 404 is hit. You can disable it via the landingPage option. const yoga = createYoga({
schema,
landingPage: false
})
HTTP
## Defer and Stream
[Defer and stream](https://the-guild.dev/graphql/yoga-server/docs/features/defer-stream) are directives that allow you to improve latency for clients by sending the most important data as soon as it’s ready.
## Usage
joinMatrixRoom
@dm3agv
An interactive, runnable TypeScript val by dm3agv
Script
roomId: string,
serverUrl: string = "https://matrix.org",
const url = `${serverUrl}/_matrix/client/v3/rooms/${
encodeURIComponent(roomId)
}/join`;
projectsSection
@iamseeley
An interactive, runnable TypeScript val by iamseeley
Script
</div>
<div class="tech-stack">${project.keywords && project.keywords.map(tech => `<p>${tech}</p>`).join('') || ''}</div>
<aside>${project.description || ''}</aside>
<div class="highlights">
${project.highlights && project.highlights.map(desc => `<p class="highlight-item">${desc}</p>`).join('') || ''}
spaceximage
@moe
@jsxImportSource https://esm.sh/react
HTTP (deprecated)
/** @jsxImportSource https://esm.sh/react */
import { ogImage } from "https://esm.town/v/moe/ogImage"
export default async function(req: Request): Promise<Response> {
litExample
@tmcw
lit Lit is kind of like Google's answer to React: it's a little more reliant on browser APIs like custom elements and the shadow DOM, a little less 'magic', like using JSX. This is an example of using Lit and rendering it straight to a string, which is something that's recently popular. It works pretty well, right off the bat: Lit provides nice ESM modules and a pretty smooth workflow!
Script
# lit
[Lit](https://lit.dev/docs/ssr/server-usage/) is kind of like Google's answer to React: it's a little more reliant on browser APIs like custom elements and the shadow DOM, a little less 'magic', like using JSX.
This is an example of using Lit and rendering it straight to a string, which is something that's recently popular. It works pretty well, right off the bat: Lit provides nice ESM modules and a pretty smooth workflow!
notion_paperpile_detail_filler
@nerdymomocat
An interactive, runnable TypeScript val by nerdymomocat
Cron
import process from "node:process";
import { Client } from "npm:@notionhq/client";
import { fetch } from "npm:cross-fetch";
export default async function(interval: Interval) {
throw new Error("Please fill in your API key and database ID");
let dont_update = [];
const notion = new Client({ auth: NOTION_API_KEY });
const databaseId = PAPERPILE_DB_ID;
const queryResponse = await notion.databases.query({
slackScout
@ewinney
Slack scout sends a slack notification every time your keywords are mentioned on Twitter, Hacker News, or Reddit. Get notified whenever you, your company, or topics of interest are mentioned online. Built with Browserbase . Inspired by f5bot.com . Full code tutorial . Getting Started To run Slack Scout, you’ll need a Browserbase API key Slack Webhook URL: setup here Twitter Developer API key Browserbase Browserbase is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use Browserbase’s Proxies to ensure we simulate authentic user interactions across multiple browser sessions . Get started with Browserbase for free here . Twitter We’ve decided to use the Twitter API to include Twitter post results. It costs $100 / month to have a Basic Twitter Developer account. If you decide to use Browserbase, we can lend our token. Comment below for access. Once you have the SLACK_WEBHOOK_URL , BROWSERBASE_API_KEY , and TWITTER_BEARER_TOKEN , input all of these as Val Town Environment Variables . Project created by Sarah Chieng and Alex Phan 💌
Cron
### Browserbase
[Browserbase](https://www.browserbase.com/) is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use [Browserbase’s Proxies](https://docs.browserbase.com/features/stealth-mode#proxies-and-residential-ips) to ensure we simulate authentic user interactions across multiple [browser sessions](https://docs.browserbase.com/features/sessions).
Get started with Browserbase for free [here](https://www.browserbase.com/sign-up).
greenHornet
@bandr123
An interactive, runnable TypeScript val by bandr123
HTTP (deprecated)
const postgres = await import("https://deno.land/x/postgres/mod.ts");
const client = new postgres.Client(Deno.env.get("neon_url"));
await client.connect();
export const testPostgres = await client.queryObject`select CURRENT_TIME;`;
wateryPeachEarwig
@danielchalef
Slack scout sends a slack notification every time your keywords are mentioned on Twitter, Hacker News, or Reddit. Get notified whenever you, your company, or topics of interest are mentioned online. Built with Browserbase . Inspired by f5bot.com . Full code tutorial . Getting Started To run Slack Scout, you’ll need a Browserbase API key Slack Webhook URL: setup here Twitter Developer API key Browserbase Browserbase is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use Browserbase’s Proxies to ensure we simulate authentic user interactions across multiple browser sessions . Get started with Browserbase for free here . Twitter We’ve decided to use the Twitter API to include Twitter post results. It costs $100 / month to have a Basic Twitter Developer account. If you decide to use Browserbase, we can lend our token. Comment below for access. Once you have the SLACK_WEBHOOK_URL , BROWSERBASE_API_KEY , and TWITTER_BEARER_TOKEN , input all of these as Val Town Environment Variables . Project created by Sarah Chieng and Alex Phan 💌
Cron
### Browserbase
[Browserbase](https://www.browserbase.com/) is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use [Browserbase’s Proxies](https://docs.browserbase.com/features/stealth-mode#proxies-and-residential-ips) to ensure we simulate authentic user interactions across multiple [browser sessions](https://docs.browserbase.com/features/sessions).
Get started with Browserbase for free [here](https://www.browserbase.com/sign-up).
MADBOTS
@jonbo
MAD BOTS (Multi-functional Alerting & Diagnostics Bot Operations Tracking System) This val runs every two minutes and makes sure a supabase realtime websocket listener is still alive. on spawn, checks to see if acknowledged_by_server == true if not, send a message to discord update the row (id=1) in supabase with acknowledged_by_server: false to reset for next run this will be responded to by the supabase handler. code snippet below: .on(
"postgres_changes",
{
event: "UPDATE",
schema: "public",
table: "uptime",
},
async (payload) => {
// this means we just acknowledged it
if (payload.new.acknowledged_by_server) {
console.log('uptime check already acknowledged - skipping');
return;
};
console.log('incoming uptime check request', payload);
if (!payload.new.acknowledged_by_server) {
await supabaseAdminClient.from('uptime').update({ acknowledged_by_server: true, acknowledged_at: new Date() }).eq('id', payload.new.id);
console.log('uptime check acknowledged');
}
}
)
note: this will keep alerting every two minutes until acknowledged. something to resolve in the next version.
Cron
if (!payload.new.acknowledged_by_server) {
await supabaseAdminClient.from('uptime').update({ acknowledged_by_server: true, acknowledged_at: new Date() }).eq('id', payload.new.id);
console.log('uptime check acknowledged');
import { createClient } from "https://esm.sh/@supabase/supabase-js@2";
const DISCORD_WEBHOOK = Deno.env.get("DISCORD_TANAKI_WEBHOOK");
export default async function(interval: Interval) {
const supabase = createClient(
Deno.env.get("TANAKI_SUPABASE_URL"),
slackScout
@pochetes
Slack scout sends a slack notification every time your keywords are mentioned on Twitter, Hacker News, or Reddit. Get notified whenever you, your company, or topics of interest are mentioned online. Built with Browserbase . Inspired by f5bot.com . Full code tutorial . Getting Started To run Slack Scout, you’ll need a Browserbase API key Slack Webhook URL: setup here Twitter Developer API key Browserbase Browserbase is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use Browserbase’s Proxies to ensure we simulate authentic user interactions across multiple browser sessions . Get started with Browserbase for free here . Twitter We’ve decided to use the Twitter API to include Twitter post results. It costs $100 / month to have a Basic Twitter Developer account. If you decide to use Browserbase, we can lend our token. Comment below for access. Once you have the SLACK_WEBHOOK_URL , BROWSERBASE_API_KEY , and TWITTER_BEARER_TOKEN , input all of these as Val Town Environment Variables . Project created by Sarah Chieng and Alex Phan 💌
Cron
### Browserbase
[Browserbase](https://www.browserbase.com/) is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use [Browserbase’s Proxies](https://docs.browserbase.com/features/stealth-mode#proxies-and-residential-ips) to ensure we simulate authentic user interactions across multiple [browser sessions](https://docs.browserbase.com/features/sessions).
Get started with Browserbase for free [here](https://www.browserbase.com/sign-up).
slackScout
@fahadakhan2
Slack scout sends a slack notification every time your keywords are mentioned on Twitter, Hacker News, or Reddit. Get notified whenever you, your company, or topics of interest are mentioned online. Built with Browserbase . Inspired by f5bot.com . Full code tutorial . Getting Started To run Slack Scout, you’ll need a Browserbase API key Slack Webhook URL: setup here Twitter Developer API key Browserbase Browserbase is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use Browserbase’s Proxies to ensure we simulate authentic user interactions across multiple browser sessions . Get started with Browserbase for free here . Twitter We’ve decided to use the Twitter API to include Twitter post results. It costs $100 / month to have a Basic Twitter Developer account. If you decide to use Browserbase, we can lend our token. Comment below for access. Once you have the SLACK_WEBHOOK_URL , BROWSERBASE_API_KEY , and TWITTER_BEARER_TOKEN , input all of these as Val Town Environment Variables . Project created by Sarah Chieng and Alex Phan 💌
Cron
### Browserbase
[Browserbase](https://www.browserbase.com/) is a developer platform to run, manage, and monitor headless browsers at scale. We’ll use Browserbase to navigate to, and scrape our different news sources. We’ll also use [Browserbase’s Proxies](https://docs.browserbase.com/features/stealth-mode#proxies-and-residential-ips) to ensure we simulate authentic user interactions across multiple [browser sessions](https://docs.browserbase.com/features/sessions).
Get started with Browserbase for free [here](https://www.browserbase.com/sign-up).
