Bug: Using 3rd party tokens results in "IAM error: Not enough permissions to perform this action" for create actions
thyaravind opened this issue · 1 comments
Describe the bug
We have defined a custom token using a public key on Namespace level and we are issuing jwt tokens to the users signed with corresponding private key. Each user is associated with their own database. Everything is working fine if we are performing queries using http sql method. However, when we try to use js SDK, insert or create operations are resulting in the following error while select operation works fine.
{
  "error": {
    "code": -32000,
    "message": "There was a problem with the database: IAM error: Not enough permissions to perform this action"
  },
  "id": "23"
}
I am not sure if it's because we can't use db.authenticate() with 3rd party tokens. I tried searching on Discord and docs but was unable to diagnose this issue.
Token definition query
USE NS TIDYDEV;
DEFINE TOKEN tokenone
  ON NAMESPACE
  TYPE RS384
  VALUE "---public key that we used---";
JWT payload and headers:
HEADERS:
{
  "alg": "RS384",
  "typ": "JWT",
  "kid": "tokenone"
}
PAYLOAD:
{
  "user": "xxx",
  "iat": 1698844986,
  "exp": 1698880986,
  "audience": "xxx",
  "issuer": "xxx",
  "NS": "TIDYDEV",
  "TK": "tokenone",
  "aud": "xxx",
  "iss": "xxx"
}
JS code
await this.db.connect(`${this.instance}/rpc`, {
  namespace: import.meta.env.VITE_SURREAL_USER_NS,
  database: this.userId,
});
return await this.db.authenticate(this.token);
Steps to reproduce
- Create a sample namespace and define a custom token scoped to that namespace using public-private key pair
- Create a database inside that namespace
- Generate a jwt token using the corresponding private key and payload containing NS details
- Use the token to perform create, select etc operations using http endpoint sql on the created NS and DB. This will work fine.
- Use the same token from SDK to perform create or insert operation. These operations fail with permission issue. However, select operation succeeds.
Expected behaviour
SDK should also allow write operations as the token is scoped to NS level.
SurrealDB version
Surreal 1.0.0
SurrealDB.js version
0.11.0
Closing this issue as this issue is happening not with the SDK itself but with the specific version of Surreal.
I am facing no issues regarding permissions using Surreal 1.0.0-beta.9-20230402