Query database with explicit user object

thomasv · December 28, 2022, 3:12am

Hey there!

So, I have a node.js backend that logs in to Moralis with username and password, this returns a user object. But because it’s node.js the user is not saved in Moralis.User.current() which means that the subsequent queries all fail because the backend is not authenticated. (note: I also don’t want to use the masterKey)

From the documentation I get that I can use Moralis.User.enableUnsafeCurrentUser() to bypass that but I’d rather not to stay stateless.

So my question is, is there any way to execute a query with the user object returned by the logIn function without having it in Moralis.User.current()

johnversus · June 22, 2022, 10:13am

If you assign the authentication function to a constant then that can be used to get the logged in user data.
const user = await Moralis.authenticate({})
You can try this and check if it works in nodejs.

cryptokid · June 22, 2022, 10:53am

you can look on how the request looks like when an authenticated user makes the request in front-end, and then you can try to provide the same request parameters, this is a more complicated way to do it

thomasv · June 22, 2022, 12:26pm

@johnversus The authentication part is not the problem, I already have a user.
It’s the next step, how to make an authenticated call, that I’m usure about.

thomasv · June 22, 2022, 12:27pm

@cryptokid
Hm, that is troublesome, if you don’t know the answer to that I’m not sure I should continue further and maybe find an alternative way instead.

cryptokid · June 22, 2022, 12:40pm

why do you need to make a call as an user in the first place from backend?

thomasv · June 22, 2022, 1:27pm

@cryptokid That’s a good question.

I have a backend that I use for api calls and it needs the proper rights to make changes in the database.

I’d prefer not to use cloud functions and instead go via my own server and also not use the master key because, we’ll, it’s the master key and it would suck if it leaked.

It would have been nice to have api-keys of sort that can easily be generated and revoked if needed but that doesn’t exist unfortunately.

The closest way I have found to mimic api-keys is using Roles and users, which brings me to the current problem that when I log in with a user on a node.js backend I can’t seem to make calls with it.

— without enableUnsafeUser, which as the name says it, is unsafe.

So yeah, it would be nice if I could make a call from my node.js backend and explicitly use the logged in User object or it’s sessionKey to authenticate.

If you know of a better way to do it feel free to let me know!