Authentication

Sign-up, sign-in, working with tokens and managing users. Email confirmation, password reset and RLS role-based access.


Core Concepts

StorageDB uses Supabase-style JWT-based authentication. Each project is provisioned with its own jwtSecret, and tokens are signed with it.

There are two kinds of API key: anon_key (public, client-side) and service_key (secret, server-side). The service key bypasses RLS policies and is required for admin operations.

The token is sent either in the apikey header or in Authorization: Bearer format. An access token is valid for 1 hour and can be renewed with a refresh_token.

Sign Up

A new user signs up via POST /v1/<REF>/auth/v1/signup. An email address and a password of at least 6 characters are required.

If AUTH_AUTOCONFIRM=true, the email is confirmed immediately and a session is issued. Otherwise a confirmation link is sent to the email address and session is null.

The response returns user and session (if confirmed). Additional information can be stored in the optional user_metadata.

cURL - sign up
curl -X POST https://storage.identify.uz/v1/<REF>/auth/v1/signup \
  -H "apikey: <ANON_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "MySecurePassword123",
    "data": {
      "full_name": "John Doe"
    }
  }'
SDK - sign up
import { createClient } from '@storagedb/client';

const db = createClient('https://storage.identify.uz/v1/<REF>', '<ANON_KEY>');

const { data, error } = await db.auth.signUp({
  email: 'user@example.com',
  password: 'MySecurePassword123',
  data: { full_name: 'John Doe' }
});

if (error) console.error('Xatolik:', error.message);
else console.log('Foydalanuvchi yaratildi:', data.user.id);

Sign In and Tokens

Signing in with email and password is done via POST /v1/<REF>/auth/v1/token?grant_type=password. If the email is not confirmed or the account is banned, sign-in is refused.

On a successful sign-in, access_token, refresh_token, expires_in (3600 seconds) and the user data are returned.

The access token is valid for 1 hour and can be renewed with the refresh_token: a new session is obtained with the grant_type=refresh_token query parameter. The old refresh token is revoked (rotation).

On every request the token is sent in the Authorization: Bearer <access_token> or apikey: <access_token> header.

cURL - sign in (password grant)
curl -X POST https://storage.identify.uz/v1/<REF>/auth/v1/token?grant_type=password \
  -H "apikey: <ANON_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com",
    "password": "MySecurePassword123"
  }'
cURL - refresh the session (refresh token)
curl -X POST https://storage.identify.uz/v1/<REF>/auth/v1/token?grant_type=refresh_token \
  -H "apikey: <ANON_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "refresh_token": "<REFRESH_TOKEN>"
  }'
SDK - sign in and session management
import { createClient } from '@storagedb/client';

const db = createClient('https://storage.identify.uz/v1/<REF>', '<ANON_KEY>');

// Sign in
const { data: session, error } = await db.auth.signInWithPassword({
  email: 'user@example.com',
  password: 'MySecurePassword123'
});

if (session) {
  console.log('Access token:', session.access_token);
  // The access token is used automatically on subsequent requests
}

// Refresh the session
const { data: newSession } = await db.auth.refreshSession();
console.log('Yangi access token:', newSession?.access_token);
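As an added example (not from the StorageDB SDK or docs), here is the client-side handling that the rotation described above requires: a small session holder that renews the access token shortly before its 3600-second expiry, keeps only the rotated refresh token, and drops the session when the server rejects the refresh. The refreshFn and the fake endpoint are stand-ins for POST .../token?grant_type=refresh_token; the SDK's refreshSession() does this for you.

```javascript
// Added example, not part of the StorageDB SDK; refreshFn stands in for the refresh_token grant.
class SessionStore {
  constructor(session, refreshFn, nowFn = () => Date.now()) {
    this.refreshFn = refreshFn;   // (refreshToken) => new session, or throws
    this.now = nowFn;             // injectable clock so expiry can be tested
    this.setSession(session);
  }

  setSession(session) {
    // expires_in is in seconds (3600 on this API); keep an absolute expiry in ms.
    this.accessToken = session.access_token;
    this.refreshToken = session.refresh_token;
    this.expiresAt = this.now() + session.expires_in * 1000;
  }

  // Refresh while `skewMs` remains, so a request sent just before the deadline
  // does not reach the server with an already-expired token.
  needsRefresh(skewMs = 60000) {
    return this.now() + skewMs >= this.expiresAt;
  }

  getAccessToken() {
    if (!this.needsRefresh()) return this.accessToken;
    try {
      const fresh = this.refreshFn(this.refreshToken);
      this.setSession(fresh);     // the refresh token we just sent is now revoked
    } catch (e) {
      // A rejected refresh means the token was already rotated or revoked
      // (logout, password change, reuse): drop the session instead of retrying.
      this.accessToken = null;
      this.refreshToken = null;
      throw new Error('session expired, sign in again: ' + e.message);
    }
    return this.accessToken;
  }
}

// Constructed stand-in for the token endpoint: issues a new pair and revokes the one just used.
function makeFakeRefreshEndpoint() {
  let counter = 1;
  const valid = new Set(['rt-1']);
  return (refreshToken) => {
    if (!valid.has(refreshToken)) throw new Error('invalid refresh token');
    valid.delete(refreshToken);
    counter += 1;
    valid.add(`rt-${counter}`);
    return { access_token: `at-${counter}`, refresh_token: `rt-${counter}`, expires_in: 3600 };
  };
}
```

Retrying with a copy of the pre-rotation refresh token would only produce an invalid-token error, since the server has already revoked it; the right reaction is to send the user through sign-in again.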

Email Confirmation and Password Reset

If email confirmation is required at sign-up, a confirmation link is sent to the email address. The link has the form GET /v1/<REF>/auth/v1/verify?token=<TOKEN>&type=signup.

When the user opens the link, the token confirms the email and a session is issued. From then on, sign-in with that email is possible.

A user who has forgotten their password sends a reset request via POST /v1/<REF>/auth/v1/recover (if the email exists a link is sent; if not, the endpoint stays silent).

The recovery link goes to GET /v1/<REF>/auth/v1/verify?token=<TOKEN>&type=recovery, after which the user sets a new password with POST /v1/<REF>/auth/v1/reset. The recovery token is valid for 1 hour.

When the password is updated, all old refresh tokens are revoked (sign-out from all devices).

cURL - password reset request
curl -X POST https://storage.identify.uz/v1/<REF>/auth/v1/recover \
  -H "apikey: <ANON_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "user@example.com"
  }'
# Response: { "message": "Agar email mavjud bo'lsa, havola yuborildi" }  (i.e. "If the email exists, a link has been sent")
cURL - set a new password
curl -X POST https://storage.identify.uz/v1/<REF>/auth/v1/reset \
  -H "apikey: <ANON_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "token": "<RECOVERY_TOKEN>",
    "password": "NewPassword123"
  }'
# Response: { "message": "Parol yangilandi" }  (i.e. "Password updated")
SDK - password reset
import { createClient } from '@storagedb/client';

const db = createClient('https://storage.identify.uz/v1/<REF>', '<ANON_KEY>');

// Send the reset link
const { error: recoverError } = await db.auth.resetPasswordForEmail('user@example.com');

if (!recoverError) {
  console.log("Tiklash havolasi email'ga yuborildi"); // double quotes: the message contains an apostrophe
}

Current User and Sign Out

Sending GET /v1/<REF>/auth/v1/user with the access token returns information about the current user.

To sign out, POST /v1/<REF>/auth/v1/logout is called. It revokes all refresh tokens and returns a 204 response.

On the client side, calling db.auth.signOut() clears the session and performs the logout on the server (the session is cleared even if an error occurs).

cURL - current user
curl -X GET https://storage.identify.uz/v1/<REF>/auth/v1/user \
  -H "Authorization: Bearer <ACCESS_TOKEN>"
cURL - sign out
curl -X POST https://storage.identify.uz/v1/<REF>/auth/v1/logout \
  -H "Authorization: Bearer <ACCESS_TOKEN>"
SDK - current user and sign out
import { createClient } from '@storagedb/client';

const db = createClient('https://storage.identify.uz/v1/<REF>', '<ANON_KEY>');

// Current user
const { data: user, error } = await db.auth.getUser();
if (user) {
  console.log('Foydalanuvchi ID:', user.id);
  console.log('Email:', user.email);
}

// Sign out
const { error: signOutError } = await db.auth.signOut();
if (!signOutError) {
  console.log('Muvaffaqiyatli chiqildi');
}

Admin Operations

Admin operations are performed with the service_key (as a JWT in the apikey header). They bypass RLS policies and allow full user management.

List users: GET /v1/<REF>/auth/v1/admin/users?limit=100&offset=0. Pagination is controlled with limit and offset.

Create a new user: POST /v1/<REF>/auth/v1/admin/users with an email, a password and optional metadata. The email is confirmed immediately.

Update a user: PUT /v1/<REF>/auth/v1/admin/users/:id changes the password, ban status or metadata. banned: true blocks the account for 100 years.

Delete a user: DELETE /v1/<REF>/auth/v1/admin/users/:id.

cURL - list users
curl -X GET 'https://storage.identify.uz/v1/<REF>/auth/v1/admin/users?limit=10&offset=0' \
  -H "apikey: <SERVICE_KEY>"
cURL - create a new user
curl -X POST https://storage.identify.uz/v1/<REF>/auth/v1/admin/users \
  -H "apikey: <SERVICE_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "email": "admin-created@example.com",
    "password": "SecurePassword123",
    "user_metadata": {
      "role": "moderator"
    }
  }'
cURL - ban a user
curl -X PUT https://storage.identify.uz/v1/<REF>/auth/v1/admin/users/<USER_ID> \
  -H "apikey: <SERVICE_KEY>" \
  -H "Content-Type: application/json" \
  -d '{
    "banned": true
  }'
SDK - admin operations
import { createClient } from '@storagedb/client';

// Create a client with the service key
const db = createClient('https://storage.identify.uz/v1/<REF>', '<SERVICE_KEY>');

// List users
const { data: users, error: listError } = await db.auth.admin.listUsers();

// New user
const { data: newUser } = await db.auth.admin.createUser({
  email: 'admin@example.com',
  password: 'AdminPassword123',
  user_metadata: { role: 'admin' }
});

// Update a user
const { data: updated } = await db.auth.admin.updateUserById('<USER_ID>', {
  password: 'NewPassword123',
  banned: false,
  user_metadata: { role: 'user' }
});

// Delete a user
const { error: deleteError } = await db.auth.admin.deleteUser('<USER_ID>');

RLS and Roles

StorageDB uses PostgreSQL RLS (Row Level Security). Every request is executed according to the role claim in the JWT.

There are three roles: anon (unauthenticated), authenticated (signed in) and service_role (admin, bypasses RLS).

In an access-token JWT the role is automatically authenticated. For admin operations the service_key is used (as a JWT with role: service_role).

In RLS policies, the auth.uid() function returns the user's ID. For example, the storage policy owner_id = auth.uid() restricts results to the files owned by that user.

In client-side authenticated requests, the access token is sent automatically as apikey (by the SDK).

Questions? Help improve the docs on GitHub.
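As an added example, not part of the StorageDB SDK: the role claim that RLS evaluates can be read from any token on the client by decoding the JWT payload (signature verification stays on the server, which alone holds jwtSecret). The helpers below classify a key by its role claim, refuse a service_role key in client configuration, and check the exp claim; the tokens used in the checks are constructed samples with a placeholder signature. Assumes Node.js (Buffer with base64url).

```javascript
// Added example, not part of the StorageDB SDK. Assumes Node.js (Buffer with
// 'base64url'). The payload is decoded, not verified: only the server, which
// holds jwtSecret, can check the signature, so these helpers are for client
// hygiene and diagnostics, never for authorization decisions.

function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT: expected header.payload.signature');
  // base64url uses '-' and '_' instead of '+' and '/', with padding stripped.
  const payload = Buffer.from(parts[1], 'base64url').toString('utf8');
  return JSON.parse(payload);
}

// Returns the role claim: 'anon', 'authenticated' or 'service_role'.
function tokenRole(token) {
  const role = decodeJwtClaims(token).role;
  if (!['anon', 'authenticated', 'service_role'].includes(role)) {
    throw new Error('unexpected role claim: ' + String(role));
  }
  return role;
}

// Refuse a key that must never ship in a browser or mobile bundle; call it
// where the client reads its API key, e.g. right before createClient().
function assertClientSafeKey(apiKey) {
  if (tokenRole(apiKey) === 'service_role') {
    throw new Error('service_role key in client config: it bypasses RLS');
  }
  return true;
}

// True once the exp claim (seconds since epoch) has passed. Access tokens on
// this API live one hour; a key without exp (the API keys) never expires here.
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { exp } = decodeJwtClaims(token);
  return typeof exp === 'number' && exp <= nowSeconds;
}

// Constructed sample tokens for illustration: the signature part is a
// placeholder, so the real server would reject them.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}
```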