tags
POPULAR

How to Build a Simple, Secure Social Media Site with Magic and Hasura

16 August, 2021 | 7 min read

Quickstart

  1. Create a new account and application with Magic. Keep this tab open! You’ll need both the Publishable API and Secret Keys soon.
  2. Create a new project with Hasura
  3. Add a new environment variable called HASURA_GRAPHQL_JWT_SECRET in your Hasura project’s Settings > Env vars like so:
{
  "key": "abcdefghijklmnopqrstuvwxyz1234567890",
  "type": "HS256"
}

4. Keep your Hasura project Settings > General tab open, you’ll need the GraphQL API url soon as well.

5. Run npx make-magic --template hasura

Now that the app is running, you can sign up with an email address and username. However, since we haven’t set up the backend to store and retrieve the data we need, the app will look pretty empty! If you want to complete the app, continue reading.

Intro

Learn how to build a simple yet secure social media site where you can share photos of your kitties and see other people's kitten galleries!

Magic Auth with Hasura and Next.js
Magic Auth with Hasura and Next.js

Part 1: Build Heroku PostgreSQL Database

Step 0. Update Hasura Env

Remember how you ran npx make-magic --template hasura to create a template for this project? If you take a look at the .env file, you’ll find that we’ve generated a new JWT_SECRET for you.

Make sure to go back to your Hasura project’s Settings > Env var tab, and replace the key in HASURA_GRAPHQL_JWT_SECRET with the newly generated JWT Secret.

Step 1. Set up Heroku

First thing we’re going to do is set up a database. Thanks to Hasura, we can do this a lot quicker and easier than doing it from scratch. All we have to do is create an account and a new project with Hasura, launch their console, go into the Data tab and then create a Heroku PostgreSQL database.

Connect a Database to Hasura
Connect a Database to Hasura

Step 2. Create users table

Next we’ll create our first table where we’ll store the user’s information. Namely, their issuer, publicAddress, email and username. Set the issuer as the primary key so that we can create a relationship with another table in a bit.

Users table
Users table

To control access to the users table, we’ll create a user role with a few limitations.

Users Permission
Users Permission
  1. Users should be able to see other profiles, so they have full access to select from the users table.
Users select permission
Users select permission

2. Users are only able to create, update or remove their own profile. This means we need a rule that requires the request to the GraphQL API to include a session variable called X-Hasura-User-Id.

Users insert permission
Users insert permission

X-Hasura-User-Id means the user is able to insert data if and only if it is an authenticated request. Later on in this guide you’ll see how to use the JWT token to meet this rule.

Step 3. Create kitties table

Let’s create another table and call it kitties. It’s where we’ll be storing all of the photos people submit of their kittens. The data each row will have is: id, pic_url and user_id.

We also want to control access to this table, so let’s set up a user role again. The rules are going to sound similar to the users table.

  1. Users should be able to see other people’s kittens.
Kitties select permissions
Kitties select permissions

2. Users should only be able to upload or delete photos of their own kitten.

Kitties insert permission
Kitties insert permission


Because we’ll need to run nested queries on both the users and kitties tables, we first have to establish a relationship between them. We do this by setting the user_id as the foreign key that is mapped to the primary key of the users table (namely, the issuer).

Kitties table modify
Kitties table modify

Step 4. Create an array relationship

Since there is a relationship between these two tables, we can create an array relationship which lets us do a nested query on the users table. In our case, an array relationship means a user can have multiple photos of kittens.

Users array relationship with Kitties
Users array relationship with Kitties

Now that we’ve set it up, we’re able to run a nested object query on the users table and are able to see all of the kitty pics every user has shared.

query users and kitties
query users and kitties

Step 5. Create an object relationship

Lastly, we’ll create an object relationship which lets us do a nested object query on the kitties table. This means every photo of a kitty has exactly one owner.

kitties object relationship with user
kitties object relationship with user

Here’s how a nested object query looks.

query kitties and user
query kitties and user

Part 2: Build Next.js Client

Now that we’ve got our database set up, let’s move onto the frontend and explain what our core UI components do!

<Signup />

Boxi Signup
Boxi Signup

This is where the user signs up with their email address. Because I want to display people’s usernames on their profile and dashboard, I’ve also added an extra field for it.

Note: The expected flow is for the user to 1) sign up, and if they ever log out, to get back into their account they’ll need to 2) log in. To keep the code simple, there is no logic in place to check whether or not the user is already registered.

<KittyDashboard />

Enter profile
Enter profile

Once the user logs in, they land on the dashboard. This is where they’ll be able to see all of the kitty pictures people have shared. It’s also where they can share photos of their kittens as well.

To create a profile for every user, we’ve implemented Next.js dynamic routes.

<UserKittyPics />

Boxi Gallery
Boxi Gallery

If we click into a person’s profile, we’ll be able to see their profile which includes a gallery of their kittens.

<Profile />

If we click into our own profile, we’ll also see a gallery along with our personal information.

Part 3: Plug in Magic Auth

Now let’s understand the core parts that make authentication with Magic possible.

Signing up or Logging in

signup.js is the main file that handles the user onboarding flow. ../lib/magic.js is where import the Magic library and initialize the Magic SDK. When the user logs in, we call magic.auth.loginWithMagicLink which triggers the magic link to be emailed to the user.

Once the user is authenticated by Magic, a Decentralized Identity (DID) token with a default 15-minute lifespan is generated. We send this token to our serverless function at /api/login to validate it, pull the authenticated user’s information to save in a JWT, and then store this JWT in a cookie to persist user sessions.

Ensure User is Logged in

If we take a closer look at signup.js we’ll see that we’re calling useuser(). This function checks whether or not the user is logged in, which helps us route the user to the appropriate page.

Logging out

When the user logs out, our app calls a serverless function at /api/logout. This function clears the cookie that contains the JWT and then calls magic.users.logouByIssuer() to log the user out of their session with Magic.

Part 4: Build GraphQL API

Now that we’ve got our database, client, and auth all set up, it’s time to create a GraphQL API.

<Signup />

When the user signs up, we want to create a new user in our users table. Here’s the query to make this happen:

<KittyDashboard />

When a user shares a photo of their kitten, we’ll want to add a new row to the kitties table. The query for this is addKittyQuery:

<UserKittyPics />

To display the kitty galleries owned by other users, we’ll need to fetch all of the photos for the specified user. Here is the query:

<Profile />

Boxi Profile Magic Auth
Boxi Profile Magic Auth

Lastly, for the logged in user to see their own kitty gallery as well as their personal information, we’ll need to fetch these data as well. The query to get the user’s username is:

And the query to get the kitty gallery is the same as in <UserKittyPics />. The only difference is that we’re not passing userId as a prop into the component.

Try Magic

There you have it. A simple, yet secure social media site where you can share and see photos of other people’s kitties! Here is the open source repo, and a link to the demo.

If you need an auth solution that’s easy to use, try Magic today. For a limited time, you’ll get your first 10,000 logins free. Sign up today at https://go.magic.link/hasura.

About the Author

Maricris Bonzo - Maricris has been a Developer Advocate for a variety of tech companies for 4+ years. She loves to learn about modern infrastructure and tech that either simplifies or elevates the developer experience. When she's not advocating for passwordless auth at Magic, she is building a community in public called Blockchain Ladies Club ( 🛡⛓🐞♣.y.at).

Follow her on Twitter - https://twitter.com/seemcat



Close

Get Started with GraphQL Now

Hasura Cloud gives you a fully managed, production ready GraphQL API as a service to help you build modern apps faster.

Praveen Durairaju

Praveen Durairaju

Application Engineer. Tech Enthusiast. Follow on Twitter - https://twitter.com/@praveenweb

Read More

Ready to get started?
Start for free on Hasura Cloud or you could contact our sales team for a detailed walk-through on how Hasura may benefit your business.
Get monthly product updates
Sign up for full access to our community highlights, new features, and occasional baby animal gifs! Oh, and we have a strict no-spam rule. ✌️