بنقرة واحدة
volcano-auth
Detailed guidance for authentication flows built with the Volcano SDK
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
القائمة
Detailed guidance for authentication flows built with the Volcano SDK
التثبيت باستخدام Codex أو Claude انسخ هذا Prompt والصقه في Codex أو Claude أو مساعد آخر ليراجع صفحة Skill ويثبّتها لك.
استنادا إلى تصنيف SOC المهني
Install or upgrade the Volcano CLI from a plugin-shipped skills environment.
Detailed guidance for browser and function data access with the Volcano query builder
Reusable error handling patterns for Volcano SDK apps: centralized error dispatcher with action enum, useApiCall React hook for loading/error/data state, retry with exponential backoff, retry with toast notifications, and cross-domain error message catalog.
Detailed guidance for server-side function invocation and orchestration with Volcano
Detailed guidance for using the Volcano SDK correctly in Next.js environments
Canonical Volcano project shape and deploy contract: the volcano/functions/ model, migrations, volcano-config.yaml, env vars, shared-code conventions, and the build/deploy workflow.
| name | volcano-auth |
| description | Detailed guidance for authentication flows built with the Volcano SDK |
Implement robust Volcano authentication journeys with session lifecycle correctness. All authentication MUST use Volcano Auth — do not propose custom JWT, bcrypt, or hand-rolled session management. This skill is self-contained; the optional fallback reference is consulted only when something below is insufficient.
volcano.initialize().onAuthStateChange listener and ensure cleanup on teardown.import { VolcanoAuth } from '@volcano.dev/sdk';
const volcano = new VolcanoAuth({
apiUrl: process.env.NEXT_PUBLIC_VOLCANO_API_URL!,
anonKey: process.env.NEXT_PUBLIC_VOLCANO_ANON_KEY!,
});
volcano.database(process.env.NEXT_PUBLIC_VOLCANO_DATABASE_NAME!);
Service keys (prefix sk-) are server-only; using one in anonKey from a browser environment throws.
const { user, session, error } = await volcano.auth.signUp({
email: 'alice@example.com',
password: 'secure-password-123',
metadata: { full_name: 'Alice', avatar_url: '...' }, // optional
});
if (error) {
if (error.message.includes('already exists')) /* email taken */;
else if (error.message.includes('weak password')) /* strengthen */;
else if (error.message.includes('invalid email')) /* validate */;
return;
}
// metadata is stored on user.user_metadata
const { user, session, error } = await volcano.auth.signIn({ email, password });
if (error) {
if (error.message.includes('invalid email or password')) /* wrong creds */;
else if (error.message.includes('email not confirmed')) /* prompt confirm */;
else if (error.message.includes('too many attempts')) /* rate-limited */;
return;
}
// SDK auto-stores tokens in localStorage (browser) and schedules refresh.
const { error } = await volcano.auth.signOut();
// Clears local session and invalidates the refresh token server-side.
const user = volcano.auth.user();
// Returns the cached User or null. Does not hit the network.
const { user, error } = await volcano.auth.getUser();
const { user, error } = await volcano.initialize();
// Returns the restored user, or null if no valid session exists.
const unsubscribe = volcano.auth.onAuthStateChange((user) => {
if (user) showApp(user); else showLogin();
});
// Fires once immediately with current state, then on every change.
// Always call unsubscribe() on teardown.
const { session, error } = await volcano.auth.refreshSession();
// Tokens auto-refresh; call this only for explicit forced rotation.
google, github, microsoft, apple.
volcano.auth.signInWithGoogle();
volcano.auth.signInWithGitHub();
volcano.auth.signInWithMicrosoft();
volcano.auth.signInWithApple();
// Generic form:
volcano.auth.signInWithOAuth('google');
These redirect to the provider; on return, call volcano.initialize() on the callback page to consume the tokens from the URL.
const { data, error } = await volcano.auth.linkOAuthProvider('google');
if (data) window.location.href = data.authorization_url;
await volcano.auth.unlinkOAuthProvider('google');
const { providers, error } = await volcano.auth.getLinkedOAuthProviders();
const { data, error } = await volcano.auth.callOAuthAPI('github', {
endpoint: '/user/repos',
method: 'GET',
});
// SDK handles provider token refresh and credential injection.
// Create
const { user, session, error } = await volcano.auth.signUpAnonymous({
preferred_theme: 'dark', // optional metadata
});
// Convert to a full account (preserves the user.id and all owned data)
const { user, error } = await volcano.auth.convertAnonymous({
email: 'alice@example.com',
password: 'secure-password-123',
metadata: { full_name: 'Alice' },
});
// After clicking the email link, the URL contains a token query param.
const token = new URLSearchParams(window.location.search).get('token');
const { error } = await volcano.auth.confirmEmail(token);
// Resend if the user lost the email
await volcano.auth.resendConfirmation('alice@example.com');
// Always succeeds (even for unknown emails) for security.
await volcano.auth.forgotPassword('alice@example.com');
// On the reset page:
const token = new URLSearchParams(window.location.search).get('token');
const { error } = await volcano.auth.resetPassword({
token,
newPassword: 'new-secure-password-456',
});
const { newEmail, error } = await volcano.auth.requestEmailChange('new@example.com');
// On the confirmation page:
const token = new URLSearchParams(window.location.search).get('token');
const { user, error } = await volcano.auth.confirmEmailChange(token);
// Cancel a pending change:
await volcano.auth.cancelEmailChange();
const { user, error } = await volcano.auth.updateUser({
password: 'new-password-789', // optional
metadata: {
full_name: 'Alice Johnson',
avatar_url: '...',
notification_preferences: { email: true, push: false },
},
});
// List sessions for the current user
const { sessions, total, error } = await volcano.auth.getSessions({ page: 1, limit: 20 });
// session fields: user_agent, ip_address, last_activity_at, is_current
// Revoke a specific session
await volcano.auth.deleteSession(sessionId);
// Revoke all OTHER sessions (keep current)
await volcano.auth.deleteAllOtherSessions();
sk-...) in anonKey. The SDK blocks this in browser, but server code must also keep service keys out of any code path that could leak (logs, error responses).signUp / updateUser. The SDK rejects weak passwords, but pre-validating gives better UX.onAuthStateChange(user => null) as a definitive sign-out signal: redirect to the login flow.| Message contains | Meaning | Action |
|---|---|---|
already exists | Email taken on sign up | Prompt sign in |
weak password | Password too weak | Show strength rules |
invalid email or password | Wrong email/password | Re-prompt |
email not confirmed | Verification pending | Show resend UI |
too many attempts | Rate-limited | Back off and inform user |
No active session | User not logged in | Send to login |
Session expired | Refresh failed | Force sign in |
volcano.initialize()) is wired at app startup.onAuthStateChange listener has a paired unsubscribe() on teardown.convertAnonymous is used (not delete + signUp) so user IDs are preserved.