@@ -173,6 +173,7 @@ Parameter mapping for downstream Web auth code:
173
173
-`UserNameLogin` also enables the broader password-login surface exposed by `auth.signInWithPassword({ username|email|phone, password })`
174
174
-`SmsVerificationConfig.Type = "apis"` requires both `Name` and `Method`
175
175
-`EnvId` is always the CloudBase environment ID, not the publishable key
176
+
- If the conversation only contains an environment alias, nickname, or other shorthand, resolve it to the canonical full `EnvId` first before generating auth config, SDK init examples, or console links
176
177
177
178
Internal behavior of `manageAppAuth(action="patchLoginStrategy")`:
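Review bot: The added bullet at new line 176 says to resolve an alias to the canonical full `EnvId` but does not say how. The other files touched in this commit name the call, `envQuery(action="list", alias=..., aliasExact=true)`; repeating it here would keep this parameter mapping self-sufficient and keep a guessed or partially matched ID out of auth config and console links.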
@@ -83,6 +83,7 @@ Keep local `references/...` paths for files that ship with the current skill dir
83
83
- Using `signInWithEmailAndPassword` or `signUpWithEmailAndPassword` for username-style accounts such as `admin` and `editor`.
84
84
- Keeping the login or register account input as `type="email"` when the task explicitly says the account identifier is a plain username string.
85
85
- Starting implementation before calling `queryAppAuth(action="getLoginConfig")` and enabling `usernamePassword` when it is still off.
86
+
-**Treating `auth.getUser()` returning a user as proof of real login.** When the SDK is initialized with a `publishableKey` / `accessKey`, it may silently create an anonymous session. A route guard's `checkAuth()` must verify that the user actually signed in with username/password (e.g. check `session.loginType !== 'ANONYMOUS'` or that `user.user_metadata?.username` exists), not just that `getUser()` returns non-null. Otherwise unauthenticated visitors pass the guard, protected pages render without a real user, and role-based UI (edit / delete buttons gated on `currentUser.role`) breaks because `currentUser` has no role record.
86
87
87
88
## Overview
88
89
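Review bot: The new pitfall at line 86 offers two checks joined by "or" (`session.loginType !== 'ANONYMOUS'`, or `user.user_metadata?.username` exists) without saying which one is authoritative. The two are not equivalent: the first tests how the session was established, the second only tests that a metadata field is populated, and nothing in the text establishes that the field is set only for password logins. Suggest naming the login-type check as the rule and the metadata check as a fallback at most. Since `checkAuth()` is a frontend route guard, it would also help to state that it only controls what is rendered, and that the edit / delete operations behind the role-gated buttons still need to be enforced on the backend.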
@@ -95,9 +96,8 @@ Keep local `references/...` paths for files that ship with the current skill dir
95
96
96
97
**Use Case**: Web frontend projects using `@cloudbase/js-sdk@2.24.0+` for user authentication
97
98
**Key Benefits**: Supabase-like Auth API shape, supports phone, email, anonymous, username/password, and third-party login methods
Use the same CDN address as `web-development`. Prefer npm installation in modern bundler projects, and use the CDN form for static HTML, no-build demos, or low-friction examples.
100
+
Use npm installation for modern Web projects. In React, Vue, Vite, and other bundler-based apps, install and import `@cloudbase/js-sdk` from the project dependencies instead of using a CDN script.
101
101
102
102
## Prerequisites
103
103
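Review bot: The replacement line at new line 100 drops the previous guidance for static HTML and no-build demos, so those projects are left with no instruction at all. If the CDN form is still supported, keep one sentence for that case; if it is intentionally discouraged, say so explicitly so that nobody falls back to an arbitrary script URL.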
@@ -107,6 +107,7 @@ Use the same CDN address as `web-development`. Prefer npm installation in modern
107
107
### Parameter map
108
108
109
109
- For username-style identifiers, the required precondition is `loginMethods.usernamePassword === true` from `queryAppAuth(action="getLoginConfig")`. If it is false, enable it with `manageAppAuth(action="patchLoginStrategy", patch={ usernamePassword: true })` before wiring frontend auth code.
110
+
- If the conversation only provides an environment alias, nickname, or other shorthand, resolve it with `envQuery(action="list", alias=..., aliasExact=true)` first and use the returned canonical full `EnvId` for SDK init, console links, and generated config. Do not pass alias-like short forms directly into `cloudbase.init({ env })`.
110
111
- Treat CloudBase Web Auth as **Supabase-like**, not “every `supabase-js` auth example is valid unchanged”
111
112
- When `queryAppAuth` / `manageAppAuth` returns `sdkStyle: "supabase-like"` and `sdkHints`, follow those method and parameter hints first
112
113
-`auth.signInWithOtp({ phone })` and `auth.signUp({ phone })` use the phone number in a `phone` field, not `phone_number`
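Review bot: The new bullet at line 110 covers the successful lookup only. It does not say what to do when `envQuery(action="list", alias=..., aliasExact=true)` returns no match or more than one, whereas the Alias Handling line added to `doc/prompts/cloudbase-platform.mdx` in this same commit says to ask the user to confirm. Suggest adding the same stop-and-confirm rule here, since this is the path that feeds `cloudbase.init({ env })`.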
@@ -121,10 +122,11 @@ Use the same CDN address as `web-development`. Prefer npm installation in modern
121
122
## Quick Start
122
123
123
124
```js
125
+
// npm install @cloudbase/js-sdk
124
126
importcloudbasefrom'@cloudbase/js-sdk'
125
127
126
128
constapp=cloudbase.init({
127
-
env:`env`, // CloudBase environment ID
129
+
env:'your-full-env-id', //Canonical full CloudBase environment ID resolved from envQuery or the console, not an alias or shorthand
accessKey:'publishable key', // required, get from auth-tool-cloudbase
130
132
auth: { detectSessionInUrl:true }, // required
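Review bot: In the Quick Start snippet, the context line `accessKey:'publishable key', // required, ...` directly under the changed `env` line marks the key as required, while the prose after the snippet (visible in the next hunk header) says to omit `accessKey` when no real Publishable Key has been retrieved. Since this block is being edited anyway, align the comment with that rule. Both values are also plain string literals that run unchanged if copied, so a short marker that they are placeholders to be replaced would make a leftover value easier to spot in review.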
@@ -141,8 +143,9 @@ If the current task has not retrieved a real Publishable Key, omit `accessKey` i
141
143
142
144
**1. Phone OTP (Recommended)**
143
145
- Automatically use `auth-tool-cloudbase` to turn on `SMS Login` through `manageAppAuth`
146
+
- For phone registration, send the phone number to `auth.signUp({ phone, ... })` first, then call the returned `verifyOtp({ token })`. Do not swap the order.
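Review bot: "Do not swap the order" at new line 146 is ambiguous, because `verifyOtp` is described as returned by `auth.signUp({ phone, ... })` and so cannot be called before it. If the mistake being guarded against is calling a different verify method first, or calling `signUp` again after the code arrives, name that explicitly.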
doc/prompts/cloud-functions.mdx (35 additions & 3 deletions)
@@ -92,6 +92,8 @@ Keep local `references/...` paths for files that ship with the current skill dir
92
92
- Forgetting that runtime cannot be changed after creation.
93
93
- Using cloud functions as the first answer for Web login.
94
94
- Forgetting that HTTP Functions must ship `scf_bootstrap`, listen on port `9000`, and include dependencies.
95
+
- Forgetting to configure function security rules after creating an HTTP Function. Default rules reject anonymous callers with `EXCEED_AUTHORITY`. Use `managePermissions(action="updateResourcePermission", resourceType="function")` to allow public access.
96
+
- Mismatching the `scf_bootstrap` Node.js binary path with the function runtime (e.g. using `/var/lang/node18/bin/node` but setting `runtime: "Nodejs16.13"`).
95
97
96
98
### Minimal checklist
97
99
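Review bot: The first added bullet (new line 95) presents the default rule that rejects anonymous callers with `EXCEED_AUTHORITY` as an omission to be corrected by allowing public access, with no condition attached. That default is the safer state. Suggest wording it as a decision: open the function with `managePermissions(action="updateResourcePermission", resourceType="function")` only when the endpoint is meant to be public, and otherwise keep the default and have callers authenticate.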
@@ -110,8 +112,25 @@ Use this skill when developing, deploying, and operating CloudBase cloud functio
110
112
111
113
- If the request is for SDK calls, timers, or event-driven workflows, write an **Event Function** with `exports.main = async (event, context) => {}`.
112
114
- If the request is for REST APIs, browser-facing endpoints, SSE, or WebSocket, write an **HTTP Function** with `req` / `res` on port `9000`.
115
+
- For Node.js HTTP Functions, default to the native `http` module unless the user explicitly asks for Express, Koa, NestJS, or another framework.
113
116
- If the user mentions HTTP access for an existing Event Function, keep the Event Function code shape and add gateway access separately.
114
117
118
+
## HTTP Function authoring contract
119
+
120
+
Use these rules whenever you are writing the function code itself:
121
+
122
+
- Do not write an HTTP Function as `exports.main(event, context)`. That is the Event Function contract.
123
+
- Treat the function as a standard web server process that must listen on port `9000`.
124
+
- With Node.js, prefer `http.createServer((req, res) => { ... })` by default so the runtime contract stays explicit.
125
+
- With the Node.js native `http` module, do not assume Express-style helpers exist. `req.body`, `req.query`, and `req.params` are not provided for you.
126
+
- For Node.js HTTP Functions, choose one module system up front and keep it consistent. Default to CommonJS for simple functions (`require(...)`, no `"type": "module"` in `package.json`) unless you explicitly want ES Modules.
127
+
- If you do choose ES Modules (`"type": "module"` + `import ...`), do not mix in CommonJS-only globals or APIs such as `require(...)`, `module.exports`, or bare `__dirname`. In ESM, derive file paths from `import.meta.url` with `fileURLToPath(...)` only when needed.
128
+
- With the native `http` module, parse `req.url` yourself with `new URL(...)`, collect the request body from the stream, and only then call `JSON.parse`. Empty bodies should be handled explicitly instead of assuming JSON is always present.
129
+
- Return responses explicitly with `res.writeHead(...)` and `res.end(...)`, including `Content-Type` such as `application/json; charset=utf-8` for JSON APIs.
130
+
- Keep routing and method handling explicit. Unknown paths should return `404`, and known paths with unsupported methods should normally return `405`.
131
+
- Keep gateway setup and security-rule changes separate from the runtime code. They affect access, not the HTTP Function programming model.
132
+
- Do not add HTTP access service configuration when the task is only to create an HTTP Function itself. Gateway paths or custom domains are separate access-layer work; anonymous or public invocation requirements should be handled through the function security rule workflow.
133
+
115
134
## Quick decision table
116
135
117
136
| Question | Choose |
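Review bot: The body-handling rule at new line 128 covers empty bodies but not malformed or oversized ones. With the native `http` module, a `JSON.parse` failure on a bad payload is an unhandled exception unless the handler catches it, and collecting the stream without a size limit lets a single caller exhaust memory, which matters for functions opened to anonymous access. Suggest adding that parse failures return `400` and that the collected body is capped (for example with `413` above the limit).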
@@ -137,7 +156,7 @@ Use this skill when developing, deploying, and operating CloudBase cloud functio
137
156
3.**Write code and deploy, do not stop at local files**
138
157
- Use `manageFunctions(action="createFunction")` for creation
139
158
- Use `manageFunctions(action="updateFunctionCode")` for code updates
140
-
- Keep `functionRootPath` as the parent directory of the function folder
159
+
- Keep `functionRootPath` as the directory that directly contains function folders (e.g., `cloudfunctions/` or `functions/`), NOT the project root and NOT the function subdirectory itself
141
160
- Use CLI only as a fallback when MCP tools are unavailable
doc/prompts/cloudbase-platform.mdx (4 additions & 1 deletion)
@@ -150,8 +150,10 @@ Use this skill for **CloudBase platform knowledge** when you need to:
150
150
1.**SDK Initialization**:
151
151
- CloudBase SDK initialization requires environment ID
152
152
- Can query environment ID via `envQuery` tool
153
+
- If the user only provides an environment alias, nickname, or other short form, resolve it with `envQuery(action="list", alias=..., aliasExact=true)` first and use the returned full `EnvId`
154
+
- Do not pass alias-like short forms directly into SDK init, `auth.set_env`, console URLs, or generated config files
-**Replace Variables**: Always replace `${envId}` with the actual environment ID queried via `envQuery` tool
348
+
-**Alias Handling**: If the conversation only contains an alias or shorthand, first resolve it with `envQuery(action="list", alias=..., aliasExact=true)` and use the returned `EnvId`; if the alias is ambiguous or missing, ask the user to confirm before generating links
346
349
-**Resource-Specific URLs**: For specific resources (collections, functions, models), replace resource name variables with actual values
347
350
-**Usage**: After creating/deploying resources, provide these console links to users for management operations