The latest articles on DEV Community by Akshat Batra (@akshatbatra). https://dev.to/akshatbatra https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3584125%2F5f3dfee4-1361-410b-8789-86831f6784b6.png https://dev.to/akshatbatra en Akshat Batra Fri, 05 Dec 2025 21:50:17 +0000 https://dev.to/akshatbatra/chimera-1fhd https://dev.to/akshatbatra/chimera-1fhd <h2> Inspiration </h2> <p>We were inspired by the idea of a "digital memory monster" - what if your personal data could be resurrected and queried in an interactive, slightly spooky way? The concept of Frankenstein's creature learning from the world around it became our metaphor for an AI system that absorbs your digital footprint and surfaces forgotten memories on demand.</p> <h2> What it does </h2> <p>Chimera is a voice-activated digital memory retrieval system that queries across your personal data sources (Gmail, browser history, photos, and audio recordings) using natural language. Users speak a query into the microphone, and Chimera's Strands Agent processes the request across multiple data sources, retrieving relevant memories and articulating responses through an AI voice powered by Elevenlabs. The interface features a Halloween-themed design with spooky animations, making the experience of excavating your digital past feel appropriately eerie.</p> <h2> How we built it </h2> <p>We constructed Chimera using React + Vite for a responsive frontend with Framer Motion for smooth, theatrical animations. The RAG (Retrieval-Augmented Generation) pipeline is powered by Raindrop platform, which handles indexing and semantic search across diverse data sources. We integrated Amazon's Strands Agents SDK to orchestrate queries and Elevenlabs integration that provides the natural-sounding voice synthesis for the monster's responses. The entire stack is containerized with Docker.</p> <h2> Challenges we ran into </h2> <ul> <li> <strong>Multi-source data normalization</strong>: Consolidating data from Gmail, browser history, photos, and audio into a unified format for the RAG pipeline required careful design.</li> <li> <strong>Voice synthesis latency</strong>: Balancing real-time responsiveness with high-quality audio generation from Elevenlabs.</li> <li> <strong>State management complexity</strong>: Coordinating multiple async operations (listening → processing → audio playback) while maintaining smooth UI feedback.</li> <li> <strong>Spooky UX that still works</strong>: Making the interface visually Halloween-themed while keeping it intuitive and functional.</li> </ul> <h2> Accomplishments that we're proud of </h2> <ul> <li>Successfully integrated three complex external services (Raindrop, Strands Agents, Elevenlabs) into a cohesive workflow.</li> <li>Created a polished, animated UI that feels both fun and functional - the visual feedback during processing states really sells the "monster working" concept.</li> <li>Built a production-ready containerized deployment that can be instantly shared and demoed.</li> <li>The audio visualizer and real-time status updates create genuine engagement when the system is "speaking."</li> </ul> <h2> What we learned </h2> <ul> <li>Orchestrating multiple AI/ML services requires careful attention to async flows and error handling.</li> <li>Framer Motion is incredibly powerful for creating engaging, theatrical UX that actually improves usability.</li> <li>The "spooky theme" isn't just cosmetic - it makes the data retrieval experience feel more memorable, turning a potentially creepy concept into something delightful.</li> <li>RAG pipelines work best when data sources are well-structured and semantically consistent beforehand.</li> </ul> <h2> What's next for Chimera </h2> <ul> <li> <strong>Expanded data sources</strong>: Integration with Spotify listening history, social media archives, and calendar events.</li> <li> <strong>Pattern memory</strong>: Storing and learning from query patterns to improve future retrievals.</li> <li> <strong>Multi-voice mode</strong>: Different monster personalities with distinct voices for different data sources.</li> <li> <strong>Mobile app</strong>: Bringing Chimera to iOS/Android for on-the-go memory resurrection.</li> <li> <strong>Collaborative mode</strong>: Sharing memories and queries with friends, building a "collective digital consciousness."</li> <li> <strong>Fine-tuning</strong>: Training custom voice models to make output even more character-appropriate.</li> </ul> kiro Akshat Batra Mon, 27 Oct 2025 06:51:03 +0000 https://dev.to/akshatbatra/innogate-anti-piracy-research-discovery-platform-with-ai-powered-rag-and-auth0-fga-39of https://dev.to/akshatbatra/innogate-anti-piracy-research-discovery-platform-with-ai-powered-rag-and-auth0-fga-39of <p><em>This is a submission for the <a href="https://dev.to/challenges/auth0-2025-10-08">Auth0 for AI Agents Challenge</a></em></p> <h2> What We Built </h2> <p><strong>InnoGate</strong> is an ethical research paper sharing and discovery platform that combines Auth0's Fine-Grained Authorization (FGA) with AI-powered Retrieval Augmented Generation (RAG) to create a secure, intelligent research assistant. The platform addresses two critical challenges in academic research:</p> <h3> The Problem </h3> <ol> <li> <strong>Piracy and Ethical Sourcing</strong>: Researchers often resort to platforms like Sci-Hub due to paywalls, creating ethical and legal concerns</li> <li> <strong>Information Overload</strong>: With millions of research papers published annually, finding and synthesizing relevant information is overwhelming</li> </ol> <h3> The Solution </h3> <p>InnoGate provides:</p> <ul> <li>🔬 <strong>Ethical Research Access</strong>: Integration with OpenAlex API for legitimate, open-access research papers</li> <li>🤖 <strong>AI-Powered Research Assistant</strong>: Chat with your research papers using RAG technology</li> <li>🔐 <strong>Fine-Grained Access Control</strong>: Share papers securely with colleagues using Auth0 FGA</li> <li>🎯 <strong>Smart Suggestions</strong>: AI automatically suggests relevant papers based on your queries</li> <li>🔍 <strong>Researcher Discovery</strong>: Find and follow researchers by ORCID ID</li> </ul> <h3> Demo Video </h3> <p> <iframe src="https://www.youtube.com/embed/bmQVvu8NMCA"> </iframe> </p> <h3> Tech Stack </h3> <ul> <li> <strong>Backend</strong>: Fastify, PostgreSQL, Drizzle ORM</li> <li> <strong>Frontend</strong>: React 19, React Router 7, Tailwind CSS</li> <li> <strong>AI/ML</strong>: LangChain, Azure OpenAI (embeddings), OpenRouter (chat)</li> <li> <strong>Auth</strong>: Auth0 (JWT), Auth0 FGA (fine-grained authorization)</li> <li> <strong>APIs</strong>: OpenAlex (research papers)</li> </ul> <h2> Repository </h2> <p>🔗 <strong>Repository</strong>: <a href="https://github.com/akshatbatra/innogate" rel="noopener noreferrer">GitHub - InnoGate</a></p> <h3> Key Features </h3> <p><strong>1. Researcher Discovery &amp; PDF Management</strong></p> <p>Users can search researchers by ORCID ID and automatically <br> link their publications with metadata</p> <ul> <li>Search by ORCID: e.g. 0000-0002-1825-0097</li> <li>Auto-fetch papers from OpenAlex API</li> <li>Upload full PDFs with researcher metadata</li> </ul> <p><strong>2. AI-Powered Suggestions</strong></p> <ul> <li>Type a research question</li> <li>AI automatically suggests relevant papers (with relevance scores)</li> <li>One-click to load papers into RAG context</li> </ul> <p><strong>3. Secure PDF Sharing</strong></p> <ul> <li>Share papers with colleagues via email</li> <li>Recipients automatically linked to researcher</li> <li>Fine-grained permissions via Auth0 FGA</li> </ul> <h2> How I Used Auth0 for AI Agents </h2> <p>Auth0 is the backbone of InnoGate's security architecture, implementing both authentication and fine-grained authorization.</p> <h3> 1. Authentication with Auth0 Provider </h3> <p><strong>Frontend Setup:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">default</span> <span class="kd">function</span> <span class="nf">AuthProvider</span><span class="p">({</span> <span class="nx">children</span> <span class="p">}:</span> <span class="nx">Props</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">mounted</span><span class="p">,</span> <span class="nx">setMounted</span><span class="p">]</span> <span class="o">=</span> <span class="nf">useState</span><span class="p">(</span><span class="kc">false</span><span class="p">);</span> <span class="nf">useEffect</span><span class="p">(()</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nf">setMounted</span><span class="p">(</span><span class="kc">true</span><span class="p">);</span> <span class="p">},</span> <span class="p">[]);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">mounted</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Render children directly during SSR (no auth on server render)</span> <span class="k">return</span> <span class="o">&lt;&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/&gt;</span><span class="err">; </span> <span class="p">}</span> <span class="kd">const</span> <span class="nx">domain</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_AUTH0_DOMAIN</span> <span class="k">as</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">clientId</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_AUTH0_CLIENT_ID</span> <span class="k">as</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">audience</span> <span class="o">=</span> <span class="k">import</span><span class="p">.</span><span class="nx">meta</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">VITE_AUTH0_AUDIENCE</span> <span class="k">as</span> <span class="kr">string</span> <span class="o">|</span> <span class="kc">undefined</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">domain</span> <span class="o">||</span> <span class="o">!</span><span class="nx">clientId</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">warn</span><span class="p">(</span><span class="dl">"</span><span class="s2">VITE_AUTH0_DOMAIN or VITE_AUTH0_CLIENT_ID is not set.</span><span class="dl">"</span><span class="p">);</span> <span class="k">return</span> <span class="o">&lt;&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/&gt;</span><span class="err">; </span> <span class="p">}</span> <span class="k">return </span><span class="p">(</span> <span class="o">&lt;</span><span class="nx">Auth0Provider</span> <span class="nx">domain</span><span class="o">=</span><span class="p">{</span><span class="nx">domain</span><span class="p">}</span> <span class="nx">clientId</span><span class="o">=</span><span class="p">{</span><span class="nx">clientId</span><span class="p">}</span> <span class="nx">authorizationParams</span><span class="o">=</span><span class="p">{{</span> <span class="na">redirect_uri</span><span class="p">:</span> <span class="nb">window</span><span class="p">.</span><span class="nx">location</span><span class="p">.</span><span class="nx">origin</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="nx">audience</span><span class="p">,</span> <span class="c1">// Request access token for the API</span> <span class="p">}}</span> <span class="nx">cacheLocation</span><span class="o">=</span><span class="dl">"</span><span class="s2">localstorage</span><span class="dl">"</span> <span class="nx">useRefreshTokens</span><span class="o">=</span><span class="p">{</span><span class="kc">true</span><span class="p">}</span> <span class="o">&gt;</span> <span class="o">&lt;</span><span class="nx">UserInitializer</span><span class="o">&gt;</span><span class="p">{</span><span class="nx">children</span><span class="p">}</span><span class="o">&lt;</span><span class="sr">/UserInitializer</span><span class="err">&gt; </span> <span class="o">&lt;</span><span class="sr">/Auth0Provider</span><span class="err">&gt; </span> <span class="p">);</span> <span class="p">}</span> </code></pre> </div> <p><strong>Backend JWT Verification:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/src/index.ts</span> <span class="k">import</span> <span class="nx">Auth0</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@auth0/auth0-fastify-api</span><span class="dl">"</span><span class="p">;</span> <span class="k">await</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">register</span><span class="p">(</span><span class="nx">Auth0</span><span class="p">,</span> <span class="p">{</span> <span class="na">domain</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AUTH0_DOMAIN</span><span class="p">,</span> <span class="na">audience</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AUTH0_AUDIENCE</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// All routes protected with JWT</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/pdfs/upload</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">preHandler</span><span class="p">:</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">requireAuth</span><span class="p">(),</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.[</span><span class="dl">'</span><span class="s1">https://innogate.app/email</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// ... handle upload</span> <span class="p">});</span> </code></pre> </div> <p><strong>Custom Claims in Auth0:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">exports</span><span class="p">.</span><span class="nx">onExecutePostLogin</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">event</span><span class="p">,</span> <span class="nx">api</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="c1">// Add email as a custom claim to the access token</span> <span class="k">if </span><span class="p">(</span><span class="nx">event</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">)</span> <span class="p">{</span> <span class="nx">api</span><span class="p">.</span><span class="nx">accessToken</span><span class="p">.</span><span class="nf">setCustomClaim</span><span class="p">(</span><span class="dl">'</span><span class="s1">https://innogate.app/email</span><span class="dl">'</span><span class="p">,</span> <span class="nx">event</span><span class="p">.</span><span class="nx">user</span><span class="p">.</span><span class="nx">email</span><span class="p">);</span> <span class="p">}</span> <span class="p">};</span> </code></pre> </div> <h3> 2. Fine-Grained Authorization with Auth0 FGA </h3> <p>This is where InnoGate's security shines. Auth0 FGA provides document-level access control that's both powerful and flexible.</p> <h4> The FGA Authorization Model </h4> <p>The heart of FGA is the authorization model. Here's InnoGate's model:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">model</span> <span class="nx">schema</span> <span class="mf">1.1</span> <span class="kd">type</span> <span class="nx">user</span> <span class="kd">type</span> <span class="nx">doc</span> <span class="nx">relations</span> <span class="nx">define</span> <span class="nx">owner</span><span class="p">:</span> <span class="p">[</span><span class="nx">user</span><span class="p">]</span> <span class="nx">define</span> <span class="nx">viewer</span><span class="p">:</span> <span class="p">[</span><span class="nx">user</span><span class="p">]</span> <span class="nx">define</span> <span class="nx">can_view</span><span class="p">:</span> <span class="nx">owner</span> <span class="nx">or</span> <span class="nx">viewer</span> </code></pre> </div> <p><strong>What this means:</strong></p> <ul> <li> <code>type user</code>: Represents authenticated users</li> <li> <code>type doc</code>: Represents research papers/PDFs</li> <li> <code>owner</code>: Direct relation - users who uploaded the document</li> <li> <code>viewer</code>: Direct relation - users granted read access</li> <li> <code>can_view</code>: <strong>Computed relation</strong> - authorization check that returns true if user is owner OR viewer</li> </ul> <p>This model elegantly handles the core requirements:</p> <ul> <li>Document owners have full control</li> <li>Shared users get viewer access</li> <li>Authorization checks use the <code>can_view</code> computed relation</li> </ul> <h4> FGA Client Configuration </h4> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/src/lib/fga.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">OpenFgaClient</span><span class="p">,</span> <span class="nx">CredentialsMethod</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@openfga/sdk</span><span class="dl">"</span><span class="p">;</span> <span class="k">export</span> <span class="kd">function</span> <span class="nf">getFGAClient</span><span class="p">()</span> <span class="p">{</span> <span class="k">return</span> <span class="k">new</span> <span class="nc">OpenFgaClient</span><span class="p">({</span> <span class="na">apiUrl</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_API_URL</span><span class="p">,</span> <span class="c1">// https://api.us1.fga.dev</span> <span class="na">storeId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_STORE_ID</span><span class="p">,</span> <span class="c1">// Your FGA store ID</span> <span class="na">credentials</span><span class="p">:</span> <span class="p">{</span> <span class="na">method</span><span class="p">:</span> <span class="nx">CredentialsMethod</span><span class="p">.</span><span class="nx">ClientCredentials</span><span class="p">,</span> <span class="na">config</span><span class="p">:</span> <span class="p">{</span> <span class="na">clientId</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_CLIENT_ID</span><span class="p">,</span> <span class="na">clientSecret</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_CLIENT_SECRET</span><span class="p">,</span> <span class="na">apiTokenIssuer</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_API_URL</span><span class="p">,</span> <span class="na">apiAudience</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_API_AUDIENCE</span><span class="p">,</span> <span class="p">},</span> <span class="p">},</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h4> Core FGA Operations </h4> <p><strong>Granting Access (Creating Tuples):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/src/lib/fga.ts</span> <span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span> <span class="nx">userEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">documentId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">relation</span><span class="p">:</span> <span class="dl">"</span><span class="s2">owner</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fgaClient</span> <span class="o">=</span> <span class="nf">getFGAClient</span><span class="p">();</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[FGA] Granting </span><span class="p">${</span><span class="nx">relation</span><span class="p">}</span><span class="s2"> access to doc:</span><span class="p">${</span><span class="nx">documentId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">result</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fgaClient</span><span class="p">.</span><span class="nf">write</span><span class="p">({</span> <span class="na">writes</span><span class="p">:</span> <span class="p">[{</span> <span class="na">user</span><span class="p">:</span> <span class="s2">`user:</span><span class="p">${</span><span class="nx">userEmail</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">relation</span><span class="p">,</span> <span class="na">object</span><span class="p">:</span> <span class="s2">`doc:</span><span class="p">${</span><span class="nx">documentId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">}],</span> <span class="p">});</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[FGA] Successfully granted access:`</span><span class="p">,</span> <span class="nx">result</span><span class="p">);</span> <span class="k">return</span> <span class="nx">result</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <p><strong>When a PDF is uploaded, two tuples are created:</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// User is both owner and viewer</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">,</span> <span class="nx">pdfId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">owner</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">,</span> <span class="nx">pdfId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p><strong>Checking Access (Authorization):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">canUserViewDocument</span><span class="p">(</span> <span class="nx">userEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">documentId</span><span class="p">:</span> <span class="kr">string</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nx">boolean</span><span class="o">&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fgaClient</span> <span class="o">=</span> <span class="nf">getFGAClient</span><span class="p">();</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">allowed</span> <span class="p">}</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">fgaClient</span><span class="p">.</span><span class="nf">check</span><span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="s2">`user:</span><span class="p">${</span><span class="nx">userEmail</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">relation</span><span class="p">:</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">,</span> <span class="na">object</span><span class="p">:</span> <span class="s2">`doc:</span><span class="p">${</span><span class="nx">documentId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">allowed</span> <span class="o">||</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="dl">"</span><span class="s2">FGA check error:</span><span class="dl">"</span><span class="p">,</span> <span class="nx">error</span><span class="p">);</span> <span class="k">return</span> <span class="kc">false</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p><strong>Batch Checking (Performance Optimization):</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">batchCheckDocumentAccess</span><span class="p">(</span> <span class="nx">userEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">documentIds</span><span class="p">:</span> <span class="kr">string</span><span class="p">[]</span> <span class="p">):</span> <span class="nb">Promise</span><span class="o">&lt;</span><span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">boolean</span><span class="o">&gt;&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fgaClient</span> <span class="o">=</span> <span class="nf">getFGAClient</span><span class="p">();</span> <span class="kd">const</span> <span class="na">results</span><span class="p">:</span> <span class="nb">Record</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">boolean</span><span class="o">&gt;</span> <span class="o">=</span> <span class="p">{};</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[FGA] Batch checking </span><span class="p">${</span><span class="nx">documentIds</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> documents`</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">checks</span> <span class="o">=</span> <span class="nx">documentIds</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">docId</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">user</span><span class="p">:</span> <span class="s2">`user:</span><span class="p">${</span><span class="nx">userEmail</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="na">relation</span><span class="p">:</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">,</span> <span class="na">object</span><span class="p">:</span> <span class="s2">`doc:</span><span class="p">${</span><span class="nx">docId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">}));</span> <span class="c1">// Parallel FGA checks for performance</span> <span class="kd">const</span> <span class="nx">responses</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nx">checks</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">check</span> <span class="o">=&gt;</span> <span class="nx">fgaClient</span><span class="p">.</span><span class="nf">check</span><span class="p">(</span><span class="nx">check</span><span class="p">))</span> <span class="p">);</span> <span class="nx">documentIds</span><span class="p">.</span><span class="nf">forEach</span><span class="p">((</span><span class="nx">docId</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">results</span><span class="p">[</span><span class="nx">docId</span><span class="p">]</span> <span class="o">=</span> <span class="nx">responses</span><span class="p">[</span><span class="nx">index</span><span class="p">].</span><span class="nx">allowed</span> <span class="o">||</span> <span class="kc">false</span><span class="p">;</span> <span class="p">});</span> <span class="k">return</span> <span class="nx">results</span><span class="p">;</span> <span class="p">}</span> </code></pre> </div> <h4> Real-World FGA Integration </h4> <p><strong>Use Case 1: PDF Upload</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/src/routes/pdfs.ts</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/pdfs/upload</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">preHandler</span><span class="p">:</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">requireAuth</span><span class="p">(),</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">workId</span><span class="p">,</span> <span class="nx">workTitle</span><span class="p">,</span> <span class="nx">orcidId</span><span class="p">,</span> <span class="nx">researcherName</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">query</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.[</span><span class="dl">'</span><span class="s1">https://innogate.app/email</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// 1. Save PDF to database</span> <span class="kd">const</span> <span class="p">[</span><span class="nx">uploaded</span><span class="p">]</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">uploadedPdfs</span><span class="p">)</span> <span class="p">.</span><span class="nf">values</span><span class="p">({</span> <span class="na">ownerId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">workId</span><span class="p">,</span> <span class="na">fileName</span><span class="p">:</span> <span class="nx">uniqueFileName</span><span class="p">,</span> <span class="na">originalName</span><span class="p">:</span> <span class="nx">data</span><span class="p">.</span><span class="nx">filename</span><span class="p">,</span> <span class="nx">workTitle</span><span class="p">,</span> <span class="nx">orcidId</span><span class="p">,</span> <span class="nx">researcherName</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="nf">returning</span><span class="p">();</span> <span class="c1">// 2. Create FGA tuples (this is the magic!)</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_STORE_ID</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="c1">// Grant both owner and viewer relations</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">,</span> <span class="nx">uploaded</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">"</span><span class="s2">owner</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">,</span> <span class="nx">uploaded</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">);</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="s2">`✅ FGA access granted for </span><span class="p">${</span><span class="nx">uploaded</span><span class="p">.</span><span class="nx">id</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">fgaError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">fgaError</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Failed to grant FGA access</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Graceful degradation: Upload succeeds even if FGA fails</span> <span class="p">}</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">uploaded</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">workId</span><span class="p">:</span> <span class="nx">uploaded</span><span class="p">.</span><span class="nx">workId</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Use Case 2: Accepting Share Requests</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/src/routes/pdfs.ts</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/pdfs/share-requests/:id/accept</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">preHandler</span><span class="p">:</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">requireAuth</span><span class="p">(),</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">id</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">params</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.[</span><span class="dl">'</span><span class="s1">https://innogate.app/email</span><span class="dl">'</span><span class="p">];</span> <span class="kd">const</span> <span class="nx">shareRequest</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nx">query</span><span class="p">.</span><span class="nx">pdfShareRequests</span><span class="p">.</span><span class="nf">findFirst</span><span class="p">({</span> <span class="na">where</span><span class="p">:</span> <span class="nf">and</span><span class="p">(</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">pdfShareRequests</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">id</span><span class="p">),</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">pdfShareRequests</span><span class="p">.</span><span class="nx">toUserId</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">),</span> <span class="na">with</span><span class="p">:</span> <span class="p">{</span> <span class="na">pdf</span><span class="p">:</span> <span class="kc">true</span> <span class="p">},</span> <span class="p">});</span> <span class="c1">// 1. Grant database access</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="nf">insert</span><span class="p">(</span><span class="nx">pdfAccess</span><span class="p">)</span> <span class="p">.</span><span class="nf">values</span><span class="p">({</span> <span class="na">pdfId</span><span class="p">:</span> <span class="nx">shareRequest</span><span class="p">.</span><span class="nx">pdfId</span><span class="p">,</span> <span class="na">userId</span><span class="p">:</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="p">});</span> <span class="c1">// 2. Create FGA tuple for shared access</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_STORE_ID</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">,</span> <span class="nx">shareRequest</span><span class="p">.</span><span class="nx">pdfId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">);</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">info</span><span class="p">(</span><span class="s2">`✅ FGA viewer access granted to </span><span class="p">${</span><span class="nx">userEmail</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">fgaError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">fgaError</span><span class="p">,</span> <span class="dl">"</span><span class="s2">Failed to grant FGA access</span><span class="dl">"</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> <span class="c1">// 3. Delete the share request (no longer needed)</span> <span class="k">await</span> <span class="nx">db</span><span class="p">.</span><span class="k">delete</span><span class="p">(</span><span class="nx">pdfShareRequests</span><span class="p">).</span><span class="nf">where</span><span class="p">(</span><span class="nf">eq</span><span class="p">(</span><span class="nx">pdfShareRequests</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="nx">id</span><span class="p">));</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Share request accepted</span><span class="dl">"</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <p><strong>Use Case 3: AI PDF Suggestions with FGA</strong></p> <p>This is where FGA truly shines - protecting AI-powered features:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/src/routes/pdf-suggestions.ts</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/pdf-suggestions/suggest</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">preHandler</span><span class="p">:</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">requireAuth</span><span class="p">(),</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">query</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.[</span><span class="dl">'</span><span class="s1">https://innogate.app/email</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// Step 1: Get PDFs from database (first layer of security)</span> <span class="kd">const</span> <span class="nx">accessiblePdfs</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">db</span> <span class="p">.</span><span class="nf">select</span><span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">uploadedPdfs</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">workTitle</span><span class="p">:</span> <span class="nx">uploadedPdfs</span><span class="p">.</span><span class="nx">workTitle</span><span class="p">,</span> <span class="na">originalName</span><span class="p">:</span> <span class="nx">uploadedPdfs</span><span class="p">.</span><span class="nx">originalName</span><span class="p">,</span> <span class="na">researcherName</span><span class="p">:</span> <span class="nx">uploadedPdfs</span><span class="p">.</span><span class="nx">researcherName</span><span class="p">,</span> <span class="na">ownerId</span><span class="p">:</span> <span class="nx">uploadedPdfs</span><span class="p">.</span><span class="nx">ownerId</span><span class="p">,</span> <span class="p">})</span> <span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">uploadedPdfs</span><span class="p">)</span> <span class="p">.</span><span class="nf">leftJoin</span><span class="p">(</span><span class="nx">pdfAccess</span><span class="p">,</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">pdfAccess</span><span class="p">.</span><span class="nx">pdfId</span><span class="p">,</span> <span class="nx">uploadedPdfs</span><span class="p">.</span><span class="nx">id</span><span class="p">))</span> <span class="p">.</span><span class="nf">where</span><span class="p">(</span> <span class="nf">or</span><span class="p">(</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">uploadedPdfs</span><span class="p">.</span><span class="nx">ownerId</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">),</span> <span class="c1">// User owns it</span> <span class="nf">eq</span><span class="p">(</span><span class="nx">pdfAccess</span><span class="p">.</span><span class="nx">userId</span><span class="p">,</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="c1">// User has access</span> <span class="p">)</span> <span class="p">);</span> <span class="c1">// Step 2: Verify with FGA (second layer of security - defense in depth!)</span> <span class="kd">let</span> <span class="nx">authorizedPdfIds</span> <span class="o">=</span> <span class="nx">accessiblePdfs</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">pdf</span> <span class="o">=&gt;</span> <span class="nx">pdf</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_STORE_ID</span><span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">pdfIds</span> <span class="o">=</span> <span class="nx">accessiblePdfs</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">pdf</span> <span class="o">=&gt;</span> <span class="nx">pdf</span><span class="p">.</span><span class="nx">id</span><span class="p">);</span> <span class="c1">// Batch check all PDFs in parallel</span> <span class="kd">const</span> <span class="nx">accessResults</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">batchCheckDocumentAccess</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">,</span> <span class="nx">pdfIds</span><span class="p">);</span> <span class="c1">// Filter to only FGA-authorized PDFs</span> <span class="nx">authorizedPdfIds</span> <span class="o">=</span> <span class="nx">pdfIds</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">id</span> <span class="o">=&gt;</span> <span class="nx">accessResults</span><span class="p">[</span><span class="nx">id</span><span class="p">]);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[FGA] User authorized for </span><span class="p">${</span><span class="nx">authorizedPdfIds</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2">/</span><span class="p">${</span><span class="nx">pdfIds</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> PDFs`</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Filter PDFs to only authorized ones</span> <span class="kd">const</span> <span class="nx">authorizedPdfs</span> <span class="o">=</span> <span class="nx">accessiblePdfs</span><span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">pdf</span> <span class="o">=&gt;</span> <span class="nx">authorizedPdfIds</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">pdf</span><span class="p">.</span><span class="nx">id</span><span class="p">)</span> <span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">authorizedPdfs</span><span class="p">.</span><span class="nx">length</span> <span class="o">===</span> <span class="mi">0</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">suggestions</span><span class="p">:</span> <span class="p">[],</span> <span class="na">message</span><span class="p">:</span> <span class="dl">"</span><span class="s2">No authorized PDFs available</span><span class="dl">"</span><span class="p">,</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Step 3: Create embeddings for semantic search</span> <span class="kd">const</span> <span class="nx">embeddings</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AzureOpenAIEmbeddings</span><span class="p">({</span> <span class="na">azureOpenAIApiKey</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_OPENAI_API_KEY</span><span class="p">,</span> <span class="na">azureOpenAIApiInstanceName</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_OPENAI_API_INSTANCE_NAME</span><span class="p">,</span> <span class="na">azureOpenAIApiDeploymentName</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_OPENAI_API_EMBEDDINGS_DEPLOYMENT_NAME</span><span class="p">,</span> <span class="na">azureOpenAIApiVersion</span><span class="p">:</span> <span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">AZURE_OPENAI_API_VERSION</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">queryEmbedding</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">embeddings</span><span class="p">.</span><span class="nf">embedQuery</span><span class="p">(</span><span class="nx">query</span><span class="p">);</span> <span class="c1">// Step 4: Create embeddings for PDF titles and researchers</span> <span class="kd">const</span> <span class="nx">pdfTexts</span> <span class="o">=</span> <span class="nx">authorizedPdfs</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">pdf</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">title</span> <span class="o">=</span> <span class="nx">pdf</span><span class="p">.</span><span class="nx">workTitle</span> <span class="o">||</span> <span class="nx">pdf</span><span class="p">.</span><span class="nx">originalName</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">researcher</span> <span class="o">=</span> <span class="nx">pdf</span><span class="p">.</span><span class="nx">researcherName</span> <span class="o">||</span> <span class="dl">""</span><span class="p">;</span> <span class="k">return</span> <span class="s2">`</span><span class="p">${</span><span class="nx">title</span><span class="p">}</span><span class="s2"> </span><span class="p">${</span><span class="nx">researcher</span><span class="p">}</span><span class="s2">`</span><span class="p">.</span><span class="nf">trim</span><span class="p">();</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">pdfEmbeddings</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">embeddings</span><span class="p">.</span><span class="nf">embedDocuments</span><span class="p">(</span><span class="nx">pdfTexts</span><span class="p">);</span> <span class="c1">// Step 5: Calculate cosine similarity</span> <span class="kd">const</span> <span class="nx">similarities</span> <span class="o">=</span> <span class="nx">pdfEmbeddings</span><span class="p">.</span><span class="nf">map</span><span class="p">((</span><span class="nx">pdfEmbed</span><span class="p">,</span> <span class="nx">index</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">pdf</span><span class="p">:</span> <span class="nx">authorizedPdfs</span><span class="p">[</span><span class="nx">index</span><span class="p">],</span> <span class="na">similarity</span><span class="p">:</span> <span class="nf">cosineSimilarity</span><span class="p">(</span><span class="nx">queryEmbedding</span><span class="p">,</span> <span class="nx">pdfEmbed</span><span class="p">),</span> <span class="p">}));</span> <span class="c1">// Step 6: Return top 5 suggestions</span> <span class="kd">const</span> <span class="nx">topSuggestions</span> <span class="o">=</span> <span class="nx">similarities</span> <span class="p">.</span><span class="nf">sort</span><span class="p">((</span><span class="nx">a</span><span class="p">,</span> <span class="nx">b</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">b</span><span class="p">.</span><span class="nx">similarity</span> <span class="o">-</span> <span class="nx">a</span><span class="p">.</span><span class="nx">similarity</span><span class="p">)</span> <span class="p">.</span><span class="nf">slice</span><span class="p">(</span><span class="mi">0</span><span class="p">,</span> <span class="mi">5</span><span class="p">)</span> <span class="p">.</span><span class="nf">filter</span><span class="p">(</span><span class="nx">s</span> <span class="o">=&gt;</span> <span class="nx">s</span><span class="p">.</span><span class="nx">similarity</span> <span class="o">&gt;</span> <span class="mf">0.3</span><span class="p">)</span> <span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">s</span> <span class="o">=&gt;</span> <span class="p">({</span> <span class="na">id</span><span class="p">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">pdf</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">workTitle</span><span class="p">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">pdf</span><span class="p">.</span><span class="nx">workTitle</span><span class="p">,</span> <span class="na">originalName</span><span class="p">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">pdf</span><span class="p">.</span><span class="nx">originalName</span><span class="p">,</span> <span class="na">researcherName</span><span class="p">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">pdf</span><span class="p">.</span><span class="nx">researcherName</span><span class="p">,</span> <span class="na">isOwner</span><span class="p">:</span> <span class="nx">s</span><span class="p">.</span><span class="nx">pdf</span><span class="p">.</span><span class="nx">ownerId</span> <span class="o">===</span> <span class="nx">user</span><span class="p">.</span><span class="nx">id</span><span class="p">,</span> <span class="na">relevanceScore</span><span class="p">:</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">round</span><span class="p">(</span><span class="nx">s</span><span class="p">.</span><span class="nx">similarity</span> <span class="o">*</span> <span class="mi">100</span><span class="p">),</span> <span class="p">}));</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">suggestions</span><span class="p">:</span> <span class="nx">topSuggestions</span><span class="p">,</span> <span class="na">totalAccessiblePdfs</span><span class="p">:</span> <span class="nx">authorizedPdfs</span><span class="p">.</span><span class="nx">length</span><span class="p">,</span> <span class="p">});</span> <span class="p">});</span> <span class="c1">// Cosine similarity helper</span> <span class="kd">function</span> <span class="nf">cosineSimilarity</span><span class="p">(</span><span class="nx">vecA</span><span class="p">:</span> <span class="kr">number</span><span class="p">[],</span> <span class="nx">vecB</span><span class="p">:</span> <span class="kr">number</span><span class="p">[]):</span> <span class="kr">number</span> <span class="p">{</span> <span class="kd">let</span> <span class="nx">dotProduct</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">normA</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="kd">let</span> <span class="nx">normB</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="k">for </span><span class="p">(</span><span class="kd">let</span> <span class="nx">i</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="nx">i</span> <span class="o">&lt;</span> <span class="nx">vecA</span><span class="p">.</span><span class="nx">length</span><span class="p">;</span> <span class="nx">i</span><span class="o">++</span><span class="p">)</span> <span class="p">{</span> <span class="nx">dotProduct</span> <span class="o">+=</span> <span class="nx">vecA</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">*</span> <span class="nx">vecB</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="nx">normA</span> <span class="o">+=</span> <span class="nx">vecA</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">*</span> <span class="nx">vecA</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="nx">normB</span> <span class="o">+=</span> <span class="nx">vecB</span><span class="p">[</span><span class="nx">i</span><span class="p">]</span> <span class="o">*</span> <span class="nx">vecB</span><span class="p">[</span><span class="nx">i</span><span class="p">];</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">dotProduct</span> <span class="o">/</span> <span class="p">(</span><span class="nb">Math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="nx">normA</span><span class="p">)</span> <span class="o">*</span> <span class="nb">Math</span><span class="p">.</span><span class="nf">sqrt</span><span class="p">(</span><span class="nx">normB</span><span class="p">));</span> <span class="p">}</span> </code></pre> </div> <p><strong>Key Insight:</strong> Notice the <strong>defense-in-depth</strong> approach:</p> <ol> <li>Database query filters by ownership/access</li> <li>FGA batch check validates each document</li> <li>Only authorized PDFs get embedded and suggested</li> <li>AI never sees documents the user shouldn't access</li> </ol> <h4> FGA Best Practices from InnoGate </h4> <p><strong>1. Always Log FGA Operations</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[FGA] Granting </span><span class="p">${</span><span class="nx">relation</span><span class="p">}</span><span class="s2"> access to doc:</span><span class="p">${</span><span class="nx">documentId</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="nx">console</span><span class="p">.</span><span class="nf">log</span><span class="p">(</span><span class="s2">`[FGA] Batch checking </span><span class="p">${</span><span class="nx">documentIds</span><span class="p">.</span><span class="nx">length</span><span class="p">}</span><span class="s2"> documents`</span><span class="p">);</span> </code></pre> </div> <p>This is essential for debugging authorization issues.</p> <p><strong>2. Implement Graceful Degradation</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">if </span><span class="p">(</span><span class="nx">process</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">FGA_STORE_ID</span><span class="p">)</span> <span class="p">{</span> <span class="k">try</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(...);</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">fgaError</span><span class="p">)</span> <span class="p">{</span> <span class="nx">fastify</span><span class="p">.</span><span class="nx">log</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">fgaError</span><span class="p">,</span> <span class="dl">"</span><span class="s2">FGA failed</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Don't fail the entire operation</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>If FGA is unavailable, fall back to database-only authorization.</p> <p><strong>3. Use Batch Operations for Performance</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// ❌ Bad: Sequential checks (slow)</span> <span class="k">for </span><span class="p">(</span><span class="kd">const</span> <span class="nx">docId</span> <span class="k">of</span> <span class="nx">documentIds</span><span class="p">)</span> <span class="p">{</span> <span class="k">await</span> <span class="nf">canUserViewDocument</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">docId</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// ✅ Good: Parallel batch check (fast)</span> <span class="kd">const</span> <span class="nx">results</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">batchCheckDocumentAccess</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">documentIds</span><span class="p">);</span> </code></pre> </div> <p><strong>4. Create Both Owner and Viewer Tuples</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// When uploading, grant both relations</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">docId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">owner</span><span class="dl">"</span><span class="p">);</span> <span class="k">await</span> <span class="nf">grantDocumentAccess</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">docId</span><span class="p">,</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span><span class="p">);</span> </code></pre> </div> <p>This allows the <code>can_view</code> computed relation to work correctly.</p> <p><strong>5. Delete Tuples When Revoking Access</strong><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">export</span> <span class="k">async</span> <span class="kd">function</span> <span class="nf">revokeDocumentAccess</span><span class="p">(</span> <span class="nx">userEmail</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">documentId</span><span class="p">:</span> <span class="kr">string</span><span class="p">,</span> <span class="nx">relation</span><span class="p">:</span> <span class="dl">"</span><span class="s2">owner</span><span class="dl">"</span> <span class="o">|</span> <span class="dl">"</span><span class="s2">viewer</span><span class="dl">"</span> <span class="p">)</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">fgaClient</span> <span class="o">=</span> <span class="nf">getFGAClient</span><span class="p">();</span> <span class="k">await</span> <span class="nx">fgaClient</span><span class="p">.</span><span class="nf">write</span><span class="p">({</span> <span class="na">deletes</span><span class="p">:</span> <span class="p">[{</span> <span class="na">user</span><span class="p">:</span> <span class="s2">`user:</span><span class="p">${</span><span class="nx">userEmail</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="nx">relation</span><span class="p">,</span> <span class="na">object</span><span class="p">:</span> <span class="s2">`doc:</span><span class="p">${</span><span class="nx">documentId</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="p">}],</span> <span class="p">});</span> <span class="p">}</span> </code></pre> </div> <h3> 3. RAG Implementation with Vector Stores </h3> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// server/src/routes/pdf-rag.ts</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">MemoryVectorStore</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">langchain/vectorstores/memory</span><span class="dl">"</span><span class="p">;</span> <span class="k">import</span> <span class="p">{</span> <span class="nx">AzureOpenAIEmbeddings</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">@langchain/openai</span><span class="dl">"</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">vectorStores</span> <span class="o">=</span> <span class="k">new</span> <span class="nb">Map</span><span class="o">&lt;</span><span class="kr">string</span><span class="p">,</span> <span class="nx">MemoryVectorStore</span><span class="o">&gt;</span><span class="p">();</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">"</span><span class="s2">/api/pdf-rag/load</span><span class="dl">"</span><span class="p">,</span> <span class="p">{</span> <span class="na">preHandler</span><span class="p">:</span> <span class="nx">fastify</span><span class="p">.</span><span class="nf">requireAuth</span><span class="p">(),</span> <span class="p">},</span> <span class="k">async </span><span class="p">(</span><span class="nx">request</span><span class="p">,</span> <span class="nx">reply</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">pdfId</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">request</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userEmail</span> <span class="o">=</span> <span class="p">(</span><span class="nx">request</span><span class="p">.</span><span class="nx">user</span> <span class="k">as</span> <span class="kr">any</span><span class="p">)?.[</span><span class="dl">'</span><span class="s1">https://innogate.app/email</span><span class="dl">'</span><span class="p">];</span> <span class="c1">// FGA authorization check before loading</span> <span class="kd">const</span> <span class="nx">hasAccess</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">canUserViewDocument</span><span class="p">(</span><span class="nx">userEmail</span><span class="p">,</span> <span class="nx">pdfId</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">hasAccess</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">code</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">send</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">Access denied</span><span class="dl">"</span> <span class="p">});</span> <span class="p">}</span> <span class="c1">// Load and embed PDF</span> <span class="kd">const</span> <span class="nx">documents</span> <span class="o">=</span> <span class="k">await</span> <span class="nf">loadPDF</span><span class="p">(</span><span class="nx">pdfPath</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">textSplitter</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">RecursiveCharacterTextSplitter</span><span class="p">({</span> <span class="na">chunkSize</span><span class="p">:</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">chunkOverlap</span><span class="p">:</span> <span class="mi">200</span><span class="p">,</span> <span class="p">});</span> <span class="kd">const</span> <span class="nx">splits</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">textSplitter</span><span class="p">.</span><span class="nf">splitDocuments</span><span class="p">(</span><span class="nx">documents</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">embeddings</span> <span class="o">=</span> <span class="k">new</span> <span class="nc">AzureOpenAIEmbeddings</span><span class="p">({...</span><span class="nx">config</span><span class="p">});</span> <span class="kd">const</span> <span class="nx">vectorStore</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">MemoryVectorStore</span><span class="p">.</span><span class="nf">fromDocuments</span><span class="p">(</span><span class="nx">splits</span><span class="p">,</span> <span class="nx">embeddings</span><span class="p">);</span> <span class="nx">vectorStores</span><span class="p">.</span><span class="nf">set</span><span class="p">(</span><span class="nx">pdfId</span><span class="p">,</span> <span class="nx">vectorStore</span><span class="p">);</span> <span class="k">return</span> <span class="nx">reply</span><span class="p">.</span><span class="nf">send</span><span class="p">({</span> <span class="na">success</span><span class="p">:</span> <span class="kc">true</span> <span class="p">});</span> <span class="p">});</span> </code></pre> </div> <h2> Lessons Learned and Takeaways </h2> <h3> 1. <strong>Fine-Grained Authorization is Complex but Essential</strong> </h3> <p>Auth0 FGA proved invaluable because:</p> <ul> <li> <strong>Separation of Concerns</strong>: Authorization logic lives in FGA, not scattered across code</li> <li> <strong>Relationship-Based Access</strong>: The model naturally expresses owner/viewer relationships</li> <li> <strong>Scalability</strong>: Adding new relations (e.g., <code>editor</code>, <code>commenter</code>) is trivial</li> <li> <strong>Audit Trail</strong>: Every access decision is logged</li> </ul> <p><strong>Challenge</strong>: Understanding FGA's tuple-based model took time.</p> <p><strong>Lesson</strong>: Start with the simplest model and iterate. The <code>define can_view: owner or viewer</code> syntax is powerful.</p> <h3> 2. <strong>Double Defense Wins</strong> </h3> <p>InnoGate implements multiple security layers:</p> <ol> <li>JWT Authentication (Auth0)</li> <li>Database constraints</li> <li>FGA authorization checks</li> <li>Application validation</li> </ol> <p><strong>Lesson</strong>: FGA can be used to either replace database based authorization or bolster it by adding another layer of checks. In case database is somehow compromised Auth0 FGA will ensure that no data leaks.</p> <h3> 3. <strong>Batch Operations are Critical</strong> </h3> <p>Checking 50 PDFs sequentially would take seconds. Batch checking takes milliseconds.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Parallel FGA checks</span> <span class="kd">const</span> <span class="nx">responses</span> <span class="o">=</span> <span class="k">await</span> <span class="nb">Promise</span><span class="p">.</span><span class="nf">all</span><span class="p">(</span> <span class="nx">checks</span><span class="p">.</span><span class="nf">map</span><span class="p">(</span><span class="nx">check</span> <span class="o">=&gt;</span> <span class="nx">fgaClient</span><span class="p">.</span><span class="nf">check</span><span class="p">(</span><span class="nx">check</span><span class="p">))</span> <span class="p">);</span> </code></pre> </div> <p><strong>Lesson</strong>: Always use batch operations for performance.</p> <p>Team Members Handles:</p> <p><a class="mentioned-user" href="https://dev.to/soniab">@soniab</a> - Management Lead<br> <a class="mentioned-user" href="https://dev.to/akshatbatra">@akshatbatra</a> - Developer</p> devchallenge auth0challenge ai authentication