Files
2026-07-12 10:17:17 -04:00

913 lines
39 KiB
Markdown

---
name: pocketbase-development
description: "PocketBase patterns: collection schemas, API quirks, sort-field traps, useToast provider, auth flow."
version: 1.2.0
metadata:
hermes:
tags: [pocketbase, backend, collections, debugging]
related_skills: []
---
# PocketBase Development
## Overview
Common patterns, pitfalls, and fixes when building React apps backed by PocketBase. Covers collection creation, API query patterns, auth integration, SPQ legacy data model, and runtime debugging.
> **Reference:** `references/customer-db-integration.md` documents the SPQ Customer DB integration pattern: name splitting (firstName/middleName/lastName with backward-compat auto-compose), customer record auto-creation from quote/appointment/RO saves (`ensureCustomerRecord`), client-side duplicate detection, customerId pass-through across quotes → ROs → appointments, and multi-source data population (vehicles → quotes → ROs) when selecting a customer.
>
> **Reference:** `references/spq-legacy-data-model.md` documents the actual PocketBase schema for the ShopProQuote project — collection field names, vehicle data storage (no separate `vehicles` collection), the combine-and-deduplicate pattern across repairOrders/quotes, `customerName` vs `customerId` linkage (ALL existing ROs and quotes have empty `customerId`), quote services JSON display patterns (expandable rows with service line items), and migration patterns from legacy flat-text fields.
>
> **See also:** `pocketbase-react-apps/references/spq-pb-field-mapping.md` for the critical frontend-to-PB field name translation table (estimatedDuration → estimatedTime, customerType → financial JSON). Saves to wrong field names are silently dropped by PocketBase.
>
> **Reference:** `references/glitchtip-sentry-dsn-path-prefix.md` — Sentry SDK v10 DSN parser rejects multi-segment paths (`/glitchtip/1`). Fix: change DSN to bare project ID (`/1`) and add nginx regex location.
>
> **Reference:** `references/cross-origin-debugging.md` — Debugging the same React+PB app behaving differently on two domains (e.g., `shopproquote.graj-media.com` vs `grajmedia.duckdns.org`). Nginx config check → identical code → same backend → client-side localStorage stale state. Covers Zod validation failure tracing and the `spq-quote` localStorage key.
>
> **Reference:** `references/quote-to-ro-approved-services-sync.md` — Syncing approved quote services back to the originating repair order when saving a quote generated from an RO (`?fromRO=RO_ID`). Covers the merge logic (same-name update vs append), status preservation, and the two save paths (`handleSave` and `ensureShareToken`).
## Pitfalls
### Filter `~` (contains) operator can return 400 on some collections
PocketBase 0.39.1 may return `400 Bad Request` for the `~` (contains) filter operator on text fields in certain collections — even when the field and syntax are valid. The error message is the generic `"Something went wrong while processing your request."` with no field-level detail. This was observed on the `customers` collection's `name` and `phone` fields while the same SDK version handles `=` on `userId` without issue.
**Fix:** For collections with small record counts (single-shop data: customers, settings, etc.), skip server-side filters entirely and filter client-side:
```typescript
// ❌ Server-side filter — may return 400 for unknown reasons
const result = await pb.collection('customers').getList(1, 10, {
filter: `name ~ '${query}'`, // may 400 on some collections
fields: 'id,name,phone',
});
// ✅ Client-side filter — fetch all + filter in JS
const result = await pb.collection('customers').getList(1, 500, {
fields: 'id,name,phone',
batch: 500,
});
const matched = (result.items as any[]).filter((c: any) =>
(c.name || '').toLowerCase().includes(query.toLowerCase())
);
```
The `batch: 500` parameter fetches all records in a single request (PocketBase's default max batch is 500). For single-shop deployments this is always fast. Client-side filtering also avoids issues with escaping, case sensitivity, and operator support across PB versions.
**Key insight:** PocketBase's access rules (`userId = @request.auth.id`) are applied server-side automatically even without a `filter` parameter, so fetching all records and filtering client-side is a safe and reliable pattern for user-scoped data.
### sort `-created` fails with 400 on collections created via JS migrations
PocketBase v0.23+ does NOT auto-add system `created`/`updated` AutodateFields when a collection is created via `new Collection()` in a JS migration. Collections created through the admin UI DO get them. Using `sort: '-created'`, `sort: '-updated'`, or requesting `fields: '...,created,...'` in `getList()` queries on these collections returns a 400 error: "Something went wrong while processing your request."
**Workaround:** Use `sort: '-id'` instead. PocketBase IDs are time-sortable KSUIDs, so sorting by `-id` gives most-recent-first behavior.
**Proper fix (migration):** Add `AutodateField` instances to the affected collections:
```javascript
col.fields.add(new AutodateField({
name: 'created',
system: true,
onCreate: true,
onUpdate: false,
}));
col.fields.add(new AutodateField({
name: 'updated',
system: true,
onCreate: true,
onUpdate: true,
}));
app.save(col);
```
**Diagnosis steps when you see generic 400 errors on PB getList/getFullList:**
When PocketBase returns the generic `{"data":{},"message":"Something went wrong while processing your request.","status":400}`, the cause can be any query parameter (filter, sort, fields) referencing a non-existent field. Isolate the culprit systematically:
1. **Test without sort and fields first:**
```
GET /api/collections/{name}/records?perPage=1
```
If this works, the collection exists and is accessible.
2. **Add filter only:**
```
GET /api/collections/{name}/records?filter=customerId='test'&perPage=1
```
If this fails, the filter references a non-existent field.
3. **Add sort only:**
```
GET /api/collections/{name}/records?sort=-created&perPage=1
```
If this fails, the sort column doesn't exist on the collection.
4. **Add fields only:**
```
GET /api/collections/{name}/records?fields=year,make,model&perPage=1
```
If this fails, one of the requested fields doesn't exist.
5. **Check the actual SQLite schema:**
```bash
# Host path — use docker inspect if unsure where the volume is
sqlite3 /path/to/pb_data/data.db "PRAGMA table_info(collectionName);"
# Or find the volume mount path via docker inspect (faster than find on large filesystems)
docker inspect pocketbase | python3 -c "
import json, sys
data = json.load(sys.stdin)
for mount in data[0].get('Mounts', []):
if 'pb_data' in mount.get('Destination', ''):
print(mount['Source'])
break
"
```
Or check the `_collections` table's `fields` JSON:
```bash
sqlite3 /path/to/pb_data/data.db "SELECT fields FROM _collections WHERE name='collectionName';" | python3 -c "import json, sys; [print(f['name']) for f in json.load(sys.stdin)]"
```
Note: the `_collections` table has a `fields` column (not `schema`) that contains the full JSON array of field definitions.
6. **Verify with a `sort: '-id'` test** — PocketBase IDs are time-sortable KSUIDs, so `-id` sort is always available:
```
GET /api/collections/{name}/records?sort=-id&perPage=1
```
If this works but `sort=-created` doesn't, the collection is missing the system `created`/`updated` fields.
**Real-world affected collections (SPQ v2 project — all confirmed missing `created`/`updated` via PRAGMA table_info):**
| Collection | Created via | Missing fields? |
|---|---|---|
| `vehicles` | M16 JS migration (`new Collection()`) | Missing `created` and `updated` |
| `technicianInvites` | JS migration | Missing `created` and `updated` |
| `reminders` | JS migration (M26) | Missing `created` and `updated` |
| `quotes` | Admin UI | Has `createdAt`/`updatedAt` user fields but NO system `created`/`updated` |
| `repairOrders` | Admin UI | Has `createdAt`/`updatedAt` user fields but NO system `created`/`updated` |
All five were fixed in M28 by adding `AutodateField({ name: 'created', system: true, onCreate: true })` and `AutodateField({ name: 'updated', system: true, onCreate: true, onUpdate: true })`.
**Defensive fallback pattern when `created` is missing:** If the collection has a user-defined timestamp field like `createdAt`, sort by that instead:
```typescript
// ✅ Works even before M28 — createdAt is a user-defined text field
sort: '-createdAt'
// ❌ Fails on collections missing system created field
sort: '-created'
```
This pattern is used in `CustomerInfoPanel.tsx` for the quotes and repairOrders fallback queries. The `vehicles` query keeps `-created` because its try/catch wrapper handles failures gracefully while the migration is pending.
### Collection naming: camelCase not snake_case
PocketBase SDK auto-creates collections with camelCase names. A Firebase-based app may use snake_case (`repair_orders`) while the actual PB collection is `repairOrders`. Always verify collection names against the live PB instance before writing queries.
### useToast requires ToastProvider
The `useToast()` hook from `../components/ui/Toast` throws at runtime if `<ToastProvider>` is not wrapping the component tree. Always wrap `<BrowserRouter>` in `<ToastProvider>` in `App.tsx`:
```tsx
<BrowserRouter>
<ToastProvider>
<Routes>...</Routes>
</ToastProvider>
</BrowserRouter>
```
### Vite build exit code 1 is often a false positive
Rolldown can emit non-fatal chunk-size warnings that cause exit code 1 even when the build succeeded. Check `dist/index.html` exists instead of trusting the exit code:
```bash
ls -la dist/index.html # if it exists, build succeeded
```
### Creating collections without admin access
Non-admin PocketBase users cannot create collections via the REST API (returns 403). Collections must be created by an admin through the PocketBase dashboard at `http://host:8091/_/` or via admin-authenticated API calls.
### Filtering by userId on non-relational fields
When using `userId` as a plain text field (not a relation), the filter must use exact match:
```typescript
pb.collection('quotes').getList(1, 50, {
filter: `userId = '${userId}'`,
sort: '-id',
});
```
### Restrictive `fields` parameter can break queries
Using a `fields` parameter on `getList()` that lists fields not present on the collection will cause a 400 error (not just omit them). When in doubt, omit `fields` entirely and let PB return all fields:
```typescript
// ❌ Breaks if any field in the list doesn't exist
pb.collection('appointments').getList(1, 200, {
fields: 'id,customerName,date,time,status,created,updated',
});
// ✅ Safe — returns whatever fields exist
pb.collection('appointments').getList(1, 200, {
sort: '-id',
});
```
Same applies to `sort`: using `sort: 'date,time'` (two bare field names) may fail. Use the `+` or `-` prefix syntax: `sort: '-date,+time'` or just `sort: '-id'`.
### getFullList — load ALL records in one call (no pagination)
Use `getFullList()` to bypass the paged `getList()` pattern when you always want every matching record:
```typescript
// ❌ Paginated — requires "Load more" button + hasMore state
const records = await pb.collection('repairOrders').getList(page, perPage, {
filter: `userId = '${userId}'`,
sort: '-id',
});
// items in records.items, check records.totalPages for hasMore
// ✅ Un-paginated — returns ALL matching records in one array
const records = await pb.collection('repairOrders').getFullList({
filter: `userId = '${userId}'`,
sort: '-id',
});
// items returned directly as an array (no .items wrapper)
```
**When to use each:**
| Pattern | Use case | Return shape |
|---------|----------|-------------|
| `getList(page, perPage)` | Data you **want** paginated (big collections, server-side pages, "Load more" UX) | `{ items, page, perPage, totalItems, totalPages }` — items in `.items` |
| `getFullList({...})` | Small-to-medium collections you always want entirely in memory (typical single-shop data: ROs, customers, quotes) | Plain `T[]` — items returned directly from the SDK |
**Teardown the `usePagedList` hook when going un-paginated:**
If your app uses a `usePagedList<T>(fetchPage, perPage)` hook (like SPQ v2's `src/hooks/usePagedList.ts`), switching `fetchPage` from `getList` to `getFullList` means you can:
1. Change `fetchPage` to return a single-page result:
```typescript
const fetchAll = useCallback(async () => {
const records = await pb.collection('repairOrders').getFullList({ filter: `userId = '${userId}'` });
return { items: records, page: 1, perPage: 999999, totalItems: records.length, totalPages: 1 };
}, [userId]);
```
2. `hasMore` becomes always `false` (page 1 of 1 total pages)
3. The "Load more" button never renders
4. `refresh` re-fetches the full list — no accumulator state to manage
### JSON text fields: PocketBase may auto-parse or return raw strings
PocketBase stores JSON data as TEXT in the SQLite database. When the API returns these fields, **they may arrive as either a parsed JavaScript object/array OR as a raw JSON string**, depending on how the SDK serializes them. Always normalize:
```typescript
let items = raw;
if (typeof raw === 'string') {
try { items = JSON.parse(raw); } catch { items = []; }
}
if (!Array.isArray(items)) items = [];
```
This applies to the `services` field on both `quotes` and `repairOrders` collections. A `parseQuoteServices` function that only handles strings will silently return empty for pre-parsed arrays.
### Row-level security blocks cross-user data access
All SPQ collections use the access rule:
```
listRule: userId = @request.auth.id
viewRule: userId = @request.auth.id
```
This means **a user can only see records where `userId` matches their own auth ID**. If `demo@shop.com` logs in, they see zero customers/quotes/ROs because the data belongs to `mani8994@gmail.com`. The query filter doesn't matter — PocketBase applies the access rule first.
**Implications:**
- You cannot query across users with a user-level auth token
- To work around this for admin-style views, you need an admin/superuser token that bypasses the rules
- Or modify the collection rules to allow broader access (e.g., remove the userId restriction, or add an OR condition)
- The legacy site worked because it was deployed in the same PocketBase instance with the data owner's credentials
**To verify access:** Always test API calls directly with the authenticated user's token before assuming data exists. A 404 `"not found"` or empty result set often means the userId rule is blocking access.
### Detecting missing collections gracefully
```typescript
try {
const records = await pb.collection('name').getList(1, 1);
} catch (err) {
const msg = err instanceof Error ? err.message : '';
if (msg.includes('not found') || msg.includes('Missing collection')) {
setCollectionMissing(true); // show setup banner
}
}
```
### PocketBase SDK `import` keyword breaks Vite/esbuild
The PocketBase JS SDK (v0.27.0) uses `import` as a method name in `CollectionService.import()`. Both Vite's esbuild pre-bundler and the browser's native parser treat `import(` as a dynamic import expression and throw `Uncaught SyntaxError: Unexpected token '('`.
**Fix:** Patch `node_modules/pocketbase/dist/pocketbase.es.mjs` to rename the method:
```bash
sed -i 's/async import(/async _import(/g' node_modules/pocketbase/dist/pocketbase.es.mjs
```
Then add to `vite.config.ts` to serve the raw ESM file (skip pre-bundling):
```typescript
export default defineConfig({
optimizeDeps: {
exclude: ['pocketbase'],
},
// ...
});
```
### Creating NEW collections via JS migrations (v0.39+)
The `new Collection({...})` constructor works in v0.39 JS migrations, but field-based API rules **cannot be set at all via JS migrations** — the rule validator runs against a schema snapshot that never catches up to include the new fields, even in a separate migration file with `findCollectionByNameOrId()`.
**✅ Working pattern — save with empty rules, skip field-based rules:**
```javascript
migrate(
(app) => {
var col = new Collection({
name: 'myNewCollection',
type: 'base',
schema: [
new TextField({ name: 'fieldName', required: true }),
new JSONField({ name: 'jsonField', required: false }),
new BoolField({ name: 'active', required: false }),
],
listRule: '', // empty string = unrestricted (no filter)
viewRule: '', // empty = unrestricted
createRule: null, // null = no public API creates
updateRule: null,
deleteRule: null,
});
app.save(col);
console.log('[MX] created collection');
},
function(app) {
var col = app.findCollectionByNameOrId('myNewCollection');
if (col) { app.deleteCollection(col); }
}
);
```
**❌ Do NOT attempt to set field-referencing rules** (`shopUserId = @request.auth.id`, `roId = @request.query.roId`) in any migration file — it fails with `listRule: Invalid rule. Raw error: invalid left operand "fieldName" - unknown field "fieldName"`. This affects:
- `app.save(col)` with rules set on the constructor object
- `app.save(col)` with `.listRule = '...'` on the same collection object after a prior save
- `app.save(col)` after `findCollectionByNameOrId()` in a completely separate migration file (M25+1)
- Every technique tested on PB 0.39.1 with `app.save()` on collections created via JS migration
**Workaround for single-shop deployments:** The collections are usable without field-based rules — the frontend API queries filter by userId/shopUserId client-side, and `createRule: null` / `updateRule: null` / `deleteRule: null` prevents public API writes on write-protected collections (like the audit log). Accept that the collection's list/view rules are unrestricted at the API level and scope in the frontend.
**⚠️ REST API workaround:** If field-based rules are genuinely required, create the collection AND set rules via the REST API (admin auth token), not JS migrations:
```python
# Step 1: POST the collection with rules directly (works via REST API!)
result = api("POST", "/api/collections", {
"name": "myCollection",
"type": "base",
"listRule": "shopUserId = @request.auth.id",
"fields": [
{"name": "shopUserId", "type": "text", "required": True},
{"name": "customerName", "type": "text"},
],
}, token=admin_token)
```
The REST API's schema validator works correctly because it validates against the full collection body before committing. Only the Goja JS migration runtime has this schema-snapshot limitation.
**Available field constructors (PB 0.39):**
- `new TextField({ name, required })` — text values, also used for ISO date strings
- `new JSONField({ name, required })` — JSON blobs (stored as TEXT in SQLite)
- `new BoolField({ name, required })` — boolean
- `new NumberField({ name, required })` — numeric
- `new EmailField({ name, required })` — email
- `new SelectField({ name, values, required })` — dropdown
- `new FileField({ name, maxSize, allowedMimeTypes })` — file upload
**`DateTimeField` does NOT exist** — use `new TextField({ name: 'at', required: true })` and store ISO 8601 strings.
**Field names must be unique within a collection's schema.** The `find()` check `!col.fields.find(f => f.name === 'existingField')` guards against duplicate field attempts during re-migration.
### Creating records in migration hooks (v0.39+)
```javascript
app.onRecordUpdateRequest(function(e) {
if (e.collection.name !== 'sourceCollection') return;
if (!e.oldRecord) return;
var col = app.findCollectionByNameOrId('targetCollection');
var data = {
sourceId: e.record.id,
value: e.record.get('someField'),
at: new Date().toISOString(),
};
try {
var rec = new Record(col, data);
e.dao.saveRecord(rec);
} catch (err) {
console.error('[MX] save error: ' + String(err));
}
});
```
The `new Record(col, data)` constructor accepts a collection object and a plain data object. The record is persisted via `e.dao.saveRecord(rec)` (not `app.save()` or `rec.save()`).
### Hook API names (v0.39+)
| Hook name | Fires | Use case |
|---|---|---|
| `app.onRecordCreateRequest(e)` | Before create | Modify/validate new records |
| `app.onRecordUpdateRequest(e)` | Before update | Check changes, send emails, write audit logs. **NOT** `onRecordBeforeUpdateRequest` or `onRecordAfterUpdateRequest` — those names don't exist. |
| `app.onRecordDeleteRequest(e)` | Before delete | Prevent deletion, cleanup references |
`onRecordUpdateRequest` has access to `e.oldRecord` for diffing changes. This is the only hook needed for both pre-update validation and post-update notification — since it fires before the DB write, throw an `ApiError(code, message)` to reject the update, or add side-effects (email, audit records) that are best-effort.
The `e.httpContext` object exists on update hooks for accessing request data:
```javascript
var shareToken = '';
try {
shareToken = String(e.httpContext.request.query.get('shareToken') || '');
} catch (_) { return; }
```
### Throwing errors in hooks
```javascript
if (new Date() > expiryDate) {
throw new ApiError(410, 'Quote expired');
}
```
`throw new ApiError(statusCode, message)` rejects the request with the given HTTP status code and message. Valid in `onRecordCreateRequest`, `onRecordUpdateRequest`, and `onRecordDeleteRequest`. The frontend receives the status code in `err.status`.
### Sending emails from hooks (PB 0.39 mailer)
PB 0.39 SMTP must be configured via env vars (`PB_SMTP_ENABLED`, `PB_SMTP_HOST`, etc.). The mailer API:
```javascript
try {
app.getMailer().send({
to: [{ address: 'user@example.com' }],
subject: 'Quote Approved',
html: '<h2>Quote approved</h2><p>Details...</p>',
});
} catch (err) {
console.error('[MX] email failed: ' + String(err));
}
```
The `to` field is an array of `{ address, name }` objects. `name` is optional. The mailer is fire-and-forget in hook context — if it fails, log and proceed.
### JS migration API: v0.22 vs v0.39+ incompatibility
PocketBase v0.23+ completely changed the embedded JS migration API. Old v0.22-style migration files silently skip on v0.39+.
**❌ OLD syntax (v0.22, does NOT work on v0.39+):**
```javascript
migrate((db) => {
const col = db.findCollectionByNameOrId('users');
const f = new CollectionField({
name: 'role', type: 'select', values: ['advisor', 'technician', 'mobile']
});
col.fields.add(f);
db.save(col);
});
```
**Error on v0.39+:** `ReferenceError: CollectionField is not defined`
**✅ REST API alternative (works on all versions >v0.23):**
When a JS migration file fails due to API incompatibility, use the REST API to PATCH the collection schema directly. This avoids writing Go-compatible JS migrations altogether.
```python
import subprocess, json
# 1. Auth as superuser
auth = subprocess.run([
"curl", "-s", "-X", "POST",
"http://127.0.0.1:8091/api/collections/_superusers/auth-with-password",
"-H", "Content-Type: application/json",
"-d", '{"identity":"admin@shop.com","password":"..."}'
], capture_output=True, text=True, timeout=10)
token = json.loads(auth.stdout)["token"]
# 2. GET current schema (must include ALL existing fields in PATCH payload)
get_req = subprocess.run([
"curl", "-s", "http://127.0.0.1:8091/api/collections/users",
"-H", f"Authorization: Bearer *** ], capture_output=True, text=True, timeout=10)
collection = json.loads(get_req.stdout)
new_fields = list(collection["fields"])
# 3. Append new fields
new_fields.append({"name": "role", "type": "select", "values": ["advisor","technician","mobile"]})
new_fields.append({"name": "shopUserId", "type": "text"})
new_fields.append({"name": "displayName", "type": "text"})
# 4. PATCH with full fields array (replace entire field list)
subprocess.run([
"curl", "-s", "-X", "PATCH", "http://127.0.0.1:8091/api/collections/users",
"-H", f"Authorization: Bearer *** "-H", "Content-Type: application/json",
"-d", json.dumps({"fields": new_fields})
], capture_output=True, text=True, timeout=10)
```
**CRITICAL:** The PATCH payload must include ALL existing fields, not just the new ones — the `fields` array replaces the entire schema. Omitting existing fields drops them.
**Detection:** Run the migration explicitly to surface errors:
```bash
docker exec pocketbase /usr/local/bin/pocketbase --dir=/pb_data --migrationsDir=/pb_data/migrations migrate
```
If this passes cleanly, the migration will also apply on container restart. If it errors, use the REST API fallback above.
**Cleanup failed JS files after REST API workaround:** After applying the schema changes via REST API (PATCH fields or POST new collections), you MUST remove the failing JS migration file from `pb_data/migrations/`. PocketBase keeps trying it on every restart and logs a silent error each time — it won't crash but it's noise and may mask real problems.
```bash
rm /home/ray/docker/pocketbase/pb_data/migrations/1740000000001_*.js
# Then restart so the container starts clean
docker restart pocketbase
```
**REST API fallback also applies to creating NEW collections** — not just adding fields. The same two-step pattern works for full collection creation:
```python
# Step 1: POST the collection (with null rules to avoid constraint issues)
result = api("POST", "/api/collections", {
"name": "technicianAssignments",
"type": "base",
"fields": [
{"name": "shopUserId", "type": "text", "required": True},
{"name": "status", "type": "select",
"values": ["pending", "in_progress", "waiting_parts", "completed"]},
# ... more fields
]
})
cid = result["id"]
# Step 2: PATCH the rules separately (cleaner separation of concerns)
result = api("PATCH", f"/api/collections/{cid}", {
"listRule": "shopUserId = @request.auth.id || technicianUserId = @request.auth.id",
"createRule": "shopUserId = @request.auth.id",
})
```
### PocketBase v0.39.x superuser auth
Superuser authentication is at the collections endpoint, NOT the legacy `/api/admins/` path:
```bash
# ✅ Correct (v0.39.x)
POST /api/collections/_superusers/auth-with-password
body: {"identity": "admin@example.com", "password": "..."}
# ❌ Wrong (legacy — returns 404)
POST /api/admins/auth-with-password
```
Create a superuser via CLI if none exists:
```bash
docker exec pocketbase /usr/local/bin/pocketbase superuser upsert admin@shop.com PASSWORD --dir /pb_data
```
### Creating collections via API (v0.39.x)
Use `fields` not `schema` in the payload. Match existing collection patterns — most SPQ collections use `text` for `userId` (not `relation`):
```python
api("POST", "/api/collections", {
"name": "collection_name",
"type": "base",
"listRule": "userId = @request.auth.id",
"viewRule": "userId = @request.auth.id",
"createRule": "@request.auth.id != ''",
"updateRule": "userId = @request.auth.id",
"deleteRule": "userId = @request.auth.id",
"fields": [
{"name": "name", "type": "text", "required": True},
{"name": "userId", "type": "text", "required": True},
],
}, token=admin_token)
```
The API returns 400 with specific field-level errors if the schema is wrong — inspect `resp["data"]["fields"]` for detail.
### Vite dev proxy for PocketBase needs explicit `rewrite`
When proxying `/pb` to PocketBase in Vite dev, add an explicit `rewrite` rule to strip the prefix:
```typescript
server: {
proxy: {
'/pb': {
target: 'http://127.0.0.1:8091',
changeOrigin: true,
rewrite: (path) => path.replace(/^\/pb/, ''),
},
},
}
```
Without `rewrite`, some PocketBase versions serve the admin UI HTML for proxied paths instead of the API JSON.
## PocketBase API Quick Reference
- Auth: `POST /api/collections/users/auth-with-password` with `{identity, password}`
- List: `GET /api/collections/{name}/records?page=1&perPage=50&filter=...&sort=-id`
- Create: `POST /api/collections/{name}/records`
- Update: `PATCH /api/collections/{name}/records/{id}`
- Delete: `DELETE /api/collections/{name}/records/{id}`
- Health: `GET /api/health`
- Admin dashboard: `http://host:8091/_/`
## SDK Patterns
```typescript
import PocketBase from 'pocketbase';
export const pb = new PocketBase('/pb');
pb.autoCancellation(false);
// Auth
const auth = await pb.collection('users').authWithPassword(email, password);
const userId = pb.authStore.model?.id;
pb.authStore.clear(); // logout
// CRUD
const result = await pb.collection('name').getList(page, perPage, { filter, sort });
const record = await pb.collection('name').create({ field: value });
await pb.collection('name').update(id, { field: newValue });
await pb.collection('name').delete(id);
```
## React Integration
```tsx
import { pb } from '../lib/pocketbase';
import { useToast } from '../components/ui/Toast';
// Must be wrapped in <ToastProvider>
```
### Settings merge: always use spread, never explicit field lists
When loading settings from a PocketBase JSON field into local state, use `{ ...DEFAULT_SETTINGS, ...data }` spread pattern. An explicit field-by-field merge silently drops any fields that exist in `DEFAULT_SETTINGS` but were not added to the merge logic — a recurring bug when new settings are added later.
```typescript
// ❌ Brittle — every new field must be manually added here
const merged: ShopSettings = {
...DEFAULT_SETTINGS,
businessName: (d.businessName as string) || '',
taxRate: Number(d.taxRate ?? 0),
// ... 10+ more fields — easy to miss new ones
};
// ✅ Future-proof — spread includes all fields automatically
const merged: ShopSettings = { ...DEFAULT_SETTINGS, ...d } as ShopSettings;
```
This also means DEFAULT_SETTINGS must be the single source of truth for all fields and their defaults. When adding new settings fields, add them to DEFAULT_SETTINGS first, then the spread handles the rest.
### Nested component input focus loss
When an input inside a nested function component loses focus on every keystroke, the component is being recreated on every render. React treats a nested function as a new component type, destroying and recreating the DOM.
**Fix:** Extract the component to a file-level `memo`'d component so its identity is stable across renders. Never define components (functions that return JSX) inside other components — always at module scope.
```tsx
const ServiceRow = memo(function ServiceRow({ service, onUpdate, ... }: Props) {
return <input value={service.price} onChange={...} />;
});
```
### JSON fields from PocketBase
PB `json` type fields may arrive as serialized JSON strings instead of parsed objects/arrays, depending on how the record was created. Always normalize:
```typescript
// Fetch time normalization (safe)
let services = item.services || [];
if (typeof services === 'string' && services.trim()) {
try { services = JSON.parse(services); } catch { services = []; }
}
if (!Array.isArray(services)) services = [];
```
And when consuming a possibly-string field:
```typescript
function calcROTotals(services: ROService[]) {
const arr = Array.isArray(services) ? services : [];
const total = arr.reduce(...);
}
```
### Date formatting crashes (Invalid time value)
`new Date(undefined)` produces `Invalid Date`, and calling `.toLocaleDateString()` or `Intl.DateTimeFormat().format()` on it throws `RangeError: Invalid time value`. Always guard:
```typescript
function formatDate(iso: string | undefined | null) {
if (!iso) return '—';
const d = new Date(iso);
if (isNaN(d.getTime())) return '—';
return new Intl.DateTimeFormat('en-US', {...}).format(d);
}
```
### Tesseract.js in Vite
Dynamic CDN imports like `import('https://cdn.jsdelivr.net/...')` don't work in Vite production builds. Use a static npm import instead:
```typescript
// ✅ Correct — Vite bundles it
import Tesseract from 'tesseract.js';
// ❌ Wrong — fails in prod
const Tesseract = (await import('https://cdn.jsdelivr.net/...')).default;
```
### PB sign-up (user registration)
PocketBase user creation requires `passwordConfirm` at the top level of the create payload. Without it, the API returns 400:
```typescript
await pb.collection('users').create({
email: email.trim(),
password,
passwordConfirm: confirmPassword, // ← REQUIRED, not a real field
name: name.trim() || '',
emailVisibility: true,
});
```
Common failure causes:
- **Email already exists** → PB returns 400 `"Failed to create record."` with `data.email.code === 'validation_not_unique'`
- **Password < 8 chars** → PB returns `"Must be at least 8 character(s)."`
- **Missing passwordConfirm** → 400 with validation error
The SDK throws `ClientResponseError` (extends Error). `.message` gives "Failed to create record."; field details are in `.response.data`.
### Custom service / dynamic item add: always wire onClick
When a button that creates a dynamic item (e.g., "Add as custom service") has no `onClick` handler, it silently does nothing. Subagents frequently leave buttons with label text but no action. Always verify that every "Add X" button in generated code has a wired click handler that creates the item and updates state:
```tsx
// ❌ Silent — no action
<button>Add as custom service</button>
// ✅ Wired
<button onClick={() => {
const newItem = { id: `custom-${Date.now()}`, name: query.trim(), price: 0 };
addService(newItem);
}}>Add as custom service</button>
```
### Appointments page: avoid restrictive PB query params
The `fields` and `sort` parameters in `pb.collection().getList()` will 400-error if any referenced field doesn't exist on the collection. Prefer minimal params:
```typescript
// ❌ Breaks if fields or sort column doesn't exist
pb.collection('appointments').getList(1, 200, {
filter: `userId = '${userId}'`,
sort: 'date,time', // wrong syntax for PB
fields: 'id,name,date,status,created', // any missing = 400
});
// ✅ Safe
pb.collection('appointments').getList(1, 200, {
filter: `userId = '${userId}'`,
sort: '-id',
});
```
## Repair Order Domain Patterns
### Promised Completion Time (Due Date Display)
Auto repair management apps show a "promised completion time" on active repair orders. The display format adapts to how close the date is:
```typescript
function formatDueDate(promisedTime: string | undefined | null) {
if (!promisedTime) return '—';
const d = new Date(promisedTime);
if (isNaN(d.getTime())) return '—';
const now = new Date();
const today = new Date(now.getFullYear(), now.getMonth(), now.getDate());
const tomorrow = new Date(today.getTime() + 86400000);
const nextWeek = new Date(today.getTime() + 7 * 86400000);
const dateOnly = new Date(d.getFullYear(), d.getMonth(), d.getDate());
const timeStr = d.toLocaleTimeString([], { hour: 'numeric', minute: '2-digit' });
if (dateOnly.getTime() === today.getTime()) return `Today ${timeStr}`;
if (dateOnly.getTime() === tomorrow.getTime()) return `Tomorrow ${timeStr}`;
if (dateOnly.getTime() < nextWeek.getTime()) {
const days = ['Sun', 'Mon', 'Tue', 'Wed', 'Thu', 'Fri', 'Sat'];
return `${days[d.getDay()]} ${timeStr}`;
}
const months = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun',
'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
return `${months[d.getMonth()]} ${d.getDate()} ${timeStr}`;
}
```
Outputs: `"Today 3:00 PM"`, `"Tomorrow 10:30 AM"`, `"Wed 2:00 PM"`, `"Jun 27 1:00 PM"`, `"—"`.
Store as ISO datetime string in the PB collection (`promisedTime` field). Use `<input type="datetime-local">` in forms.
### Fetching Repair Orders by Customer (Two Patterns)
Repair orders link to customers in two ways, each used for different purposes:
**1. Forward-link by `customerId` (detail view)** — The RO has a `customerId` field referencing the customer record. Use this when viewing one customer's details:
> **⚠ SPQ data reality:** In the current SPQ database, ALL 55 repair orders and ALL 47 quotes have an **empty `customerId` field**. The only reliable link is by `customerName`. Use pattern #2 (`customerName` filter) for detail views in SPQ. If `customerId` is ever populated in the future this pattern will work, but for now it returns zero results.
```typescript
const result = await pb.collection('repairOrders').getList(1, 100, {
filter: `customerId = '${customerId}'`,
sort: '-createdAt',
fields: 'id,roNumber,customerId,customerName,vehicleInfo,vin,mileage,status,workStatus,createdAt,completedTime,writeupTime,technician,notes,services',
});
```
**2. Backward-link by `customerName` (vehicle discovery)** — Used when the customer has no `customerId` on the RO (legacy data pattern). Search all ROs by customer name to discover associated vehicles:
```typescript
const nameFilter = customerNames
.map((n) => `customerName ~ '${n.replace(/'/g, "\\'")}'`)
.join(' || ');
const result = await pb.collection('repairOrders').getList(1, 500, {
filter: nameFilter,
fields: 'vehicleInfo,vin,customerName',
});
```
The first pattern is for the Customer Detail view (that customer's ROs). The second is for the Customer List view (discovering vehicles across all customers).
### RO Status Values and Display
The DB uses these `workStatus` values (stored in `status` or `workStatus` field):
| DB value | Display label | Badge color |
|---|---|---|
| `active` / `open` | Open | Blue |
| `in-progress` / `in_progress` | In Progress | Yellow/Amber |
| `waiter` / `waiting_parts` | Waiting Parts | Orange |
| `completed` | Completed | Green |
| `delivered` | Delivered | Green |
| `cancelled` | Cancelled | Red |
Status label/color helpers:
```typescript
function getRoStatusLabel(ro: RepairOrderRecord): string {
const s = ro.workStatus || ro.status || '';
switch (s) {
case 'active': case 'open': return 'Open';
case 'in-progress': case 'in_progress': return 'In Progress';
case 'waiter': case 'waiting_parts': return 'Waiting Parts';
case 'completed': return 'Completed';
case 'delivered': return 'Delivered';
case 'cancelled': return 'Cancelled';
default: return s || 'Unknown';
}
}
function getRoStatusColor(ro: RepairOrderRecord): string {
const s = ro.workStatus || ro.status || '';
switch (s) {
case 'active': case 'open':
return 'bg-blue-50 text-blue-700 dark:bg-blue-900/30 dark:text-blue-400';
case 'in-progress': case 'in_progress':
return 'bg-yellow-50 text-yellow-700 dark:bg-yellow-900/30 dark:text-yellow-400';
case 'waiter': case 'waiting_parts':
return 'bg-orange-50 text-orange-700 dark:bg-orange-900/30 dark:text-orange-400';
case 'completed': case 'delivered':
return 'bg-green-50 text-green-700 dark:bg-green-900/30 dark:text-green-400';
case 'cancelled':
return 'bg-red-50 text-red-700 dark:bg-red-900/30 dark:text-red-400';
default:
return 'bg-gray-50 text-gray-700 dark:bg-gray-900/30 dark:text-gray-400';
}
}
```
### Status Transition Buttons (Reversible)
Repair orders need reversible status changes — once marked "Completed", the user must be able to "Reopen" back to "Active". Always show context-appropriate buttons:
```
Active → In Progress, Waiting Parts, Complete
In Progress → Active, Waiting Parts, Complete
Waiting Pts → Active, In Progress, Complete
Completed → Reopen (→Active), Mark Delivered
Delivered → Reopen (→Active)
```
## Local Dev Server
For local development with PocketBase on a different port, use the SPA+PB proxy server in `references/spa-pb-proxy.py`. It serves the Vite build output and proxies `/pb/*` API calls to PocketBase, with CORS headers. Set `SPQ_DIST` and `PB_URL` env vars, or edit the defaults.