I’m using Auth0 with a React SPA to authenticate my API. My scenario is that I’m only allowing social logins like Google and Facebook and no database authentication is allowed. In this case, if a user signs in for the first time, and the React app makes an API call with his/her access token how am I to detect that the user is a first time visitor and get his/her info from /userinfo endpoint and create a new entry for user in my DB?
Currently, the way I’m checking thid on my API calls is - I’m extracting sub field from the access token and using it as a unique user ID on my DB. If i get existing data, I assume that the user is a repeat user, otherwise I’m creating a new profile by querying /userinfo endpoint first and getting more data on user.
However, doing this on each and every API call is inefficient as it incurs one extra DB call everytime.
Any suggestions?
You can consider adding some logic on a custom rule that adds a custom claim to the access token as a way to signal if this is a first-time user. The approach to make that decision can also vary, for example, you can unilaterally decide it’s a first-time user from the rule itself based on something like login count or you can make it more explicit and have your API update the Auth0 user profile with metadata to signal that this is now a recurring users because you completed all the operations necessary for a first-time user.
Having said that, I would seriously question if you really need this for two reasons, the calls from the API to the DB should be cheap and if you’re storing user information in the DB then it’s highly likely that you’ll be retrieving it for actual business reasons as a consequence of some client application API call. If you’re doing that then you can consider doing the user provision at the same time in an on-demand fashion. Said it in another way, you would not check if you have a user profile in every API call, only in the calls that already required you to obtain user information anyway.