Auth0.js custom login + NodeJS middleware

dnavasp · March 12, 2021, 9:34pm

Hello! So I managed to authenticate our users with auth0.js using webAuth0.login() method. But how can I see if users are authenticated on our NodeJS application? Unfortunately, there is no clear workflow on your documentations.

Client-side:
function setConfig() {

    webAuth = new auth0.WebAuth({
      domain: 'login.foo.com',
      redirectUri: 'https://foo.com/login/callback',
      clientID: 'XYZ',
      responseType: 'token'
    });

  }

  setConfig();

     $('#login').click(function(e) {
    e.preventDefault();
    webAuth.login(
      {
        realm: 'Username-Password-Authentication',
        email: $('#email').val(),
        password: $('#password').val()
      },
      function(err, data) {
        this.webAuth.userInfo(
          data.accessToken
        );
      }
    );
  });

Server-side:

Middleware secured():

module.exports = function () {
    return function secured (req, res, next) {
    
      if (req.user) { return next(); }

      req.session.returnTo = req.originalUrl;
      res.redirect('/auth0/login');
    };
  };

Callback route:

router.get('/login/callback', function (req, res, next) {
    passport.authenticate('auth0', function (err, user, info) {
      if (err) { return next(err); }
      if (!user) { return res.redirect('/login'); }
      req.logIn(user, function (err) {
        if (err) { return next(err); }
      //  const returnTo = req.session.returnTo;
      //  delete req.session.returnTo;
        res.redirect('/home');
      });
    })(req, res, next);
  });

dnavasp · March 17, 2021, 12:43am

EDIT 1: Whenever I hit the middleware secured() after having authenticated a user with Auth0.js v9 (webAuth.login() method), the middleware then returns a Universal Login page, as if the user has never been authenticated before.

waltervandenhouten · March 17, 2021, 4:09pm

I’ve had some issues in this area as well.
Are you handling the callback when the user returns from the login screen?

I believe it is the WebAuth.parseHash() method.

dnavasp · March 17, 2021, 6:18pm

We managed to get it working by using Resource Owner Password flow and then apply the MFA Challenges using the mfa_token.

Once we had the access_token (after MFA completed succesfully), we were good to go and apply our secured() middleware!

Yet, how we use Auth0.js v9 + NodeJS Middleware remains unclear…

Resources:

https://auth0.com/docs/flows/call-your-api-using-resource-owner-password-flow

EDIT 1: We had to implement our custom PassportJS Strategy