I’m writing 2 Single Page Apps using React & Redux. The first is customer-facing and allows you to calculate a price for your order based on a few simple variables. The second is for internal use and allows our staff to tweak the settings and quote/price non-standard orders. At the back-end I have a price calculator service written in Ruby and running on AWS Lambda fronted by API Gateway.
I’d like our staff to sign in to the internal app using their internal G-Suite logins - you are only allowed in if you’re logged in with a company/approved email address. I would also like to protect the API.
I have a few questions…
Should I have a single Auth0 application for the SPA and the API or should I keep them separate?
If I have them separate, then how should I go about getting a token for the API when I can’t store an Auth0 secret in the SPA because it would be publicly visible?
I’m assuming validating a JWT in a Lambda Authoriser like this example is the best way to go but I’m not clear on how to implement it in Ruby. A simple working example would be really helpful if anyone can suggest something.
Looking ahead to the customer-facing app, I’d like it to be publicly available without the need for a customer to login. However, it would seem sensible to secure the API so it only accepts traffic from authorised sources (i.e. our app). Is this possible/sensible/practical?
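The following is an added example, not code from the poster or from Auth0, of the Lambda TOKEN authorizer asked about above, written in Ruby with only the standard library (openssl, json, base64) so it runs without the jwt gem. The tenant signing key, issuer URL, API identifier and key id are stand-ins constructed for the example; a real authorizer would load the public keys from the tenant's JWKS endpoint (https://TENANT.auth0.com/.well-known/jwks.json) and cache them, and the handler name would be whatever the Lambda's handler setting points at. The block also mints a token with the same throwaway key so the verification path can be exercised offline.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed for this example: a throwaway RSA key standing in for the Auth0
# tenant signing key, plus stand-in issuer / audience / kid values.
TENANT_KEY  = OpenSSL::PKey::RSA.new(2048)
KID         = 'example-key-1'
ISSUER      = 'https://example-tenant.auth0.com/'  # assumed tenant domain (trailing slash is what Auth0 issues)
AUDIENCE    = 'https://pricing-api.example.com'    # assumed API identifier configured in Auth0
# In production this hash is built from the JWKS document, keyed by kid.
PUBLIC_KEYS = { KID => TENANT_KEY.public_key }

class TokenError < StandardError; end

def b64url(bytes)
  Base64.urlsafe_encode64(bytes, padding: false)
end

def b64url_decode(str)
  Base64.urlsafe_decode64(str) # re-pads unpadded input since Ruby 2.3
end

# Test helper only: mints an RS256 token the way the tenant would.
def mint_token(claims, key: TENANT_KEY, kid: KID, alg: 'RS256')
  header = { alg: alg, typ: 'JWT', kid: kid }
  signing_input = "#{b64url(JSON.generate(header))}.#{b64url(JSON.generate(claims))}"
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Verifies signature, issuer, audience and expiry; returns the claims or raises TokenError.
def verify_jwt(token, now: Time.now)
  parts = token.to_s.split('.', -1) # -1 keeps a trailing empty signature segment
  raise TokenError, 'malformed token' unless parts.length == 3
  header    = JSON.parse(b64url_decode(parts[0]))
  payload   = JSON.parse(b64url_decode(parts[1]))
  signature = b64url_decode(parts[2])

  # Pin the algorithm: never let the token's own header pick it (alg=none, HS256/RS256 confusion).
  raise TokenError, 'unexpected alg' unless header['alg'] == 'RS256'
  key = PUBLIC_KEYS[header['kid']]
  raise TokenError, 'unknown kid' unless key
  unless key.verify(OpenSSL::Digest.new('SHA256'), signature, "#{parts[0]}.#{parts[1]}")
    raise TokenError, 'bad signature'
  end
  raise TokenError, 'wrong issuer' unless payload['iss'] == ISSUER
  # Auth0 access tokens often carry aud as an array (API identifier plus /userinfo).
  raise TokenError, 'wrong audience' unless Array(payload['aud']).include?(AUDIENCE)
  raise TokenError, 'expired' unless payload['exp'].is_a?(Integer) && payload['exp'] > now.to_i
  payload
end

# IAM policy document in the shape API Gateway expects from a Lambda authorizer.
def policy(principal_id, effect, method_arn, ctx = {})
  {
    'principalId' => principal_id,
    'policyDocument' => {
      'Version' => '2012-10-17',
      'Statement' => [{ 'Action' => 'execute-api:Invoke', 'Effect' => effect, 'Resource' => method_arn }]
    },
    'context' => ctx
  }
end

# Lambda TOKEN authorizer entry point (event carries authorizationToken and methodArn).
def handler(event:, context:)
  token  = event['authorizationToken'].to_s.sub(/\ABearer\s+/i, '')
  claims = verify_jwt(token)
  policy(claims['sub'], 'Allow', event['methodArn'], { 'scope' => claims['scope'].to_s })
rescue StandardError
  # Fail closed on any error; API Gateway maps a raised 'Unauthorized' to a 401.
  raise 'Unauthorized'
end
```

Restricting staff to company accounts is a separate check: the Google login and the email-domain rule belong in the Auth0 tenant (connection settings or a rule/action), so the authorizer only has to trust claims the tenant has already vetted. If a custom claim with the email is added to the access token, the same `verify_jwt` result is where it would be inspected.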