Guest access for unauthenticated user

First-time Auth0 user, so I apologize if I have missed something obvious.

I am developing a simple web-app that requires 3 levels of access:

GUEST - view:documents
USER - edit:documents
ADMIN - delete:documents

I only want USER and ADMIN to log in - anyone else should be able to view documents. (This seems like an extremely common use-case).

I have set up my frontend with auth0-spa-js and apollo-client and my backend with mongoose and apollo-server-express. I have followed your quickstarts and have something running. The login and signup work well. However, my API is now locked out for anyone who isn’t logged in.

I do have access to my API directly, say, through graphql playground, and my query works without any authorization header, but this gets locked down in my app - no authenticated user - no query.

How do I grant public access to my API?
Do I have to run another server in parallel (seems like a lot of duplication)?

SOLVED

The issue here isn’t Auth0 - it is the manner in which I pass the token to Apollo-link.

After implementing Nojaf’s solution here to get the token from the useAuth0 hook and insert it into the headers via an apollo-link middleware, my app was essentially refusing any request without a token. Fine if that’s what you want.

My solution, care of Tal Z - here, was to pass the token within the queries or mutations that need it, which allows my app to be both permissive and restrictive.

Quite simple actually:

change:

const [ createUser ] = useMutation( CREATE_USER )

to:

const [ createUser ] = useMutation( CREATE_USER,
{
    context: {
        headers: {
            "Authorization": getTokenSilently()
        }
    }
})
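An added example, not part of the original post and not Auth0 or Apollo code: sending the token per operation only decides when the client presents credentials, so the API still has to map a missing token to the GUEST permission and check edit:documents and delete:documents itself. It assumes an `Authorization: Bearer <token>` header, a `permissions` claim in the token, and HS256 with a constructed secret so that it runs offline; `signToken`, `verifyToken`, `buildContext` and `requirePermission` are hypothetical names.

```javascript
// Added example, not code from the thread. Secret and tokens are constructed.
const nodeCrypto = require("crypto");

const SECRET = "constructed-demo-secret";      // assumption: HS256 so the demo runs offline
const GUEST_PERMISSIONS = ["view:documents"];  // what a request without a token may do

const b64url = (s) => Buffer.from(s).toString("base64url");
const hmac = (data) => nodeCrypto.createHmac("sha256", SECRET).update(data).digest();

// Demo-only issuer standing in for the authorization server.
function signToken(claims) {
  const body = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })) + "." + b64url(JSON.stringify(claims));
  return body + "." + hmac(body).toString("base64url");
}

// Returns the claims, or throws if the algorithm, signature or expiry check fails.
function verifyToken(token) {
  const [h, p, sig, extra] = token.split(".");
  if (!h || !p || !sig || extra !== undefined) throw new Error("malformed token");
  const header = JSON.parse(Buffer.from(h, "base64url").toString());
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const given = Buffer.from(sig, "base64url");
  const expected = hmac(h + "." + p);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (typeof claims.exp !== "number" || claims.exp * 1000 <= Date.now()) throw new Error("expired");
  return claims;
}

// Per-request context: no header means guest; a header that fails verification
// is rejected rather than quietly treated as guest.
function buildContext(authorizationHeader) {
  if (!authorizationHeader) return { user: null, permissions: [...GUEST_PERMISSIONS] };
  const match = /^Bearer (\S+)$/.exec(authorizationHeader);
  if (!match) throw new Error("unsupported Authorization header");
  const claims = verifyToken(match[1]);
  const granted = Array.isArray(claims.permissions) ? claims.permissions : [];
  return { user: claims.sub, permissions: [...new Set([...GUEST_PERMISSIONS, ...granted])] };
}

// Guard called at the top of each resolver.
function requirePermission(ctx, permission) {
  if (!ctx.permissions.includes(permission)) throw new Error("forbidden: " + permission);
  return true;
}
```

With apollo-server-express, the result of `buildContext(req.headers.authorization)` would be returned from the server's `context` function, and each resolver would call `requirePermission` before touching documents.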

Thanks for following up on this!
