Auth0 Home Blog Docs

How do I get a user's profile on the server side and prevent spoofing?

auth0
id_token
#1

Hello. I’m working on a web app and instead of rolling auth out myself, I’m using Auth0. So far, so good.

I’m using Auth0’s login service. And I’ve got login working using client-side logging. Specifically: on the client side, I can get the access token and id token from the Auth0 service, and then store them in Redux.

So the next thing I want to do is give each user a profile page where they can write their own text. Notably:

  • Each user should be able to write to their own profile
  • Each user should be able to read their own profile
  • Users should not be able to read/write others profiles.

To do this, I’ve created a table called User in my Postgres database.

When a user logs in, I want this to happen:

  • We check the database to see if we have a record where the email matches the user. If it does, we send the record, otherwise, we create a new record and send that.

I could just send the e-mail address as plaintext from the client to the backend; but theoretically, User A could sign in on their account, get their own access token and id token then run a CURL sending someone else’s email address and be able to access their account.

Ideally I’d send the id token, which contains all the data I need, but how do I make sure that the id token actually matches the access token provided? That is - that it prevents user spoofing? Then, once I send the idToken, how do I extract the profile information from the idToken on the backend?

I’m using React/Redux on the front-end, Node/Express/Postgres on the backend.

This might not even be the right approach to the problem, so if you have any ideas, I’m open to them.

On the frontend, I get the user’s profile by calling new auth0.WebAuth({…blah blah blah}).client.userInfo(err, profile) => {}), however, I don’t think that code works on the backend.

(I get “Using browser-only version of superagent in non-browser environment” and Error: Browser-only version of superagent could not find XHR
)

One last note. If I DO send the id_token, can I verify that the id_token is identical to the (already verified) access_token provided in the header by decoding both the id_token and the access_token and comparing the “kid” in the header? That would solve the problem.

Also, if there’s a slack or discord channel for Auth0, I’d really like to hear about it.

Thanks.