How do I get a user's profile on the server side and prevent spoofing?

Hello. I’m working on a web app and instead of rolling auth out myself, I’m using Auth0. So far, so good.

I’m using Auth0’s login service. And I’ve got login working using client-side logging. Specifically: on the client side, I can get the access token and id token from the Auth0 service, and then store them in Redux.

So the next thing I want to do is give each user a profile page where they can write their own text. Notably:

  • Each user should be able to write to their own profile
  • Each user should be able to read their own profile
  • Users should not be able to read/write others' profiles.

To do this, I’ve created a table called User in my Postgres database.

When a user logs in, I want this to happen:

  • We check the database to see if we have a record where the email matches the user. If it does, we send the record, otherwise, we create a new record and send that.

I could just send the e-mail address as plaintext from the client to the backend; but theoretically, User A could sign in on their account, get their own access token and id token, then run a curl sending someone else’s email address and be able to access their account.

Ideally I’d send the id token, which contains all the data I need, but how do I make sure that the id token actually matches the access token provided? That is - that it prevents user spoofing? Then, once I send the idToken, how do I extract the profile information from the idToken on the backend?

I’m using React/Redux on the front-end, Node/Express/Postgres on the backend.

This might not even be the right approach to the problem, so if you have any ideas, I’m open to them.

On the frontend, I get the user’s profile by calling new auth0.WebAuth({…blah blah blah}).client.userInfo(accessToken, (err, profile) => {}), however, I don’t think that code works on the backend.

(I get “Using browser-only version of superagent in non-browser environment” and “Error: Browser-only version of superagent could not find XHR”.)

One last note. If I DO send the id_token, can I verify that the id_token is identical to the (already verified) access_token provided in the header by decoding both the id_token and the access_token and comparing the “kid” in the header? That would solve the problem.

Also, if there’s a slack or discord channel for Auth0, I’d really like to hear about it.

Thanks.

Hey there!

Terribly sorry for such a delay in response! We’re doing our best to provide the best developer support experience out there, but sometimes our bandwidth is just not enough for all the questions that are coming in. Sorry for the inconvenience!

Do you still require further assistance from us?