Hello. I’m working on a web app and instead of rolling auth out myself, I’m using Auth0. So far, so good.
I’m using Auth0’s login service. And I’ve got login working using client-side login. Specifically: on the client side, I can get the access token and id token from the Auth0 service, and then store them in Redux.
So the next thing I want to do is give each user a profile page where they can write their own text. Notably:
- Each user should be able to write to their own profile
- Each user should be able to read their own profile
- Users should not be able to read/write others’ profiles.
To do this, I’ve created a table called User in my Postgres database.
When a user logs in, I want this to happen:
- We check the database to see if we have a record where the email matches the user. If it does, we send the record, otherwise, we create a new record and send that.
I could just send the e-mail address as plaintext from the client to the backend; but theoretically, User A could sign in on their account, get their own access token and id token, then run a curl sending someone else’s email address and be able to access their account.
Ideally I’d send the id token, which contains all the data I need, but how do I make sure that the id token actually matches the access token provided? That is - that it prevents user spoofing? Then, once I send the idToken, how do I extract the profile information from the idToken on the backend?
I’m using React/Redux on the front-end, Node/Express/Postgres on the backend.
This might not even be the right approach to the problem, so if you have any ideas, I’m open to them.
On the frontend, I get the user’s profile by calling new auth0.WebAuth({…blah blah blah}).client.userInfo(accessToken, (err, profile) => {}); however, I don’t think that code works on the backend.
(I get “Using browser-only version of superagent in non-browser environment” and “Error: Browser-only version of superagent could not find XHR”.)
One last note. If I DO send the id_token, can I verify that the id_token is identical to the (already verified) access_token provided in the header by decoding both the id_token and the access_token and comparing the “kid” in the header? That would solve the problem.
Also, if there’s a slack or discord channel for Auth0, I’d really like to hear about it.
Thanks.