Is it possible to sanitize/restrict data sent by Auth0-js.Management.getUser()?

The Context

I have an SPA (built with VueJS) that uses Auth0 with Google as the sole social connection. I set up the client with read:current_user create:current_user_metadata update:current_user_metadata scopes to allow users to manage their own user_metadata via auth0-js.Management.getUser() and auth0-js.Management.patchUserMetadata(). I also have a separate backend API for managing other data related to the app, but my plan was to just keep user profile info in Auth0. I’ve got my backend set up to serve as a proxy to Auth0’s Management API so that admins can do global user management.

The Problem/Question

As my app has evolved, it has become necessary to save some sensitive data in app_metadata that should never be sent to the frontend. My question:

  • Am I correct in believing that it is NOT possible to restrict what user data gets sent to the client via auth0-js.Management.getUser()?

Further Explanation

For example, from my backend (which uses auth0.ManagementClient), I can restrict the fields returned by doing something like:

// load the library
const mc = require('auth0').ManagementClient

// initialize a client
const client = new mc({ domain, clientId, clientSecret })

// query users, specifying fields to be left out
client.getUser({
  id: 'google-oauth2|1234567890',
  fields: 'app_metadata',
  include_fields: false
}).then(
  user => {
    // returned user will NOT have app_metadata attached
  }
)

However, with the web client, there doesn’t appear to be any way to specify which fields get returned:

// load the library
const auth0 = require('auth0-js')

// initialize a client; token created with `read:current_user` scope
const client = new auth0.Management({ domain, token })

// get user
client.getUser('google-oauth2|1234567890', function(err, user) {
  // returned user WILL have app_metadata attached
  // INCLUDING sensitive stuff that should NOT be sent to the client
})

I tried implementing a rule to remove the sensitive data from app_metadata, but apparently rules only get triggered during the actual authentication process, and are not applied to calls to getUser().

There’s an easy workaround for my problem. I can just stop using auth0-js.getUser() and force all user data requests to go through my backend API where I have more control.

I just want to make sure that I’m correct in thinking there’s no way to filter/sanitize/restrict what data gets sent to the client when using auth0-js.Management.getUser(). Is this understanding accurate?

Thanks!
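The workaround described above (route user reads through the backend and sanitize there) can be made robust by projecting the Management API user record onto an allow-list before it goes out, so a field added later is hidden by default rather than leaked by default. The following is an added example, not code from the thread or from the Auth0 SDKs; the field list, the `sanitizeUserForClient` name and the sample user record are assumptions and constructed data.

```javascript
// Added example (not from the original post): a backend-side projection that
// decides exactly which fields of an Auth0 user record may reach the SPA.
// It is meant to sit in the backend proxy between the ManagementClient.getUser()
// call and the HTTP response. Field list and sample data are constructed here.

// Allow-list: the only top-level fields the client is permitted to see.
const CLIENT_VISIBLE_FIELDS = [
  'user_id', 'email', 'email_verified', 'name', 'nickname', 'picture', 'user_metadata',
];

// Project a full user record down to the allow-listed fields. Everything not
// listed (app_metadata, identities, last_ip, ...) is dropped, so new sensitive
// fields are hidden by default instead of exposed by default.
function sanitizeUserForClient(user, allowed = CLIENT_VISIBLE_FIELDS) {
  if (user === null || typeof user !== 'object') {
    throw new TypeError('expected a user object');
  }
  const out = {};
  for (const key of allowed) {
    if (Object.prototype.hasOwnProperty.call(user, key)) {
      // JSON round-trip yields plain data detached from the source object,
      // so later edits to the response cannot mutate the cached record.
      out[key] = JSON.parse(JSON.stringify(user[key]));
    }
  }
  return out;
}

// Constructed sample of what a Management API getUser() call might return for a
// Google-connected user. Values are made up; only the shape matters here.
const SAMPLE_USER = {
  user_id: 'google-oauth2|1234567890',
  email: 'morgan@example.com',
  email_verified: true,
  name: 'Morgan Example',
  nickname: 'morgan',
  picture: 'https://example.com/avatar.png',
  user_metadata: { theme: 'dark' },
  app_metadata: { billing_customer_ref: 'cust_SAMPLE', internal_flags: ['beta'] },
  identities: [{ provider: 'google-oauth2', user_id: '1234567890', isSocial: true }],
  last_ip: '203.0.113.7',
};

// In a real handler the flow would be:
//   const user = await client.getUser({ id });   // backend ManagementClient
//   res.json(sanitizeUserForClient(user));
function demo() {
  return sanitizeUserForClient(SAMPLE_USER);
}

console.log(JSON.stringify(demo(), null, 2));
```

The allow-list is the security-relevant choice: denying `app_metadata` by name would work today, but the next sensitive field someone adds to the profile would slip through unless they remembered to extend the deny-list.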

Hi @morphatic,

Thanks for reaching out.

In regards to your specific question:

It is not possible. Even if you were able to specify which fields you would like to receive, a user could inspect their client and get the access token their SPA received and make their own requests to the management API with whichever fields they wanted. This is exactly why a SPA is limited to a few special scopes from the management API. app_metadata should be treated as read-only user data.

If the data is related to the authentication process and needs to be in the user’s profile (app_metadata) you could encrypt it.

Similar to this:

Otherwise, you could store it in a user DB that your API has access to.

Let me know if this helps.
Thanks,
Dan


Hi @dan.woda,

Thank you for the response! Regardless of whatever else I do, encrypting app_metadata is a fantastic idea, and I appreciate the link to the resource.

In the meantime, I’ve restricted the scope of the access_token to NOT include any metadata, and adjusted the architecture of my app so that it will ONLY make requests for sensitive information via my backend API so I’ll always get a chance to sanitize it before it reaches the client.

Cheers,
Morgan

@morphatic,

Glad that works for you!

Good luck going forward,
Dan
