Hi @zachariah.howell
Welcome to the Auth0 Community!
I am sorry about the delayed response to your inquiry!
The pattern you’re looking for is often referred to as user-level authorization or data ownership, and it is a fully supported use case by Auth0. The essential link you’re missing has already been provided to your application: the Access Token.
A validated Access Token is the secure bridge between the client and the server. You can use a middleware like the checkJwt one, which validates the token and then attaches its payload to the request object. This payload contains the user’s unique identifier, known as the sub claim. You must use this claim from the token as the sole identifier for all database queries related to that user’s data.
The someAuth0UserObject from your example is, in practice, the payload of the JWT. The modern express-oauth2-jwt-bearer library attaches this object at req.auth.
To get things started, you will need to use the recommended library: express-oauth2-jwt-bearer
You will need to configure it in your server.js file as such:
```javascript
// server.js
const express = require('express');
const { auth } = require('express-oauth2-jwt-bearer');
const app = express();

// checkJwt validates the bearer token's signature, issuer, audience and expiry.
// Replace the placeholders with your API identifier and Auth0 tenant domain.
const checkJwt = auth({
  audience: 'YOUR_API_AUDIENCE',
  issuerBaseURL: `https://YOUR_AUTH0_DOMAIN/`
});
```
Once you have done so, you will need to secure the endpoint using the claim mentioned beforehand, by having checkJwt validate that the user is logged in. Once this is confirmed, inside the route handler, it will retrieve the user’s unique ID and use it to query any necessary information. To provide you an example, it should look like this:
```javascript
// server.js (continued) - an in-memory store standing in for your database
const allCrudObjects = [
  { id: 1, owner_id: 'auth0|user_A_id', data: "User A's secret" },
  { id: 2, owner_id: 'auth0|user_A_id', data: "User A's other secret" },
  { id: 3, owner_id: 'auth0|user_B_id', data: "User B's private data" },
];

// checkJwt runs first; the handler only executes for a valid token.
app.get('/api/my-objects', checkJwt, (req, res) => {
  // The sub claim comes from the verified token, never from the client's input.
  const auth0UserId = req.auth.payload.sub;
  const userSpecificData = allCrudObjects.filter(
    obj => obj.owner_id === auth0UserId
  );
  res.json(userSpecificData);
});
```
If you need extra validation along the way, you can add custom claims inside the Access Token using a Post-Login Action. You can add things such as roles, department data or other app_metadata which the user should not be able to modify. You can do that as such:
```javascript
// In Auth0 Dashboard > Actions > Post-Login
exports.onExecutePostLogin = async (event, api) => {
  // app_metadata is set by administrators, not editable by the user
  const department = event.user.app_metadata.department;
  if (department) {
    // Custom claims must be namespaced (a URL) to avoid collisions with standard claims
    api.accessToken.setCustomClaim('https://my-api.com/department', department);
  }
};
```
You can then access this in your Express route via req.auth.payload['https://my-api.com/department'] and use it in your secure filtering logic.
If you have any other questions regarding the matter, please let me know!
Kind Regards,
Nik
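As an added example that is not part of the post above or of the Auth0 library, the following factors the ownership check out of the Express layer so it can be run and tested without a server. It goes beyond the post's list endpoint by also covering a single-object route, where a non-owner must receive the same 404 as a missing id, and a department-scoped list driven by the custom claim the post's Action sets. The payload shape ({ sub, ...customClaims }) is what express-oauth2-jwt-bearer exposes as req.auth.payload; the sample store, the department field and the asExpressHandler adapter are constructed for this example.

```javascript
// Added example, not from the original post or the Auth0 library: ownership
// checks factored out of the HTTP layer so they can be tested without Express.
// Assumes the payload shape ({ sub, ...customClaims }) that
// express-oauth2-jwt-bearer exposes as req.auth.payload.
const DEPT_CLAIM = 'https://my-api.com/department'; // namespaced custom claim from the Action

// Constructed sample data in the shape of the post's allCrudObjects, plus a department
const allCrudObjects = [
  { id: 1, owner_id: 'auth0|user_A_id', department: 'finance', data: "User A's secret" },
  { id: 2, owner_id: 'auth0|user_A_id', department: 'finance', data: "User A's other secret" },
  { id: 3, owner_id: 'auth0|user_B_id', department: 'sales', data: "User B's private data" },
];

// Every handler takes the verified token payload (never a client-supplied user id)
// and returns { status, body } so an HTTP adapter can send it.
function requireSub(payload) {
  return Boolean(payload) && typeof payload.sub === 'string' && payload.sub.length > 0;
}

function listOwnedObjects(payload, params = {}, store = allCrudObjects) {
  if (!requireSub(payload)) return { status: 401, body: { error: 'unauthenticated' } };
  return { status: 200, body: store.filter((o) => o.owner_id === payload.sub) };
}

function getOwnedObject(payload, params = {}, store = allCrudObjects) {
  if (!requireSub(payload)) return { status: 401, body: { error: 'unauthenticated' } };
  const id = Number(params.id);
  if (!Number.isInteger(id) || id < 1) return { status: 400, body: { error: 'invalid id' } };
  // Match id AND owner in a single lookup: a caller asking for someone else's
  // object gets the same 404 as for a non-existent id, so ids cannot be enumerated.
  const obj = store.find((o) => o.id === id && o.owner_id === payload.sub);
  return obj ? { status: 200, body: obj } : { status: 404, body: { error: 'not found' } };
}

function listDepartmentObjects(payload, params = {}, store = allCrudObjects) {
  if (!requireSub(payload)) return { status: 401, body: { error: 'unauthenticated' } };
  const dept = payload[DEPT_CLAIM];
  // The claim is set server-side by the Post-Login Action from app_metadata,
  // so its absence means the user has no department rather than a bad request.
  if (typeof dept !== 'string') return { status: 403, body: { error: 'no department claim' } };
  return { status: 200, body: store.filter((o) => o.department === dept) };
}

// Hypothetical adapter for Express, e.g.
//   app.get('/api/my-objects/:id', checkJwt, asExpressHandler(getOwnedObject));
// It is not invoked here, so this file runs without Express installed.
function asExpressHandler(handler) {
  return (req, res) => {
    const payload = req.auth ? req.auth.payload : undefined;
    const { status, body } = handler(payload, req.params || {});
    res.status(status).json(body);
  };
}
```

Because the owner condition is part of the lookup itself rather than a check performed after fetching by id, there is no code path that loads another user's object and then forgets to compare owners; the same shape applies to a real database query (a WHERE clause on both id and owner_id).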