Most of the Auth0 API examples discuss gating endpoints based on whether a user is logged in vs not & whether a user has a role which would allow them to access that endpoint. eg Node.js and TypeScript Tutorial: Secure an Express API or indeed the docs for Express which use checkJwt to gate endpoints: Node (Express) API: Authorization - Auth0 Docs
..but I feel like this is missing an important piece mapping users : data, ie user A should be able to access the data they own while user B should be able to access their own data. With my existing client side use of Auth0 I was already able to detect usernames and therefore store CRUD objects with user ids, names, or emails, and I can sort of check if those match.. but that doesn’t seem secure without a validated server : client connection using some Auth0 code.
Is this a supported use case? Are there any good examples/tutorials for this? A pseudocode I’d like to run on the server would be something like:
function getAllCrudObjectsForUser(someAuth0UserObject) {
if not someAuth0UserObject.isAuthenticated
return ['some unauthenticated objects']
userId = someAuth0UserObject.someIdVariable
return myDatabase.search(crudObjects.userId === userId)