Match URL with parameter when using AuthModule HttpInterceptor

Auth0 provides the AuthHttpInterceptor to automatically attach a Bearer token to an outgoing HTTP request. You can set up the interceptor to match specific route URLs in the App.Module by doing the following:

AuthModule.forRoot({
  ...env.auth,
  httpInterceptor: {
    // Requests to URLs in this list get the Bearer token attached
    allowedList: [
      `http://localhost:5050/api`,
    ]
  }
})

I have a URL that takes a template parameter in the URL, so the URL will be something like

http://localhost:5050/api/123

You can use a wildcard to match all of the routes that start with that URL by doing http://localhost:5050/api/*

The above is great, but it means that the Bearer token is exposed to all routes that match the wildcard, which could be a security vulnerability.

I want to be able to match the route when I don’t know what the template parameter will be ahead of time. So I want something that will match

http://localhost:5050/api/123
http://localhost:5050/api/456
http://localhost:5050/api/abc456
etc

However, if I provide the allowed list with http://localhost:5050/api or http://localhost:5050/api/ it doesn’t work.

How can I do this?

Hi @jakemangan1,

Just to clarify, are you wanting to send an Access Token with every request that follows the pattern of http://localhost:5050/api/* (for example, http://localhost:5050/api/123 or http://localhost:5050/api/abc456), but not allow something like http://localhost:5050/api/*/some-other-url-param (for example, http://localhost:5050/api/abc456/profile)?

Unfortunately, I don’t believe there is a way to configure an allowedList with anything but hard-coded URLs or a wildcard at the end of the URL, but I can double-check if this sounds like what you are looking for.
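The distinction raised in this reply, shown as an added example that is not part of the original thread or of the Auth0 SDK: a trailing-wildcard match, modelled here as a plain prefix match on the assumption that it behaves as the thread describes, compared with a strict match on exactly one path segment. The function names and the query-string sample URL are constructed for illustration.

```typescript
// Added example. Function names are hypothetical; this is not SDK code.
const API_BASE = "http://localhost:5050/api"; // base URL from the thread

// Assumed model of "base/*": any URL that starts with "base/" matches.
function matchesTrailingWildcard(pattern: string, url: string): boolean {
  if (pattern.charAt(pattern.length - 1) !== "*") {
    return url === pattern; // no wildcard: exact match only
  }
  const prefix = pattern.slice(0, -1);
  return url.indexOf(prefix) === 0;
}

// Strict alternative: base + "/" + exactly one non-empty segment.
function matchesSingleSegment(base: string, url: string): boolean {
  // Ignore query string and fragment when inspecting the path.
  const path = url.replace(/[?#][\s\S]*$/, "");
  const prefix = base + "/";
  if (path.indexOf(prefix) !== 0) {
    return false;
  }
  const segment = path.slice(prefix.length);
  // Letters, digits, "_" and "-" only: rejects "/", "..", and "%2F".
  return /^[A-Za-z0-9_-]+$/.test(segment);
}

// URLs from the thread, plus one constructed URL with a query string.
const SAMPLE_URLS: string[] = [
  "http://localhost:5050/api/123",
  "http://localhost:5050/api/456",
  "http://localhost:5050/api/abc456",
  "http://localhost:5050/api/abc456/profile",
  "http://localhost:5050/api/123?expand=true", // constructed
];

// Returns the URLs that would have the Bearer token attached.
function tokenRecipients(
  urls: string[],
  match: (u: string) => boolean
): string[] {
  return urls.filter((u) => match(u));
}

const wildcardHits = tokenRecipients(SAMPLE_URLS, (u) =>
  matchesTrailingWildcard(API_BASE + "/*", u)
);
const strictHits = tokenRecipients(SAMPLE_URLS, (u) =>
  matchesSingleSegment(API_BASE, u)
);
```

Here the wildcard model attaches the token to all five sample URLs, including the nested /profile route, while the strict matcher leaves that one out.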

Hi,

I’m also implementing this in my Angular 10 web app.
But for some reason it doesn’t work. It doesn’t apply the interceptor for my requests.
I have followed the setup here.
So this is for my localhost dev setup that uses CORS, and I’m not sure if that interferes with HTTPInterceptor as well. Will do more research on my end and will try a build that runs from the same-origin to avoid CORS.

I’m using "@auth0/auth0-angular": "^1.3.2" version. Any ideas what could cause this?

Mohammad

Hi @mohammadz and @jakemangan1,

Unfortunately, the allowedList property only supports a wildcard at the end of the URL as I suspected. If you’d like to see the support of more complex patterns, it would be great to get your feedback and details of your use-case in our feedback category:

Hi,

That’s good to know that it accepts wildcards.
My issue is related to this module but different, I’ll make another post to explain it.
