Next.js SDK - matching Auth0 users to internal API users

  • Which SDK this is regarding: nextjs-auth0
  • SDK Version: 1.7.0
  • Platform Version: Next.js 12.0.8

I am building a Next.js app that acts as a web front end for an internal API. The internal API is opaque - i.e. I cannot make any changes to it, it is provided by a 3rd party. I am trying to map external users to the internal API userid.

I am currently doing this by using Auth0’s app_metadata field and it seems to work quite well from a functionality perspective - the user can log in via Auth0/Next.js and hit a Next.js-provided API page to get and update that user’s data from the internal API by reading the app_metadata value from the user session.

My frontend pages are protected using the withPageAuthRequired helpers and my Next.js API proxies are using withApiAuthRequired.

The crux of the question - this app handles a lot of PII (Personally Identifiable Information) and as such I need to be 100% sure that every request is only going to the user it is intended for. So - is storing the userid in app_metadata appropriate for this, or should I have an internal database map the Auth0 id to the API userid? The userid in itself is not sensitive - a UUID - so I don’t mind exposing this to the user.

Following on from this - if app_metadata is an appropriate place to store this data - does the Next.js SDK do any cookie/session validation to check for tampering, or do I need to do this myself somehow? For example, could I maliciously modify my session cookie to set the userid map to a different value?

Any thoughts or pointers to best practices would be much appreciated.
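Added example, not code from the original post or from the nextjs-auth0 project: a sketch of the proxy route described above that enforces the one invariant the question is about, namely that the internal API userid comes only from the server-side session and never from anything the client sends. It assumes an Auth0 Action copies app_metadata.internal_user_id into the namespaced ID-token claim named in the code (claim name and internal API base URL are made up), and getSession and fetch are injected so the logic runs without a Next.js server.

```javascript
// Assumed claim name: an Auth0 Action is expected to copy
// app_metadata.internal_user_id into this namespaced claim, which then
// appears on session.user in nextjs-auth0.
const INTERNAL_ID_CLAIM = "https://example.com/internal_user_id";
// Loose UUID shape check (any version); the internal API ids are UUIDs.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// The only source of truth for "which internal user is this request for"
// is the authenticated server-side session. req.query and req.body are
// never consulted for the id.
function resolveInternalUserId(session) {
  const id = session && session.user && session.user[INTERNAL_ID_CLAIM];
  if (typeof id !== "string" || !UUID_RE.test(id)) {
    return null; // unmapped or malformed: refuse rather than guess
  }
  return id;
}

// Builds a Next.js API route handler. In a real route you would export
// withApiAuthRequired(buildHandler({ getSession, fetchImpl: fetch, baseUrl }))
// from @auth0/nextjs-auth0; the wrapper rejects unauthenticated requests
// before this code runs. The handler also returns its outcome so it can be
// checked without an HTTP server.
function buildHandler({ getSession, fetchImpl, baseUrl }) {
  return async function handler(req, res) {
    const session = await getSession(req, res);
    const internalId = resolveInternalUserId(session);
    if (!internalId) {
      res.status(403).json({ error: "no internal user mapping for this login" });
      return { status: 403, target: null };
    }
    // A client-supplied userId that differs from the session mapping is a
    // tampering signal worth logging; it is never honoured.
    const requested = req.query && req.query.userId;
    if (requested && requested !== internalId) {
      console.warn(`userId mismatch: query=${requested} session=${internalId}`);
      res.status(403).json({ error: "userId does not match session" });
      return { status: 403, target: null };
    }
    // Hypothetical internal endpoint; the id is path-encoded before use.
    const target = `${baseUrl}/users/${encodeURIComponent(internalId)}`;
    const upstream = await fetchImpl(target, { method: req.method });
    res.status(upstream.status).json(await upstream.json());
    return { status: upstream.status, target };
  };
}
```

For the cookie question: nextjs-auth0 stores the session in a cookie encrypted with a key derived from AUTH0_SECRET, so a cookie edited in the browser fails decryption and yields no session rather than a different userid, while the checks above cover what encryption does not (a missing or malformed mapping, and ids supplied by the client).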