I am rebuilding a database and website for a Chicago-based news company as a freelance developer. I am currently using create react app (CRA) as opposed to a custom webpack environment since the former supports running the application concurrently via a proxy (two separate package.json files). The latter, unfortunately, is only supported via the use of experimental react and react-dom packages. That said, I have several questions pertaining to configuring Auth0 for this app. First, since CRA is a SPA, would I use the single page web application type (for react) or the traditional web application type (for node) since API calls originate in back-end node controllers? I am using axios (or could use fetch) to connect the two in an API.jsx file in utils on the client side. Since there is a limit to three photos to be included for new users, I have consolidated controllers->routes->server in one image as follows:
Controllers communicate with mongoose schemas (models); the controllers are passed to routes which are then passed through the server. Since the app is running concurrently, the server ApiPORT=3030 whereas the AppPORT=3000 (default CRA PORT)
Client-Side and Server-Side are linked via a proxy in the client-side package.json
Currently, I have the following Auth0 configuration code in client/src (root of the react-app)
As you may have noticed in the server, I do have a MongoDB Atlas cluster I would like to use to store user information. I was wondering how exactly the data flow is executed in this regard? I have used a custom JWT method in another MERN app that were embedded in server-generated cookies via cookie-parser npm. It had four separate flags explicitly set for security. I want to use Auth0 for this business because it is the most bulletproof method and provides peace of mind. I am also wondering if I should use an Auth0 context provider if already using a react-redux store, and if so if this would be the correct approach for incorporating the Auth0 provider in the root?
One remaining question pertaining to the use of auth0_config.json files that are .gitignored; why not use a .env approach utilizing the dotenv npm (as I do on the server side in node)? Just noticed most SPA examples use a json file instead and was wondering why?
That all said, before proceeding further I thought it best to ask if what I’m doing is considered good practice and for any input, critiques, recommendations, etc…