Total.js + Auth0 = Iron Gate of Security – part 3/3

In this last part we focus on integrating Total.js with Auth0. All presented solutions are used in practice by Agrippa Solutions from Norway (www.agrippa.no) and JRB System (www.jrbsystem.com) from Poland. Total.js uses its own security module to protect the restricted routes of our REST API. Total.js has a simple authorization mechanism built on one delegate function, framework.onAuthorize(). The authorization is asynchronous.
- You can create your own authorization mechanism (total.js gives open options).
- The authorization delegate is async.
- You can authorize users according to the cookies / headers.
- You can set user roles.
- The authorization delegate adds the authorize or unauthorize flag according to the state.
- It is executed in each request.
- Delegate does not handle static files.
In order to integrate Total.js with Auth0 we have to add a JWT function that validates the correctness of our key (the JWT token comes from Auth0). The authorisation path is then the following:
– The JWT function checks the correctness of our key: Auth0 (auth0.com) sends a JWT token to our Total.js server, placed in the Authorization header, for instance:
Bearer dG8KD-M4tllmtaueG4w2vTmg0Q0342O6oqGQGds97PinUQTFsJEnCt3Eldy
In our authorisation module we read the token from the request header and pass it to the jsonwebtoken verify function.
The token is validated using our secret key F.config.AUTH0_SECRED_KEY, located in the config file. The F.config.AUTH0_SECRED_KEY value comes from the Client Secret field on auth0.com.
jwt.verify() returns a decoded object containing our auth0_user_id in the sub property. The value of auth0_user_id is stored both on auth0.com and in the Total.js DB, and we use auth0_user_id as the key relating the two authorisation systems, Auth0 and Total.js.
Auth0 and user_id:
Total.js and auth0_user_id:
– Total.js applies the defined authorisation process (validating that the user exists in our DB and checking his access rights).
The whole logic is contained in /definitions/authorization.js.
F.onAuthorize will be called for each of the routes placed in /controllers. For instance, I made a few REST API functions.
Routes called Todos are protected by our hook/filter using the [‘authorise’] key, and every access to them without authorisation finishes with error 401 – Unauthorized. Only one route is not protected: /list.
Let’s make a test in our browser:
1. http://localhost:8000/todos – we see error 401 – Unauthorized
2. http://localhost:8000/list – we see the list [1,2,3,4,5]
Expanded directory structure of the client (React.js), Total.js and Auth0:
Directory structure:
- /client – React.js directory
- /definitions/authorization.js – file with authorisation logic
- /controllers/default.js – access to the SPA application located in the /views, /public and /client directories (React/Angular2 client)
- /controllers/api.js – REST API functions protected by the authorization module
- /views/index.html – main index.html of our SPA
- /public/ – bundled files and other resources for the index.html of our SPA
- /databases/ – our NoSQL database storing information about users registered in our system (you can use another relational or non-relational DB)
- /models/user – definition of the User structure stored in the NoSQL DB
Configuration on the Total.js side:
Create a config file in the / root of the Total.js project and add the client id, Auth0 domain and secret values to APP_AUTH0_CLIENT_ID, APP_AUTH0_DOMAIN and AUTH0_SECRED_KEY respectively.
VERY IMPORTANT: PROTECT YOUR AUTH0_SECRED_KEY – it should be stored only on the server side.