Total.js + Auth0 = Iron Gate of Security – part 2/3

In previous post (read post) become described integration Auth0 with React.js. In current post we will focus on backend side of our system – integration Auth0 with Total.js. At the beginning we will focus on the assumptions of our project and we will discuss these points.

Assumptions, and Security Levels our project:
First Level – Auth0 defines security channel our created Client on dashboard
– defines source authorisation e.g. twitter, facebook, email, gmail or anothers
– defines security key’s: Client Id, Domain, Secret Key – client after authorisation uses only dedicated channel 

– defines callback url’s – client connection’s will not be able to be redirected to another URL
– defines expiration time of token used both in inside client (routing to links) and with node.js as backend side

Second Level auth0 and client: by client applications understand the browser and mobile based applications React, Angular2, Vue and not only. Auth0 module on client side works both in on-line or offline mode (Yes, that really true. It works in case of  broken internet connection  or as very good solution for mobile app where connection is only in the some of our range e.g. huge warehouses, factories). In case of offline mode communication is limited by the time the session expires. For offline mode very good solution is using local storage. In on-line mode in SPA application we can use auth0 functions in routing to another links  inside our app and without total.js (or another backend system). We use communication with with Total.js e.g. only in case of access to rest api functions and in the first step of authorisation (check if user id exists also in our db)


Third Level auth0 and Total.js: Total.js uses his own modules for security to protect restricted routing path of our REST API. Total.js has a simple authorization mechanism. It’s built on one delegate function framework.onAuthorize(). The authorization is asynchronous.

  • You can create your own authorization mechanism (total.js gives open options).
  • The authorization delegate is async.
  • You can authorize users according to the cookies / headers.
  • You can set user roles.
  • The authorization delegate adds authorize and unauthorize flag according to the state.
  • Is executed in each request.
  • Delegate does not handle static files.

source: docs of total.js

In order to integrate integration of totaljs auth0 we have  to add a function JWT validating the correctness of our key (JWT token comes from auth0). In this situation path of authorisation will be following:

– function JWT checks the correctness of our key (JWT token comes from auth0)
– total.js applies defined process of authorisation (validation if user exists in our db and his access rights)

Whole logic will be contained in /definitions/authorization.js

To implementation JWT validation we will apply jsonwebtoken npm module (read more)

Expanded structure directories of client (React.js), Total.js and Auth0:

In case of catalogs structure:

  1. /client – React.js directory
  2. /definitions/authorization.js – file with authorisation logic
  3. /controllers/default.js – access to SPA application located in /views /public /client directories (React/Angular2 client)
  4. /controllers/api.js – Rest API functions protected by authorization mopochdule
  5. /views/index.html – main index.html our SPA
  6. /public/ – bundled files and another resources for index.html our SPA
  7. /databases/ – our NoSql database that stored information about registered users in our system (You can use another relational or non relational db)
  8. /models/user – definition of User structure stored in noSQL db

In case of configuration total.js side:

Create a config file in the the / project of total.js and add client id and Auth0 domain values to APP_AUTH0_CLIENT_ID, APP_AUTH0_DOMAIN, AUTH0_SECRED_KEY respectively.

VERY IMPORTANT: PROTECT YOUR AUTH0_SECRED_KEY – it should be stored only on server side


In the next part we will focus on /definitions/authorization.js file and REST API

February 14th, 2017