Total.js + Auth0 = Iron Gate of Security – part 3/3

In the last part we focused on integration Total.js with Auth0. All presented solutions are using in practice by Agrippa Solutions from Norvey ( and JRB System ( from Poland. Total.js uses his own modules for security to protect restricted routing path of our REST API. Total.js has a simple authorization mechanism. It’s built on one delegate function framework.onAuthorize(). The authorization is asynchronous.

  • You can create your own authorization mechanism (total.js gives open options).
  • The authorization delegate is async.
  • You can authorize users according to the cookies / headers.
  • You can set user roles.
  • The authorization delegate adds authorize and unauthorize flag according to the state.
  • Is executed in each request.
  • Delegate does not handle static files.


In order to integrate integration of totaljs auth0 we have  to add a function JWT validating the correctness of our key (JWT token comes from auth0). In this situation path of authorisation will be following:

– function JWT checks the correctness of our key (JWT token comes from auth0): Auth0 ( sends to our total.js server jwt token placed in header authorization for instance:

Bearer dG8KD-M4tllmtaueG4w2vTmg0Q0342O6oqGQGds97PinUQTFsJEnCt3Eldy

In our authorisation module we get token from header of request and pass it to jsonwebtoken function verify.


Token is validating with using our secret key F.config.AUTH0_SECRED_KEY located in config file. F.config.AUTH0_SECRED_KEY value comes from Client Secret field on 


jwt.verify() returns decoded object contains our auth0_user_id in sub property. Value of auth0_user_id  is stored both on and total.js DB and we use auth0_user_id as key in relationships between  two authorisation systems: Auth0 and Total.js

Auth0 and user_id:

Total.js and auth0_user_id:

– total.js applies defined process of authorisation (validation if user exists in our db and his access rights)

Whole logic contained in /definitions/authorization.js

F.onAuthorize will be called for each of the following routes placed in /controllers. For instance I made a few Rest Api functions.

Routes called as Todos are protected by our hook/filter using [‘authorise’] key, end every access to them without authorisation will be finished error 401 – Unauthorized. Only one route is not protected – /list

Let’s make a test in our browser:

  1. 1. http://localhost:8000/todos – we see result as error 401 – Unauthorized

  1. 2. http://localhost:8000/list – we see result as list [1,2,3,4,5]


Expanded structure directories of client (React.js), Total.js and Auth0:

In case of catalogs structure:

  1. /client – React.js directory
  2. /definitions/authorization.js – file with authorisation logic
  3. /controllers/default.js – access to SPA application located in /views /public /client directories (React/Angular2 client)
  4. /controllers/api.js – Rest API functions protected by authorization mopochdule
  5. /views/index.html – main index.html our SPA
  6. /public/ – bundled files and another resources for index.html our SPA
  7. /databases/ – our NoSql database that stored information about registered users in our system (You can use another relational or non relational db)
  8. /models/user – definition of User structure stored in noSQL db

In case of configuration total.js side:

Create a config file in the the / project of total.js and add client id and Auth0 domain values to APP_AUTH0_CLIENT_ID, APP_AUTH0_DOMAIN, AUTH0_SECRED_KEY respectively.

VERY IMPORTANT: PROTECT YOUR AUTH0_SECRED_KEY – it should be stored only on server side



February 20th, 2017

  • I have to express my respect for your generosity giving support to men and women that really need guidance on the niche. Your personal commitment to passing the message up and down came to be really important and has consistently helped somebody like me to get to their goals. Your own interesting guideline indicates much a person like me and further more to my fellow workers. Thanks a ton; from everyone of us..

  • You made some first rate points there. I looked on the web for the issue and located most individuals will go together with with your website..

  • I happen to be commenting to let you know of the magnificent discovery our child found viewing your web page. She discovered many things, not to mention what it is like to possess an awesome helping character to let men and women just completely grasp specified tortuous matters. You actually exceeded her expectations. Many thanks for displaying these good, healthy, educational and cool tips on that topic to Lizeth..