
I have two separate servers, an nginx for the frontend and nodejs for the backend, running on the same machine. The frontend is available via https and is authenticated using auth0. I have created a tenant and a single page application and set the audience, callback url, etc.

The authentication via the frontend works well.

The backend is accessible via a reverse proxy (using the same nginx server) on /api, which forwards the requests to localhost.

Since I use a reverse proxy, the backend is available also directly by calling /api and therefore, is not secure.

I am passing the auth0 cookies (I am using Username-Password-Authentication) to the server.

How can I ensure that the calls to the backend (running express.js) originate from an authenticated user? What should be added to the backend in order to support that?

Thank you.

shaolintl
  • Alternative approach: You can prevent calls from elsewhere to your backend by making it listen only on localhost: `app.listen(80, "localhost", function() {...})`. – Heiko Theißen Jun 04 '22 at 16:37
  • send the JWT access token to the back; verify it there (how?: https://stackoverflow.com/a/71564958/8757883) – Akber Iqbal Jun 05 '22 at 22:58
  • Thanks @HeikoTheißen, the app listens on localhost only but due to CORS, I use a reverse proxy to access it. – shaolintl Jun 06 '22 at 19:50
  • Thank you @AkberIqbal, I will try your solution and if I do not manage, I will check the option of just allowing the server to access localhost and deal with the CORS. – shaolintl Jun 06 '22 at 19:50
  • Hi @AkberIqbal, thank you again. In fact, auth0 itself has information of how to validate the token, under API::Quick Start. I got confused by how it works but now it is clearer. Thanks again. – shaolintl Jun 07 '22 at 15:14

0 Answers