Learn
Learn
Learn web development from expert teachers. Build real projects, join our community, and accelerate your career
Get Started
Fullstack Rust Fullstack Node.js Fullstack D3 Fullstack React Fullstack React with TypeScript more →
The newline Guide to Building Your First GraphQL Server with Node and TypeScript
In this course, we'll show you how to create your first GraphQL server with Node.js and TypeScript
Enroll for free
Teach
Teach
Share your knowledge with others, earn money, and help people with their career
Apply Now
Apply To Teach A Course What Our Teachers Say
Amelia Wattenberger
Author of Fullstack D3
"Writing Fullstack D3 was a thoroughly enjoyable, fun process.

The writing was over before I knew it, and we've sold way more copies than I expected! Plus, the compliments from my peers have been really amazing."
Community
Community
Get help with programming projects, find collaborators, and make friends
Join Now
Join our Discord Server Listen to the Podcast What Our Students Say
Featured Podcast
A Software Engineer's Guide to Venture Capital with AngelList Engineer Sumukh Sridhara
While many engineers work at startups or are interested in starting their own company, venture capital can seem like a total mystery. In this episode, we talk about how venture capital firms function, how VCs make money - and...
Listen to the full episode
Tutorials

This video is available to students only

JWT Based Security

Securing the application with JSON Web Tokens

Lesson
Discussion

Securing the App#

Up until this point, we have been making great progress, but our backend API is unsecured. We will address security in this module by using JSON Web Tokens (JWTs).

JWTs are an industry-standard way of representing identity that can be used to authenticate and authorize an API call.

Once you have an actual JWT, the security mechanism is pretty straight forward. You attach the JWT to your API request header and then the backend API validates the JWT prior to handling the request.

Here's an example API request with a JWT:

GET /api/lunch-week
Header
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjVoc1FKZ3BKdU9fV3FVLTdCQUd3ViJ9.eyJpc3MiOiJodHRwczovL2Rldi0tNmFlOGJ4aS51cy5hdXRoMC5jb20vIiwic3ViIjoiYXV0aDB8NWY0YTcwYTZjNjQ3OGIwMDY3ZDg2ODk1IiwiYXVkIjpbImh0dHBzOi8vZGV2LS02YWU4YnhpLnVzLmF1dGgwLmNvbS9hcGkvdjIvIiwiaHR0cHM6Ly9kZXYtLTZhZThieGkudXMuYXV0aDAuY29tL3VzZXJpbmZvIl0sImlhdCI6MTU5OTg1OTcwOSwiZXhwIjoxNTk5OTQ2MTA5LCJhenAiOiI4SEx5VVhTSkd3NWI0MW5ob1U1MmVVaFA3OUwyeDlPNSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgZW1haWwifQ.nJvx5iNdZvUHDTTcBzEIe_uIqzKDSMF-F-_tpKNl-YIlm3W_u-A-TorkZZV7qYnEJ4BiEOdKuzZtrvyRYRKLYvr7HEJwXrqWsUs8NHcLlnkxmeEkagMFRpx9L_S8ZP_owfjzY0TbddL-xSE7OwKZLkYtK8TKy1b1I2DsKuIozwNKGm-vhAowYUmGCvBtBl3-MaVPvJT10tEeDJuHTGukEK6TWeFCi3BKPdRmn1W0t0_UPwL270wYUw5G-PdvO-IAZS9RHjE6Vh2tg8vR2AbBVZvXTkYiBLJbRpJ53LkwzwIClLn4RVHUqapHG-xxGEYBP--zGHn5xaOUjJ7pd-25Nw

For this course, we are going to integrate with Auth0, a third party service. Auth0 will generate JWTs and manage users for our app. To get started, head over to https://auth0.com and sign up for a free account.

Creating an Auth0 Application#

Once you get logged into the Auth0 dashboard, navigate to the Applications section and Create Application. Choose the Single Page Application option. You can call the application school-lunch-frontend:

Creating a Test User#

Next, go to the Users & Roles menu and choose Create User. Complete the form to create a test user, making sure to remember the password you use.

Integrating Auth0 with the Frontend Application#

We need to take a few steps to integrate Auth0 into the frontend Svelte application. Here's an overview of how this process will work:

For frontend lunch administration pages that need security, determine whether the user is currently authenticated
If the user is not authenticated, redirect the user to the Auth0 login page and provide Auth0 with a callback URL
The user logs in and Auth0 redirects the user back to the callback URL provided in step 2
When Auth0 redirects back, it will provide a special code in the callback URL, e.g., http://localhost:5000/callback/code=kjsdlnliksdfsdf
The Svelte app will then parse the callback URL and receive the user's JWT
Store the user's JWT in the browser's localStorage so that it will be persistent across tabs and available for API calls

Ok, it's a lot of steps and sounds complicated, but hopefully it will make more sense as we work through the code.

First, install the Auth0 SPA library in the frontend application:

$ npm install @auth0/auth0-spa-js@1.12.0

Next, we are going to update the AdminLayout component that we already use for all Admin pages. We'll add our Auth0 onMount code and a logout button.

Working with AdminLayout.svelte add a Logout button to the markup and stub out a logout function:

<script>
  ...other script stuff
  const logout = async () => {
    // todo
  }
</script>
<div>
  {#if initialized}
    <button class="button is-light is-small" style="float: right;" on:click="{() => logout()}">Logout</button>
    <Route {currentRoute} />
  {/if}
</div>

Now, we can use the Auth0 library in the onMount function and handle authentication, but first, there are a couple of places where we will need Auth0 config, so go ahead and create a file called auth0-config.js in the frontend/src directory of the project.

You can find the config values needed by looking at the school-lunch-frontend Application in the Auth0 console.

// src/auth0-config.js
const auth0Config = {
  audience: 'https://<YOUR AUTH0 DOMAIN>/api/v2/',
  domain: '<YOUR AUTH0 DOMAIN>',
  client_id: '<YOUR AUTH0 CLIENT ID>',
  cacheLocation: 'localstorage',
}
export default auth0Config

Back to the AdminLayout.svelte file, import auth0-config and createAuth0Client. Then we'll add a bit of code to check the authentication state of the current user. If the current user is not authenticated, then redirect to Auth0 for login.

Update the onMount function to add the following Auth0 related code. For now, we're still setting a test user in the user store. We'll address this in the next lesson.

import createAuth0Client from '@auth0/auth0-spa-js'
import auth0Config from '../../auth0-config'
onMount(async () => {
  let auth0 = await createAuth0Client(auth0Config)
  const authenticated = await auth0.isAuthenticated()
  if (!authenticated) {
    await auth0.loginWithRedirect({
      redirect_uri: `${window.location.origin}/callback`,
      appState: window.location.pathname,
    })
  } else {
    user.set({
      name: 'Test User',
      schoolName: 'Test School',
    })
    initialized = true
  }
})

At this point, if we go to test this code, we'll get an error in the browser's console. We need to set Allowed Callback URLs and Allowed Web Origins in the Auth0 dashboard.

In Auth0 under Applications > school-lunch-frontend > Settings, add the following:

Add http://localhost:5000 and http://localhost:5000/callback to the Allowed Callback URLs field.
Add http:/localhost:5000 to the Allowed Web Origins field.
Add http:/localhost:5000 to the Allowed Logout URLs field as well.

Make sure to hit the Save Changes button at the bottom of the page.

This time, when you test the application by refreshing, you should be redirected to an Auth0 login page. Enter the credentials you used for your test user and sign in.

You should be redirected back to to localhost:5000/callback, however, since we have not created that route yet, you will should see localhost:5000/404.html.

When you signed in, you saw the Auth0 login page. You can customize the look and feel of this page in the Auth0 dashboard under Universal Login.

Additionally, as the user, you may have granted consent to login to the School Lunch application. You can configure Auth0 to skip the consent question under APIs > Auth0 Management API > Settings > Allow Skipping User Consent.

This page is a preview of Fullstack Svelte

Previous Lesson:

The Lunch Week Details Component

Next Lesson:

Evolving the App to Multi Tenant

-:--2

Please select a discussion on the left.

Latest Book

Terms of Service
Privacy

Learn

The newline Guide to Building Your First GraphQL Server with Node and TypeScript

Teach

Amelia Wattenberger

Author of Fullstack D3

Community

Featured Podcast

A Software Engineer's Guide to Venture Capital with AngelList Engineer Sumukh Sridhara

Fullstack Svelte

Welcome: Introduction

Introduction:

Start Here

Introduction: (5:23)

Fullstack Svelte Course Overview

Module 1: Setting Up A Development Environment

Lesson 1: (4:12)

Development Environment Setup

Lesson 2: (7:04)

Initializing a Svelte Project

Lesson 3: (9:25)

Setting up a Formatter and Linter

Module 2: Front End Routing

Lesson 1: (20:16)

Single Page Application Routers

Lesson 2: (11:36)

Front End Layouts

Module 3: User Interface Styles and Interactions

Lesson 1: (6:15)

Front End Component Libraries

Lesson 2: (6:38)

Creating a Landing Page

Lesson 3: (13:47)

Events and Input Bindings

Module 4: Creating the Backend Application

Lesson 1: (16:48)

Initializing an Express Project

Lesson 2: (10:52)

REST API Endpoints

Lesson 3: (13:47)

School Lunch Data Model

Module 5: Fetching Data in the Frontend

Lesson 1: (14:34)

Fetching Data with Axios

Lesson 2: (10:59)

Svelte Each Blocks

Lesson 3: (6:36)

Showing Loading Spinner Icons

Lesson 4: (5:31)

Externalizing Frontend Configuration

Module 6: Adding Persistence with PostgreSQL

Lesson 1: (7:18)

Installing PostgreSQL and Initial Setup

Lesson 2: (12:37)

Knex Migrations

Lesson 3: (15:32)

Using Knex with Express

Lesson 4: (21:57)

Adding Post, Put and Delete Endpoints

Module 7: Creating, Updating and Deleting Data in the Frontend

Lesson 1: (22:32)

Deleting Data with the Front End

Lesson 2: (9:45)

Creating Data with the Front End

Lesson 3: (28:42)

The Lunch Week Details Component

Module 8: Securing the Application

Lesson 1: (37:19)

JWT Based Security

Lesson 2: (35:05)

Evolving the App to Multi Tenant

Lesson 3: (36:25)

User Registration

Module 9: Public Lunch Menu View

Lesson 1: (20:35)

Public Lunch Week Page

Module 10: Production Deployment

Lesson 1: (13:35)

Building and Serving Svelte

Lesson 2: (23:56)

Production Deployment