I am trying to implement Auth0 authentication with MERN stack.
However, it is confusing because React only seems to be communicating with the Auth0 server when authenticating as shown in the tutorial here.
So is the nodeJS server then assuming that any token sent from the client is legit? the server doesn't do any authentication of the token sent from the client? Isn't this quite risky as tokens are stored in LocalStorage on the front end?
1 Answer
You are correct in saying that at this point your resource server is not protected. The tutorial you are referring to only authenticated the user via the auth0 authentication API. However, you still need to protect the resource server.
A basic standard flow would be: user requests protected resource from the front end -> front end sends access token from local storage to Node server -> Node server accepts access token -> Node server decodes access token, does multiple validity checks (expiry, audience, etc) -> Node server return protected resource if access token passes checks.
So you just need to set up your Node server to accept and check JWTs.