Skip to content

Proof-of-concept application I developed as a take home project.

Notifications You must be signed in to change notification settings

rdowinton/pizza

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Pizza 42 Proof-of-concept

This PoC includes a pizza website that demonstrates how you can integrate with Auth0 with the following requirements:

  • Users can sign up only by username and password.
  • Only existing users can log in via a social provider.
  • Users must verify their email address before they can place an order.
  • Orders placed are stored in the user profile.
  • The user's order history is added to their ID token when they log in.

Tenant setup

Application, API, and rules

  1. Install Terraform
  2. Move terraform.tf.template to terraform.tf
  3. Add your domain, client ID and secret for use with the management API to the Auth0 provider configuration.

Universal login

  1. Go to Branding -> Universal Login and click the Login tab.
  2. Enable 'Customize Login Page'.
  3. Add the following lines above where Lock is instantiated:
const allowSignUp = !config.extraParams.prevent_sign_up;
const initialScreen = allowSignUp ? 'signUp' : 'login';
const allowedConnections = allowSignUp ? ['Username-Password-Authentication'] : ['Username-Password-Authentication', 'google-oauth2'];
  1. Update options to use the following:
allowedConnections: allowedConnections,
allowSignUp: allowSignUp,
initialScreen: initialScreen,

Account linking

You will need to manually set up the account linking extension in the dashboard. If you have followed the Universal login steps above you can skip the Update the login page step here.

To prevent users from signing up via Google you will need to edit the rule generated by the extension.

Change:

if (targetUsers.length > 0) {
  context.redirect = {
    url: buildRedirectUrl(createToken(config.token), context.request.query)
  };
}

to:

if (targetUsers.length > 0) {
  context.redirect = {
    url: buildRedirectUrl(createToken(config.token), context.request.query)
  };
} else if(context.connection === 'google-oauth2') {
  callback(new UnauthorizedError('Social login is only available for existing users'));
}

To ensure the user can return later if they abandon the linking process, change:

function firstLogin() {
  return context.stats.loginsCount <= 1;
}

to:

function firstLogin() {
  return true;
}

There is also an edge case where you can attempt to sign in via Google (which still creates a profile in Auth0) and then sign up as a standard user and link it to the Google account, making Google the primary identity.

You can prevent this by only allowing account linking when signing in via Google. Add the following at the start of the generated rule function:

if(context.connection !== 'google-oauth2') {
  return callback(null, user, context);  
}

Backend setup and AWS deployment

You can find all the necessary files in deploy/aws/backend.

Prerequisites

  • You will need an IAM user with full access.
  • You will need the AWS SAM CLI installed.

Custom domain configuration

You will need to add a public certificate for your custom domain in AWS and set the ARN accordingly in template.yml.

Template and authorizer configuration

  1. Move template.yml.template to template.yml.
  2. Replace the placeholders in the parameter defaults as follows:
  • AUTH0_DOMAIN - your Auth0 domain (e.g., your-tenant.eu.auth0.com)
  • DOMAIN_CERTIFICATE_ARN - refer to Custom domain configuration
  • CLIENT_ID - client ID of the non-interactive application created by Terraform
  • CLIENT_SECRET - client secret of the non-interactive application created by Terraform
  1. Move .env.template to .env and fill in the values as follows:
  • JWKS_IDENTIFIER - your Auth0 tenant's JWKS endpoint (e.g., https://your-tenant.eu.auth0.com/.well-known/jwks.json)
  • AUDIENCE - the identifier of the API created by Terraform (should be https://pizza.auth.yoga/api)
  • TOKEN_ISSUER - your Auth0 issuer (e.g., https://your-tenant.eu.auth0.com/)

Deployment

To deploy your API for the first time run sam deploy --guided.

Should you choose to save the configuration you can subsequently run sam deploy without the --guided option.

Frontend setup and AWS deployment

You can find all the necessary files in src and deploy/aws/frontend.

Configuration

Move auth.config.json.template to auth_config.json and set the values as follows:

  • domain - your Auth0 domain (e.g., your-tenant.eu.auth0.com)
  • clientId - the client ID of Pizza 42 created by Terraform
  • audience - the identifier of the API created by Terraform (should be https://pizza.auth.yoga/api)

Also set your API base URL in src/api/axios.js.

Deployment

Prerequisites

You will need a non-interactive IAM user with AmazonS3FullAccess policy attached. You will need to have added a certificate for your custom domain in AWS.

Create S3 bucket and policy

Create an S3 bucket and restrict public access. The bucket name should be the same as your custom domain name.

Please refer to Configuring a static website using a custom domain registered with Route 53 for further details. Despite the title you do not need to use Route 53.

Create CloudFront distribution

For HTTPS you will need to create a CloudFront distribution to serve requests for your S3 bucket.

Create a CloudFront distribution with the following settings:

  • Set Viewer Protocol Policy to Redirect HTTP to HTTPS.
  • Add your custom domain to Alternative Domains (CNAMES).
  • Choose Custom SSL Certificate and create and verify a certificate in AWS Certificate Manager if necessary.
  • Set Restrict Bucket Access to Yes.
  • Set Origin Access Identity to Create a New Identity.
  • Set Grant Read Permissions on Bucket to Yes, Update Bucket Policy.

Once you have created the distribution, go to Error Pages and add a custom error response with the following:

  • Set HTTP Error Code to 403
  • Set Response Page Path to /index.html
  • Set HTTP Response Code to 200

This will allow you to visit application routes directly.

Add CNAME record for custom domain

Set a CNAME record for your domain that points to your CloudFront distribution domain. This will be in the format xxxxx.cloudfront.net.

Build and deploy website

Set BUCKET_NAME environment variable and run deploy.sh. This script will create a build before syncing to S3.

Credits

Application based on /~https://github.com/auth0-samples/auth0-react-samples/tree/master/Sample-01 Authorizer based on /~https://github.com/auth0-samples/jwt-rsa-aws-custom-authorizer

License

This project is licensed under the MIT license. See the LICENSE file for more info.

About

Proof-of-concept application I developed as a take home project.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published