cloudflare / cloudflare-docs

Cloudflare’s documentation
https://developers.cloudflare.com
Creative Commons Attribution 4.0 International

Restore Auth0 tutorial with fixed security issue(s) #6565

Open sepiariver opened 1 year ago

sepiariver commented 1 year ago

Which Cloudflare product(s) does this pertain to?

Workers

Subject Matter

Auth0 implementation tutorial

Content Location

content/workers/tutorials/authorize-users-with-auth0/*

Additional information

Removed in commit 52fa94d244ec8b9f2fa587dc02bb1dd7d94ed84a. Should be able to start from a revert of that commit.

PR coming up...

mrbm commented 1 year ago

Any updates on this....?

sepiariver commented 1 year ago

Update is...I got pulled away temporarily.

It's back at the top of the list :D Thanks for pinging me about it—it does help to know that someone else was using this tutorial

I'll aim to have it done by end of next weekend (Jan 22)

One consideration is that the scope of changes seems larger than I'd originally anticipated, because the Workers runtime and Wrangler have both moved on from the versions used in the original tutorial. To make it relevant for someone starting today, I intend to update it, as much as feasible.

Unless anyone has objections to that?

mrbm commented 1 year ago

Something that might help is what things should be updated to ensure that the security flaws are fixed (if that is possible).

Additionally, it would be helpful to know what would be a way to transition a project like this to a different solution that is more widely used. It would be a great learning tool; I don't see any Worker-specific tutorials talking about authorization.

sepiariver commented 1 year ago

Agreed. Definitely the security flaws

With respect to transitioning to a different project, you mean how to integrate Auth0 with... anything else? Or how to move your Worker to another platform?

If the former, the Auth0 developer docs are probably the best place for that. They have pretty good documentation—they've always been developer-friendly in my opinion.

If the latter, Workers are pretty specific to the Workers runtime, but you should be able to convert it to a NodeJS/Express app without too much headache. It goes without saying you'd lose all the Cloudflare features.

Or something else?

sgoodluck commented 1 year ago

Hello @sepiariver -- this is something we have been meaning to do in one of our projects (use auth0 in workers to authorize users)

  1. Are the security issues fixed?
  2. Is this documentation due to be completed anytime soon?

I'd be happy to take a crack at Auth0 + Cloudflare and may be able to contribute to the docs if I can be pointed in the right direction.

For context, we are deploying a Next.js 13 hybrid application to Cloudflare pages. Most of the pages are static but making use of the API routes.

mrbm commented 1 year ago

@sepiariver just checking this...not sure why I didn't get the earlier notification.

FYI I modified the demo code to work if the project is converted from a service worker to an es module (I wanted to experiment with D1, which requires the project be an es module project).

That said, auth is working via the demo method, but what would be required to fix the security issue for this demo?

sepiariver commented 1 year ago

Let me post a working auth0.js file

The delay has been wholesale rewriting the doc, but at least if I push up the code changes it should clarify what needs fixing :)

I'll do that tonight

mrbm commented 1 year ago

I look forward to seeing the diff changes! Thanks for making the world a "safer" place!

sepiariver commented 1 year ago

Didn't quite get to it last night. Working on it today :)

sepiariver commented 1 year ago

There's a file in my fork with an example Auth0 handler class. It's been tested in exactly 1 non-production environment. Other than testing, these are outstanding for this PR:

  1. Convert the tutorial to reference the methods in this example class, and embed the relevant bits of code into the tut
  2. Example usage / instructions on usage

I'm hoping to have the above done and a PR submitted this week. Sorry for the delay @deadlypants1973

deadlypants1973 commented 1 year ago

Thank you so much for this. My current update is that this is going through an internal security review, and it will be updated after that review has passed.

sepiariver commented 1 year ago

Amazing, thank you @deadlypants1973 Please feel free to reach out if anything needs adjusting. If required, I'm happy to discuss offline either via email (it's in my Github profile) or the Cloudflare community Discord server (I'm yj#0008)

mrbm commented 1 year ago

Hey @deadlypants1973 and @sepiariver just checking in to see the progress on this, thanks for making the world a safer place! :D

mrbm commented 1 year ago

Hey @deadlypants1973 just checking in on this

onattech commented 1 year ago

Is there any way to display this tutorial to properly read it? Is there like a preview deployment I can navigate to and read?

sepiariver commented 1 year ago

The fork from which the PR was made is public. You can look at the files changed here: https://github.com/cloudflare/cloudflare-docs/pull/7812/files

😄

Hopefully we'll hear back soon about any issues that need to be resolved, then I can do some merge conflict resolution and resubmit for merging. 🤞

onattech commented 1 year ago

Thank you for the quick reply. I actually need it now. I would like to have authentication implemented by tomorrow, so I will see if I can make sense of the changes through the PR or maybe build it locally with Hugo. I hope it gets merged soon. This is golden information.

mrbm commented 11 months ago

@sepiariver I have been playing with your demo, and I noticed I get an exception thrown if the user hasn't logged in overnight. Debugging it a bit, the error goes back to the file auth0.js, in the verifySession function, and inside this function it tries to validateToken via: userInfo = await this.validateToken(kvStored.id_token)

This catches as an error and then moves to the catch portion and throws the error, leading to a Cloudflare Worker error page.

Would it be better if it redirected to the logout page instead of throwing an error?
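As an added example that is not part of the tutorial or the fork's auth0.js: one way to handle the expired-session case described in the comment above. It assumes a hypothetical validateToken stand-in that rejects a malformed or expired id_token and an in-memory stand-in for the KV namespace; a failed validation clears the stored session and returns a redirect to the logout route instead of letting the exception become a Worker error page, while unexpected errors are still rethrown.

```javascript
// Added example, not the tutorial's own auth0.js: an expired or invalid
// stored id_token clears the session and redirects instead of becoming a
// Worker 500 page. validateToken and the store are hypothetical stand-ins.

class SessionInvalidError extends Error {}

// Stand-in for the tutorial's validateToken: here the token is a constructed
// JSON payload and only its `exp` claim (seconds) is checked. A real one
// verifies the signature against Auth0's JWKS before trusting any claim.
async function validateToken(idToken, now = Date.now()) {
  let payload;
  try {
    payload = JSON.parse(idToken);
  } catch {
    throw new SessionInvalidError('malformed id_token');
  }
  if (typeof payload.exp !== 'number' || payload.exp * 1000 <= now) {
    throw new SessionInvalidError('id_token expired');
  }
  return { sub: payload.sub };
}

function redirectToLogout(logoutPath) {
  const response = new Response(null, { status: 302, headers: { Location: logoutPath } });
  return { ok: false, response };
}

// Fail closed: a missing, malformed or expired session is deleted from the
// store and answered with a redirect to the logout route. Any other error is
// rethrown so unexpected failures stay visible instead of being redirected.
async function verifySession(store, sessionId, { logoutPath = '/logout', now = Date.now() } = {}) {
  const kvStored = await store.get(sessionId);
  if (!kvStored) return redirectToLogout(logoutPath);
  try {
    const userInfo = await validateToken(kvStored.id_token, now);
    return { ok: true, userInfo };
  } catch (err) {
    if (!(err instanceof SessionInvalidError)) throw err;
    await store.delete(sessionId);
    return redirectToLogout(logoutPath);
  }
}

// Minimal in-memory stand-in for the KV namespace holding sessions.
function makeStore(entries) {
  const data = new Map(Object.entries(entries));
  return {
    get: async (key) => data.get(key) ?? null,
    delete: async (key) => { data.delete(key); },
  };
}
```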

deadlypants1973 commented 9 months ago

@sepiariver Sorry for the lack of update. I spoke with the original author of this tutorial as we were going through your edits, and we are thinking to rewrite this in 2024 with simpler and less wordy instructions. I am still tracking this issue for the new tutorial's upcoming PR.