Netlify identity and go functions

netlify site name: nervous-lewin-928377

This is my first time using Netlify Identity, so wanted to double check a few things. Been using the docs here as a reference https://docs.netlify.com/functions/build-with-go/#access-the-clientcontext. The docs made it look like you only need to check for a valid lambda context to auth the route, but I saw a valid context regardless of whether or not a valid token was submitted by the front end. So wanted to double check my approach.

When I log the request context I can see some information attached by netlify in the Custom field (abbreviated token below). It looks something like Custom:map[netlify:eyJpZGVudGl0eSI6....=]

{"file":"handlers.go:38","func":"ServeHTTP","level":"info","msg":"cc: {Client:{InstallationID: AppTitle: AppVersionCode: AppPackageName:} Env:map[] Custom:map[netlify:eyJpZGVudGl0eSI6....=]}","time":"2020-06-27T07:27:32Z"}

I’m able to parse this Custom field and then check for the presence of a user. Attaching full middleware below.

Everything seems to be working. Users with valid tokens are allowed to make requests and those with no token or an invalid token are not. But, just wanted to check if this all looks as expected as I was having trouble finding a complete example of auth for a netlify function on the go side.

Hi @okeydoke,

We won’t authenticate functions automatically. You can use the context to validate and then perform what you need to do in your function. Or if the token fails to validate, you can return a status code for 401, etc. Hope that makes sense.


Thanks @Dennis. Is the Bearer token the frontend provides just forwarded along to the backend via the context (with no intermediate steps)? I had read the docs / a few blog posts and was a little confused about what I needed to verify in the lambda in order to ensure that a logged in user was making the request. For example, from the blog post below:

When your serverless function endpoint receives these new headers, Netlify’s Functions service will automatically detect any bearer token and verify the signature. If it’s a valid token issued by the Identity instance linked to the site, Netlify will add the user’s claims in a context.clientContext.user object.

Yea, there are no intermediate steps. You provide the token and our system will do the checks. If it’s valid, you will find the claims in the context.clientContext.user object. So you could check for that object to confirm that the request is authorized. Hope that makes sense.

Thanks. But isn’t this an intermediate step between the frontend and the lambda?

You provide the token and our system will do the checks.

But I think that I follow.

Frontend submits a request with a token --> Netlify verifies the token and if it’s valid attaches the claim to context and forwards to the Netlify function (and if token is not valid the claim is not attached to context) --> Netlify function can use the info that gets attached to the context (like user) to allow or deny access.

Ah, right, it is. :smiley: I just meant that no intermediate step is needed to be taken by you. And your summary is correct.

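The check the thread converges on, as an added example rather than the original poster's middleware or Netlify's code: decode the base64 JSON that Netlify places under Custom["netlify"] in the Lambda client context and treat the request as authenticated only when a user object is present, since Netlify attaches it only after verifying the Bearer token. The decoded field names (identity, user), the function names and the sample payloads are assumptions constructed for the demo.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// identityContext is the assumed shape of the JSON Netlify base64-encodes into
// Custom["netlify"]; "user" is only present when the Bearer token was verified.
type identityContext struct {
	Identity map[string]interface{} `json:"identity"`
	User     map[string]interface{} `json:"user"`
}

// UserFromClientContext returns the verified user's claims from the Custom map
// (lambdacontext.FromContext(ctx).ClientContext.Custom in a real function).
// Any error means the request is unauthenticated and the handler should answer 401.
func UserFromClientContext(custom map[string]string) (map[string]interface{}, error) {
	raw, ok := custom["netlify"]
	if !ok || raw == "" {
		return nil, fmt.Errorf("no netlify entry in client context")
	}
	decoded, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, fmt.Errorf("decode netlify context: %w", err)
	}
	var cc identityContext
	if err := json.Unmarshal(decoded, &cc); err != nil {
		return nil, fmt.Errorf("parse netlify context: %w", err)
	}
	if len(cc.User) == 0 {
		return nil, fmt.Errorf("token was not verified: no user claims attached")
	}
	return cc.User, nil
}

// EncodeContext builds a Custom map from a constructed JSON payload (Netlify produces this in production).
func EncodeContext(payload string) map[string]string {
	return map[string]string{"netlify": base64.StdEncoding.EncodeToString([]byte(payload))}
}

func main() {
	// Constructed samples: only the first carries "user", so only it is authorized.
	verified := EncodeContext(`{"identity":{},"user":{"sub":"user-123","email":"me@example.com"}}`)
	anonymous := EncodeContext(`{"identity":{}}`)
	_, errV := UserFromClientContext(verified)
	_, errA := UserFromClientContext(anonymous)
	fmt.Println("verified:", errV == nil, "anonymous:", errA == nil) // verified: true anonymous: false
}
```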