I am hosting the frontend of my application and doing auth using Netlify. I want to store some additional user information in my own database and make calls to an API I have built, and I need to verify the user is who they say they are. How do I do this? I can't find anything in the documentation on how to do this.
@jonathan-fielding, hmm, I don’t have implementation details but if you can pass the token to your backend, you can check for their metadata as mentioned here: https://docs.netlify.com/visitor-access/identity/manage-existing-users/#user-account-metadata. Let me know if that works for you.
So how do I verify that the JWT being sent hasn't been tampered with or generated by someone else? I don't have a way to provide a secret for identity to use in this way, as far as I know.
You can verify the signature of our JWTs in a Netlify function. In fact, if you pass an Identity JWT in as a bearer token in an Authorization header, we'll verify it for you automatically and inject the user data into the function's context. From there you can actually run some logic with that data or sign a new JWT and send it to your own backend. Another option is to use JWS with Netlify redirects so that you can confirm that the request comes from Netlify directly. You can read more about signed proxy redirects in https://www.netlify.com/blog/2017/10/17/introducing-structured-redirects-and-headers/#signed-proxy-redirects
@jonathan-fielding I was wondering the same thing. I looked through the GoTrue API and noticed that /.netlify/identity/user requires auth. My plan is to use this endpoint to verify tokens. This might be the same as what Netlify functions are doing.
Edit: Never mind, this is going to add unnecessary calls and slow things down. I’m going to look into using an RS256 auth provider.