Tags: node.js, reactjs, api, express, user-input

How to link logged users to their data, retrieve and update them in MySQL table


This is my web-app's "User Settings" page. I have simplified it to a minimum to better highlight the problem.

To authenticate users I use Auth0. I wanted to use the `sub` claim (`user_id`) to identify users inside my MySQL database in order to update and retrieve each user's info. Unfortunately the `user_id` is different for each provider: for example, if the same user with the same e-mail logs in via Auth0 he gets one `user_id`, and if he does it via Google he gets another one.

I thought about using the email to link the logged-in user to his info. The problem is in my API. Before the change it was `localhost:8080/api/users/:id`; each time it created a new id, and in any case it was impossible to recover the data of a single user. Now that I have replaced `id` with `email`, my API has also changed to `localhost:8080/api/users/:[email protected]`.

Before: [screenshot of the request URL, not recoverable]

After: [screenshot of the request URL, not recoverable]

In a few words, the request URL on the client side has also changed.

I would like to make sure that the GET and PUT requests are made based on the e-mail of the logged-in user, without having to modify the whole back-end.


Solution

  • Sounds like something is wrong with how you authenticate users. If you have multiple ways to authenticate a user, those methods need to be in a one-to-many relation with the user. For example, each user has a list of auth methods, and whenever an authentication is made you check your table of authentication methods and find the one user it maps to.

    I'm not sure if you are doing this yourself or if the framework you are using is handling that, but it sounds like you need to change the model to allow many auth methods for a single account.

    Also, you could use email, but that is also an "old" way of uniquely identifying users: almost every single person has multiple active email accounts nowadays, so you should also have a one-to-many relation for users to emails. What if the user has different email accounts for their Facebook and Google accounts?

    See account linking here: https://auth0.com/docs/users/user-account-linking

    It is dangerous to trust that the external providers are truthful about what email belongs to whom. What if I open a new account using someone else's email on one of the providers? Then I can log into that user's account in your application, which is a pretty big security risk.
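An added example (not code from the question or the answer) of the model the answer describes: a table of identities in a one-to-many relation with users, resolved from the verified token claims rather than from anything in the URL, and linking by email only when the provider marked that email as verified. It uses an in-memory stand-in for the MySQL tables so it runs offline; the table layout, the `provider|id` shape of Auth0's `sub` claim, and the assumption that a JWT-validating middleware has placed the claims on `req.auth.payload` are all assumptions of this example.

```javascript
// Added example, not the question's or answer's code. In-memory stand-in for an
// assumed MySQL schema:
//   users      (id INT PK, display_name VARCHAR)
//   identities (provider, provider_user_id, user_id, PK (provider, provider_user_id))
//   emails     (email PK, user_id)   -- only provider-verified emails are stored
class UserStore {
  constructor() {
    this.users = new Map();      // id -> { id, displayName }
    this.identities = new Map(); // "provider|providerUserId" -> userId
    this.emails = new Map();     // lower-cased verified email -> userId
    this.nextId = 1;
  }

  // Auth0 subs look like "auth0|abc" or "google-oauth2|123" (assumed format):
  // the part before the first "|" is the connection, the rest the provider's id.
  static splitSub(sub) {
    const i = sub.indexOf("|");
    if (i < 0) throw new Error(`unexpected sub format: ${sub}`);
    return { provider: sub.slice(0, i), providerUserId: sub.slice(i + 1) };
  }

  // Map verified token claims to one application user:
  //   1. an identity we have seen before -> its user
  //   2. a provider-verified email already owned by a user -> link this identity to it
  //   3. otherwise create a new user; an unverified email never links anything
  resolveUser(claims) {
    const { provider, providerUserId } = UserStore.splitSub(claims.sub);
    const key = `${provider}|${providerUserId}`;
    const known = this.identities.get(key);
    if (known !== undefined) return { userId: known, action: "matched-identity" };

    const verifiedEmail =
      claims.email && claims.email_verified === true ? claims.email.toLowerCase() : null;
    if (verifiedEmail !== null && this.emails.has(verifiedEmail)) {
      const owner = this.emails.get(verifiedEmail);
      this.identities.set(key, owner);
      return { userId: owner, action: "linked-by-verified-email" };
    }

    const id = this.nextId++;
    this.users.set(id, { id, displayName: claims.name || "" });
    this.identities.set(key, id);
    if (verifiedEmail !== null) this.emails.set(verifiedEmail, id);
    return { userId: id, action: "created" };
  }

  // Backing logic for GET /api/users/me: the user comes from the token, not the URL.
  getSettings(claims) {
    return this.users.get(this.resolveUser(claims).userId);
  }

  // Backing logic for PUT /api/users/me.
  updateSettings(claims, patch) {
    const user = this.users.get(this.resolveUser(claims).userId);
    if (typeof patch.displayName === "string") user.displayName = patch.displayName;
    return user;
  }
}

// Express handlers; assumes the JWT middleware exposes claims as req.auth.payload.
// Wiring (for reference):  app.get("/api/users/me", checkJwt, handlers.getMe)
function makeHandlers(store) {
  return {
    getMe: (req, res) => res.json(store.getSettings(req.auth.payload)),
    putMe: (req, res) => res.json(store.updateSettings(req.auth.payload, req.body || {})),
  };
}

// Constructed sample claims (no real accounts): one person via two providers,
// plus a login whose provider did not verify the email address.
const SAMPLE_AUTH0 = { sub: "auth0|5f1a", email: "alice@example.com", email_verified: true, name: "Alice" };
const SAMPLE_GOOGLE = { sub: "google-oauth2|9021", email: "alice@example.com", email_verified: true, name: "Alice" };
const SAMPLE_UNVERIFIED = { sub: "facebook|77", email: "alice@example.com", email_verified: false };

function demo() {
  const store = new UserStore();
  const a = store.resolveUser(SAMPLE_AUTH0);      // created, user 1
  const g = store.resolveUser(SAMPLE_GOOGLE);     // linked to user 1 by verified email
  const u = store.resolveUser(SAMPLE_UNVERIFIED); // new user 2, not linked
  const again = store.resolveUser(SAMPLE_GOOGLE); // matched identity, user 1
  return { a, g, u, again };
}
```

With this model the client keeps calling a fixed route (`/api/users/me`) and never sends an id or an email; the server decides which row the caller may read or update from the claims the middleware already verified. The unverified login ends up as a separate user instead of being attached to Alice's account, which is the risk the answer's last paragraph points at.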