What is the recommended way to do Kinde auth with a SPA app (Vue) and a REST API (Fastify)
I've set up a Kinde account (called "seenthis.kinde.com") and the environments and the apps in the admin UI all make sense to me. I've added the @kinde-oss/kinde-auth-pkce-js package to the frontend app along with a "Sign in" button and I'm able to invoke getToken on the kinde client and pass that down to the API in the Authorization: Bearer ${token} header. I am also able to invoke getUser to get user details for the logged-in user. So far so good.

The part where I get confused is in the backend REST API. I've installed the @kinde/jwt-validator package and I can validate the JWT token passed down from the client. I can also parse the token and extract the user ID. However, what else does the backend need to do in order to be secure? Is that all that is required? I've navigated so many different documentation pages and I've been trying to reverse engineer what the kinde express package does, and I've tried the Node client and the TypeScript client, but I'm not sure out of all this what I should be using. My goal is just to keep the code as simple as at all possible whilst of course still being secure... Any help appreciated. Thanks!
Thanks for the long and quick reply! Just to clarify, I'm using Node.js in the backend and not Python (it's easy to confuse Fastify with FastAPI :)). So if I'm reading you correctly, I should be able to use the code in jwtVerify in my backend and be all set then? I'm assuming that covers point 1 above ("Verify the JWT signature:"). As far as token storage is concerned, that is something your package handles (in cookies?), so I'm assuming that is secure? To be honest, I'm somewhat surprised that I need to copy-paste code from the kinde Express package when I'm not even using the Express framework. That also doesn't seem ideal from an update/upgrade perspective (since I will be hand-rolling the code rather than using your library)? Shouldn't this be covered by the Kinde Node/TypeScript packages?
Hi @Peter Marklund, apologies that this question seems to be unanswered. Do you have what you need, or can we provide additional assistance?