Verify Access Token server side

Hi,

I’m building a headless e-commerce app that will integrate with MongoDB Realm which will be used for the primary user management.

I have all users log in via MongoDB Realm and automatically create the corresponding user in the e-commerce platform when they register on the site. So far so good.

When I want to fetch address data for the customer, however, I have to use an admin API for the e-commerce platform (don’t ask me why, but you can’t get that data using frontend available APIs). This is where the problem begins.

Since this is sensitive data I need to ensure the user is logged in before they’re able to access the data, and they should only be able to access their own data. My idea was to pass the access token, or something similar, to our custom API and verify the token, preferably even decode it to get the customer email (used to query the e-commerce system) from there and nothing else from the request.

I’ve built this functionality with Firebase in the past and they have a super simple functionality to verify a user ID token. I had hoped for something similar for Realm, but haven’t been able to find anything.

What’s the best way to achieve this in Realm?

Hey Max,

Unfortunately there currently isn’t a way to verify access tokens on the server-side.

Since this is sensitive data I need to ensure the user is logged in before they’re able to access the data, and they should only be able to access their own data.

Is there something preventing you from using an authentication trigger that will fetch the user’s address data from the eCommerce Admin API and store it in their custom user data? This will ensure that the user has logged-in/registered and only they can access their own custom data.

e.g.

  1. User Logs-In/Registers
  2. Authentication Trigger fires for that specific user
  3. Use User data to fetch address from E-Commerce API
  4. Populate User’s data with address so that only that user can access it.
1 Like

Hi Sumedha,

Thanks for the response.

There are 3 reasons why I don’t want to store their address in their custom data:

  1. It means I have to keep it in sync across all different methods that can change it.
  2. Redundant data stored across multiple systems.
  3. I need to verify the user is logged in for other reasons as well that don’t relate to reading or writing additional data that I even could store in Realm. For example, they should be able to interact with their orders in the e-commerce system.

Is there no other way you can think of? This is a hard requirement for my project and I’d be really bummed out to have to replace Realm this far into the project.

I just had an idea that might work: in a login trigger, create a token with the relevant user information and save to the user custom data. The token is encoded with a secret that’s shared with our API and thus can be decoded there. Then use the decoded token to get any data.

What I’m thinking with that, however, is that I want to renew that token as often as the access token is renewed, to ensure its security. Is there a trigger for when the access token is renewed?

I figured out a way to achieve what I was after from this page: https://docs.mongodb.com/realm/reference/authenticate-http-client-requests#std-label-authenticate-http-client-requests

  1. Use the refresh token to create a new access token (I tried using their current access token but I kept getting invalid session when calling the GraphQL endpoint in the third step)
  2. Pass the new access token and the email to the API.
  3. Call the GraphQL endpoint with a query to the user’s custom data.
  4. If the response is successful and I get data back it means the user was verified

Would still love a built-in way to achieve this, but it works well enough for my use case for now.

Hey Max - what you mentioned is a possible workaround. I was also going to suggest potentially moving some of your API logic to Realm Functions where you have confirmation that the user is authenticated and valid.

We have gotten multiple requests for an API method that validates an access token. I can’t give a definite date but we’re actively investigating and looking into releasing this. I can post here with any updates.

3 Likes