If your website uses Auth0 for user authentication, and you have subscribed to an Enterprise Plan (https:\/\/auth0.com\/pricing), you can store your user data in your own database, rather that Auth0’s internal database. The connection between Auth0 and your database is done through a set of Node.js scripts that you supply. Auth0 provides template scripts for many databases, but not AWS DynamoDb.<\/p>\n
What if you want to store your users on DynamoDb, and log log-in\/log-out etc. events in a daily CloudWatch log stream? Here is how you do it ….<\/p>\n
Auth0’s custom database connection requires 6 scripts to be defined: Login, Create, Verify, Change Password, Get User and Delete. Here is a script for Login. Once you get the picture, you can copy and adapt this script for the 5 others. Note that I have assumed a certain structure in my Dynamodb user table. If your structure (fields and global indicies) are different, you will need to do some minor adjustment accordingly.<\/p>\n
\r\nfunction login(email, password, callback) {\r\n\r\nvar AWS = require('aws-sdk');\r\nvar crypto = require('crypto');\r\n\r\nvar region = configuration.region;\r\nvar accessKeyId = configuration.accessKeyId;\r\nvar secretAccessKey = configuration.secretAccessKey;\r\nvar groupName = configuration.groupName;\r\nvar userTableName = configuration.userTableName;\r\nvar salt = configuration.salt;\r\nvar streamNamePrefix = configuration.streamNamePrefix;\r\n\r\nvar logEvents = [];\r\n\r\n\r\nvar cloudwatchlogs = new AWS.CloudWatchLogs({\r\n apiVersion: '2014-03-28',\r\n region: region,\r\n accessKeyId: accessKeyId,\r\n secretAccessKey: secretAccessKey\r\n});\r\n\r\nvar dynamodb = new AWS.DynamoDB({\r\n apiVersion: '2012-08-10',\r\n region: region,\r\n accessKeyId: accessKeyId,\r\n secretAccessKey: secretAccessKey\r\n});\r\n\r\n\r\n\r\nfunction zeroPad(num, places) {\r\n var zero = places - num.toString().length + 1;\r\n return Array(+(zero > 0 && zero)).join("0") + num;\r\n}\r\n\r\nfunction todayAsString() {\r\n var mydate = new Date();\r\n return zeroPad(1900 + mydate.getYear(), 4) +\r\n '-' + zeroPad(mydate.getMonth(), 2) +\r\n '-' + zeroPad(mydate.getDate(), 2);\r\n}\r\n\r\nvar streamName = streamNamePrefix + '\/' + todayAsString();\r\n\r\nfunction makeLogGroup(cb) {\r\n cloudwatchlogs.createLogGroup({\r\n logGroupName: groupName\r\n },\r\n cb\r\n );\r\n}\r\n\r\nfunction makeLogStream(cb) {\r\n cloudwatchlogs.createLogStream({\r\n logGroupName: groupName,\r\n logStreamName: streamName\r\n },\r\n cb);\r\n}\r\n\r\nfunction createLogGroupIfNotExists(cb) {\r\n var tryCount = 0;\r\n var maxTries = 3;\r\n\r\n function tryOnce() {\r\n cloudwatchlogs.describeLogStreams({\r\n logGroupName: groupName,\r\n logStreamNamePrefix: streamName\r\n },\r\n function(err, data) {\r\n if (err) {\r\n if ((err.code === 'ResourceNotFoundException') && (tryCount++ < = maxTries)) {\r\n makeLogGroup(function(gerr, gdata) {\r\n if (gerr) {\r\n cb(gerr);\r\n } else {\r\n tryOnce();\r\n }\r\n });\r\n } else {\r\n cb(err);\r\n }\r\n } else {\r\n cb(null, data);\r\n }\r\n });\r\n }\r\n\r\n tryOnce();\r\n}\r\n\r\nfunction createLogStreamIfNotExists(cb) {\r\n var tryCount = 0;\r\n var maxTries = 3;\r\n\r\n function tryOnce() {\r\n createLogGroupIfNotExists(function(err, data) {\r\n if (err) {\r\n cb(err);\r\n } else {\r\n if (data.logStreams.length === 0) {\r\n makeLogStream(function(lerr, ldata) {\r\n if ((lerr) && (tryCount++ <= maxTries)) {\r\n cb(lerr);\r\n } else {\r\n tryOnce();\r\n }\r\n });\r\n } else {\r\n cb(null, data.logStreams[0]);\r\n }\r\n }\r\n });\r\n }\r\n\r\n tryOnce();\r\n}\r\n\r\nfunction createLogEvent(rec) {\r\n return {\r\n message: typeof rec === 'string' ?\r\n rec : JSON.stringify(rec),\r\n timestamp: typeof rec === 'object' && rec.time ?\r\n new Date(rec.time).getTime() : Date.now()\r\n };\r\n}\r\n\r\nfunction cloudLog(event) {\r\n logEvents.push(createLogEvent(event));\r\n}\r\n\r\nfunction emit(cb) {\r\n function doCallBack(err, data) {\r\n if (typeof cb === 'function') {\r\n cb(err, data);\r\n }\r\n }\r\n\r\n if (logEvents.length) {\r\n createLogStreamIfNotExists(function(err, streamMetaData) {\r\n var nextToken = streamMetaData ? streamMetaData.uploadSequenceToken : null;\r\n if (err) {\r\n if (typeof cb === 'function') {\r\n cb(err);\r\n }\r\n } else {\r\n var params = {\r\n logEvents: logEvents,\r\n logGroupName: groupName,\r\n logStreamName: streamName\r\n };\r\n logEvents = [];\r\n if (nextToken) {\r\n params.sequenceToken = nextToken;\r\n }\r\n cloudwatchlogs.putLogEvents(params, function(err, data) {\r\n doCallBack(err, data);\r\n });\r\n }\r\n });\r\n } else {\r\n doCallBack();\r\n }\r\n}\r\n\r\nfunction getUserByEmail(email, cb) {\r\n dynamodb.query({\r\n TableName: userTableName,\r\n IndexName: 'email-index',\r\n ExpressionAttributeNames: {\r\n "#u": "user-id"\r\n },\r\n ExpressionAttributeValues: {\r\n ":v1": {\r\n S: email\r\n }\r\n },\r\n KeyConditionExpression: 'email = :v1',\r\n ProjectionExpression: '#u,email,nick,phash'\r\n },\r\n cb);\r\n}\r\n\r\nfunction hashString(datum) {\r\n var hash = crypto.createHash('sha256');\r\n hash.update(datum);\r\n return hash.digest('base64');\r\n}\r\n\r\nfunction hashPassword(user_id,given_password) {\r\n return hashString(user_id + '|' + salt + '|' + given_password);\r\n}\r\n\r\nfunction pass(user_id, given_password, phash) {\r\n return hashPassword(user_id,given_password) === phash;\r\n}\r\n\r\nfunction testCredentials(email, password, cb) {\r\n getUserByEmail(email, function(err, data) {\r\n var user = null;\r\n if ((!err) && (data.Items.length >= 0)) {\r\n user = {\r\n user_id: data.Items[0]['user-id'].S,\r\n nickname: data.Items[0].nick.S,\r\n email: data.Items[0].email.S,\r\n phash: data.Items[0].phash.S\r\n };\r\n }\r\n if (user && ((user.email !== email) || (!pass(user.user_id, password, user.phash)))) user = null;\r\n cb(err, user);\r\n });\r\n}\r\n\r\n cloudLog({method:'login',control:'ENTER'});\r\n testCredentials(email, password, function(err, user) {\r\n if (err) {\r\n cloudLog(err);\r\n\r\n } else if (user) {\r\n cloudLog({\r\n method: 'login',\r\n pass: 'true',\r\n email: email,\r\n user_id: user.user_id\r\n });\r\n\r\n } else {\r\n cloudLog({\r\n method: 'login',\r\n pass: 'false',\r\n email: email\r\n });\r\n }\r\n cloudLog({method:'login',control:'EXIT'});\r\n emit(function(emit_err, datum) {\r\n callback(err);\r\n });\r\n });\r\n}\r\n<\/pre>\nSettings<\/h1>\n
In the settings, you will need to define the following configuration items:<\/p>\n
You will need to assign at least the following policies (after substitution of place-markers) to the user, who’s credentials were passed in the Auth0 custom database connection settings above.<\/p>\n
\r\n{\r\n "Version": "2012-10-17",\r\n "Statement": [\r\n {\r\n "Effect": "Allow",\r\n "Action": "logs:CreateLogGroup",\r\n "Resource": "arn:aws:logs:<#region>:<#account>:*"\r\n },\r\n {\r\n "Effect": "Allow",\r\n "Action": [\r\n "logs:DescribeLogStreams",\r\n "logs:CreateLogStream",\r\n "logs:PutLogEvents"\r\n ],\r\n "Resource": [\r\n "arn:aws:logs:<#region>:<#account>:log-group:<#group>:*"\r\n ]\r\n },\r\n {\r\n "Effect": "Allow",\r\n "Action": [\r\n "dynamodb:DeleteItem",\r\n "dynamodb:GetItem",\r\n "dynamodb:PutItem",\r\n "dynamodb:Scan",\r\n "dynamodb:UpdateItem"\r\n ],\r\n "Resource": "arn:aws:dynamodb:<#region>:<#account>:table\/<#table>"\r\n },\r\n {\r\n "Effect": "Allow",\r\n "Action": [\r\n "dynamodb:Query"\r\n ],\r\n "Resource": "arn:aws:dynamodb:<#region>:<#account>:table\/<#table>\/index\/<#index>"\r\n }\r\n ]\r\n}\r\n<\/pre>\n… where the following place-markers are substituted for your particular values:<\/p>\n
I have assumed that the user table has schema that follows this pattern of item:<\/p>\n
\r\n{\r\n "email": "sean@seanbdurkin.id.au",\r\n "email_verified": true,\r\n "nick": "Sean",\r\n "phash": "<#redacted>",\r\n "user-id": "sean"\r\n}\r\n<\/pre>\nwhere the primary key is user-id. You will also need a global index to look-up users based on email. Probably you should also add fields for username and user_metadata.<\/p>\n
A note about logging<\/h2>\n
The CloudWatch log name will be ‘< #streamNamePrefix>\/< #Date>‘ where < #streamNamePrefix> is as given by the settings, and < #Date> is today’s date. There is an assumption that there will be no other log streams which begin with ‘< #streamNamePrefix>\/< #Date>‘, but are not ‘< #streamNamePrefix>\/< #Date>‘. So when we search for streams prefixed with ‘< #streamNamePrefix>\/< #Date>‘, we only get zero streams, or exactly one stream, which is the stream we want. If this assumption is not going to hold in your architecture, adjust the code accordingly.<\/p>\n
What about the other 5 scripts?<\/h2>\n
You can develop them yourself. Once you see how the login script is made, it’s just a case of cut and paste, with some obvious modification.<\/p>\n
After-thoughts<\/h2>\n
The custom database connection is only available on the expensive Enterprise plan, or on a 30 day trial. If it was on the free plan, I would use Auth0 for my amateur and Start-Up projects. It is not good keeping your user table in a foreign database, because you can’t join it with other tables.<\/p>\n","protected":false},"excerpt":{"rendered":"
If your website uses Auth0 for user authentication, and you have subscribed to an Enterprise Plan (https:\/\/auth0.com\/pricing), you can store your user data in your own database, rather that Auth0’s internal database. The connection between Auth0 and your database is … Continue reading