`;
// Auto-hide success and info messages after 5 seconds
if (type === 'success' || type === 'info') {
setTimeout(() => {
statusDiv.innerHTML = '';
}, 5000);
}
}
showRPCResult(title, data) {
const resultsDiv = document.getElementById('rpc-results');
const resultHtml = `
${title}
${JSON.stringify(data, null, 2)}
`;
resultsDiv.innerHTML = resultHtml;
this.showStatus('ā RPC call completed successfully', 'success');
}
}
// Initialize the application
const app = new CapnWebAuth0Client();
app.init().catch(error => {
// Initialize app when DOM is loaded
document.addEventListener('DOMContentLoaded', initializeApp);
Step 7: Test and Run the Application
7.1: Start the development server:
npm run start
7.2: Open http://localhost:3000 in your browser
7.3: Test the complete authentication flow:
- Click "Login" to authenticate with Auth0
- View your profile information (email will be displayed from Auth0)
- Update your bio and save
- Refresh the page - you should remain logged in (thanks to refresh tokens)
- Test logout functionality
- Test RPC calls (Get Profile, Update Profile, Get Public Data)
- Verify WebSocket connection status
- Test logout functionality
SECURITY REQUIREMENTS & BEST PRACTICES
- ā NEVER accept unauthenticated RPC calls for protected methods
- ā ALWAYS validate JWT signatures using JWKS from Auth0
- ā Implement comprehensive error handling for expired/invalid tokens
- ā Use environment variables for all sensitive configuration
- ā Validate all user inputs before processing
- ā Log security events and authentication attempts
- ā Use secure WebSocket connections (WSS) in production
- ā Implement proper CORS policies
- ā Add request rate limiting for production use
- ā Sanitize all data before storage or transmission
TROUBLESHOOTING TIPS
- Check browser console for JavaScript errors
- Verify .env file contains correct Auth0 configuration
- Ensure Auth0 application settings match your local URLs
- Confirm API scopes are properly configured in Auth0 dashboard
- Test WebSocket connectivity separately if RPC calls fail
- Validate JWT tokens using jwt.io for debugging
```
## Get Started
This quickstart demonstrates how to add Auth0 authentication to a Cap'n Web application. You'll build a modern RPC-based web application with secure login functionality using Cap'n Web's JavaScript framework and the Auth0 SPA SDK.
Create a new Cap'n Web project and set up the basic structure:
```shellscript theme={null}
mkdir capnweb-auth0-app && cd capnweb-auth0-app
```
Initialize the project and configure it for ES modules:
```shellscript theme={null}
npm init -y && npm pkg set type="module"
```
Create the project folder structure:
```shellscript theme={null}
mkdir -p client server && touch server/index.js client/index.html client/app.js .env.example .env
```
Install Cap'n Web and core dependencies:
```shellscript theme={null}
npm install capnweb ws dotenv
```
Install the Auth0 SDKs for authentication and token verification:
```shellscript theme={null}
npm install @auth0/auth0-spa-js @auth0/auth0-api-js
```
**@auth0/auth0-spa-js** is used on the client side to handle user authentication, login flows, and token management in the browser.
**@auth0/auth0-api-js** is used on the server side to verify access tokens and validate JWT signatures using Auth0's JWKS.
Set up the start script in package.json:
```shellscript theme={null}
npm pkg set scripts.start="node server/index.js"
```
Next up, you need to create a new app on your Auth0 tenant and add the environment variables to your project.
You can choose to do this automatically by running a CLI command or do it manually via the Dashboard:
Run the following shell command on your project's root directory to create an Auth0 app and generate a `.env` file:
```shellscript Mac theme={null}
AUTH0_APP_NAME="My Cap'n Web App" && AUTH0_API_NAME="Cap'n Web API" && AUTH0_API_IDENTIFIER="https://capnweb-api.$(date +%s).com" && brew tap auth0/auth0-cli && brew install auth0 && auth0 login --no-input && auth0 apis create --name "${AUTH0_API_NAME}" --identifier "${AUTH0_API_IDENTIFIER}" --scopes "read:profile,write:profile" --json > auth0-api-details.json && auth0 apps create -n "${AUTH0_APP_NAME}" -t spa -c http://localhost:3000 -l http://localhost:3000 -o http://localhost:3000 --json > auth0-app-details.json && CLIENT_ID=$(jq -r '.client_id' auth0-app-details.json) && DOMAIN=$(auth0 tenants list --json | jq -r '.[] | select(.active == true) | .name') && echo "AUTH0_DOMAIN=${DOMAIN}" > .env && echo "AUTH0_CLIENT_ID=${CLIENT_ID}" >> .env && echo "AUTH0_AUDIENCE=${AUTH0_API_IDENTIFIER}" >> .env && echo "PORT=3000" >> .env && echo "NODE_ENV=development" >> .env && rm auth0-app-details.json auth0-api-details.json && echo ".env file created with your Auth0 details:" && cat .env
```
```shellscript Windows theme={null}
$AppName = "My Cap'n Web App"; $ApiName = "Cap'n Web API"; $ApiIdentifier = "https://capnweb-api.$((Get-Date).Ticks).com"; winget install Auth0.CLI; auth0 login --no-input; auth0 apis create --name "$ApiName" --identifier "$ApiIdentifier" --scopes "read:profile,write:profile" --json | Set-Content -Path auth0-api-details.json; auth0 apps create -n "$AppName" -t spa -c http://localhost:3000 -l http://localhost:3000 -o http://localhost:3000 --json | Set-Content -Path auth0-app-details.json; $ClientId = (Get-Content -Raw auth0-app-details.json | ConvertFrom-Json).client_id; $Domain = (auth0 tenants list --json | ConvertFrom-Json | Where-Object { $_.active -eq $true }).name; Set-Content -Path .env -Value "AUTH0_DOMAIN=$Domain"; Add-Content -Path .env -Value "AUTH0_CLIENT_ID=$ClientId"; Add-Content -Path .env -Value "AUTH0_AUDIENCE=$ApiIdentifier"; Add-Content -Path .env -Value "PORT=3000"; Add-Content -Path .env -Value "NODE_ENV=development"; Remove-Item auth0-app-details.json, auth0-api-details.json; Write-Output ".env file created with your Auth0 details:"; Get-Content .env
```
Before you start, create a `.env` file on your project's root directory
```shellscript .env theme={null}
AUTH0_DOMAIN=YOUR_AUTH0_APP_DOMAIN
AUTH0_CLIENT_ID=YOUR_AUTH0_APP_CLIENT_ID
AUTH0_AUDIENCE=https://capnweb-api.yourproject.com
PORT=3000
NODE_ENV=development
```
1. Head to the [Auth0 Dashboard](https://manage.auth0.com/dashboard/)
2. Click on **Applications** > **Applications** > **Create Application**
3. In the popup, enter a name for your app, select `Single Page Web Application` as the app type and click **Create**
4. Switch to the **Settings** tab on the Application Details page
5. Replace `YOUR_AUTH0_APP_DOMAIN` and `YOUR_AUTH0_APP_CLIENT_ID` on the `.env` file with the **Domain** and **Client ID** values from the dashboard
Finally, on the **Settings** tab of your Application Details page, configure the following URLs:
**Allowed Callback URLs:**
```
http://localhost:3000
```
**Allowed Logout URLs:**
```
http://localhost:3000
```
**Allowed Web Origins:**
```
http://localhost:3000
```
**Allowed Callback URLs** are a critical security measure to ensure users are safely returned to your application after authentication. Without a matching URL, the login process will fail, and users will be blocked by an Auth0 error page instead of accessing your app.
**Allowed Logout URLs** are essential for providing a seamless user experience upon signing out. Without a matching URL, users will not be redirected back to your application after logout and will instead be left on a generic Auth0 page.
**Allowed Web Origins** is critical for silent authentication. Without it, users will be logged out when they refresh the page or return to your app later.
**Required: Create an Auth0 API**
You must create an Auth0 API for token validation to work:
1. In the Auth0 Dashboard, go to **APIs** > **Create API**
2. Set these values:
* **Name**: `Cap'n Web API`
* **Identifier**: `https://capnweb-api.yourproject.com` (use your own unique identifier)
* **Signing Algorithm**: `RS256` (default)
3. Click **Create**
4. In the **Scopes** tab, add these scopes:
* `read:profile` - Read user profile data
* `write:profile` - Update user profile data
5. Update your `.env` file with the API identifier as `AUTH0_AUDIENCE`
Without creating an Auth0 API, you'll get an "access\_denied" error during login. The API identifier must match your `AUTH0_AUDIENCE` environment variable exactly.
Create the Cap'n Web server with Auth0 integration:
```javascript server/index.js expandable lines theme={null}
import { RpcTarget, newWebSocketRpcSession } from 'capnweb';
import { WebSocketServer } from 'ws';
import { ApiClient } from '@auth0/auth0-api-js';
import http from 'http';
import { readFileSync } from 'fs';
import { dirname, join } from 'path';
import { fileURLToPath } from 'url';
import dotenv from 'dotenv';
dotenv.config();
const __dirname = dirname(fileURLToPath(import.meta.url));
const userProfiles = new Map();
// Auth0 configuration
const AUTH0_DOMAIN = process.env.AUTH0_DOMAIN;
const AUTH0_CLIENT_ID = process.env.AUTH0_CLIENT_ID;
const AUTH0_AUDIENCE = process.env.AUTH0_AUDIENCE;
const PORT = process.env.PORT || 3000;
if (!AUTH0_DOMAIN || !AUTH0_CLIENT_ID || !AUTH0_AUDIENCE) {
console.error('ā Missing required Auth0 environment variables');
if (!AUTH0_DOMAIN) console.error(' - AUTH0_DOMAIN is required');
if (!AUTH0_CLIENT_ID) console.error(' - AUTH0_CLIENT_ID is required');
if (!AUTH0_AUDIENCE) console.error(' - AUTH0_AUDIENCE is required');
process.exit(1);
}
// Initialize Auth0 API client for token verification
const auth0ApiClient = new ApiClient({
domain: AUTH0_DOMAIN,
audience: AUTH0_AUDIENCE
});
async function verifyToken(token) {
try {
const payload = await auth0ApiClient.verifyAccessToken({
accessToken: token
});
return payload;
} catch (error) {
throw new Error(`Token verification failed: ${error.message}`);
}
}
// Profile Service - Cap'n Web RPC Target
class ProfileService extends RpcTarget {
async getProfile(accessToken) {
const decoded = await verifyToken(accessToken);
const userId = decoded.sub;
const profile = userProfiles.get(userId) || { bio: '' };
return {
id: userId,
email: decoded.email || 'Unknown User',
bio: profile.bio
};
}
async updateProfile(accessToken, bio) {
const decoded = await verifyToken(accessToken);
const userId = decoded.sub;
userProfiles.set(userId, { bio });
return { success: true, message: 'Profile updated successfully' };
}
}
// Create HTTP server
const server = http.createServer(async (req, res) => {
res.setHeader('Access-Control-Allow-Origin', '*');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
if (req.method === 'OPTIONS') {
res.writeHead(200);
res.end();
return;
}
if (req.url === '/api/config') {
const config = {
auth0: {
domain: AUTH0_DOMAIN,
clientId: AUTH0_CLIENT_ID,
audience: AUTH0_AUDIENCE
}
};
res.setHeader('Content-Type', 'application/json');
res.writeHead(200);
res.end(JSON.stringify(config));
return;
}
// Handle root path and Auth0 callback
if (req.url === '/' || req.url === '/index.html' || req.url.startsWith('/?code=') || req.url.startsWith('/?error=')) {
const html = readFileSync(join(__dirname, '../client/index.html'), 'utf8');
res.setHeader('Content-Type', 'text/html');
res.writeHead(200);
res.end(html);
return;
}
if (req.url === '/app.js') {
const js = readFileSync(join(__dirname, '../client/app.js'), 'utf8');
res.setHeader('Content-Type', 'application/javascript');
res.writeHead(200);
res.end(js);
return;
}
// Serve Auth0 SPA JS SDK from node_modules
if (req.url === '/@auth0/auth0-spa-js') {
const modulePath = join(__dirname, '../node_modules/@auth0/auth0-spa-js/dist/auth0-spa-js.production.esm.js');
const js = readFileSync(modulePath, 'utf8');
res.setHeader('Content-Type', 'application/javascript');
res.writeHead(200);
res.end(js);
return;
}
// Serve capnweb from node_modules
if (req.url === '/capnweb') {
const modulePath = join(__dirname, '../node_modules/capnweb/dist/index.js');
const js = readFileSync(modulePath, 'utf8');
res.setHeader('Content-Type', 'application/javascript');
res.writeHead(200);
res.end(js);
return;
}
res.writeHead(404);
res.end('Not found');
});
// WebSocket server for Cap'n Web RPC
const wss = new WebSocketServer({ server });
wss.on('connection', (ws, req) => {
// Only handle RPC connections on /api path
if (req.url === '/api') {
console.log('š New Cap\'n Web RPC connection');
// Create a new ProfileService instance for this connection
const profileService = new ProfileService();
// Use capnweb's newWebSocketRpcSession to handle the connection
newWebSocketRpcSession(ws, profileService);
}
});
// Start server
server.listen(PORT, () => {
console.log(`š Cap'n Web Auth0 Server Started`);
console.log(`š Server running on http://localhost:${PORT}`);
console.log(`š Auth0 Domain: ${AUTH0_DOMAIN}`);
console.log(`š Client ID: ${AUTH0_CLIENT_ID.substring(0, 8)}...`);
console.log(`šÆ API Audience: ${AUTH0_AUDIENCE}`);
});
```
Create the frontend HTML and JavaScript files:
```html client/index.html expandable lines theme={null}
Cap'n Web + Auth0 Demo
Cap'n Web + Auth0 Profile Demo
Initializing...
š Welcome!
This demo shows Auth0 authentication with Cap'n Web RPC for real-time profile management.
š¤ Profile Management
Email:Loading...
```
```javascript client/app.js expandable lines theme={null}
import { createAuth0Client } from '@auth0/auth0-spa-js';
import { newWebSocketRpcSession } from 'capnweb';
// Auth0 Configuration
let auth0Client = null;
let profileApi = null;
// Auth0 Configuration - Loaded dynamically from server
let AUTH0_CONFIG = null;
// Load Auth0 config from server
async function loadConfig() {
const response = await fetch('/api/config');
const config = await response.json();
AUTH0_CONFIG = {
domain: config.auth0.domain,
clientId: config.auth0.clientId,
authorizationParams: {
redirect_uri: window.location.origin,
audience: config.auth0.audience,
scope: 'openid profile email'
},
useRefreshTokens: true,
cacheLocation: 'localstorage'
};
return AUTH0_CONFIG;
}
// Initialize the application
async function initializeApp() {
try {
showStatus('Loading configuration...', 'info');
const config = await loadConfig();
showStatus('Initializing Auth0 client...', 'info');
auth0Client = await createAuth0Client(config);
const query = window.location.search;
if (query.includes('code=') && query.includes('state=')) {
showStatus('Processing login...', 'info');
await auth0Client.handleRedirectCallback();
window.history.replaceState({}, document.title, window.location.pathname);
}
const isAuthenticated = await auth0Client.isAuthenticated();
if (isAuthenticated) {
showStatus('Connecting to Cap\'n Web RPC...', 'info');
const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
profileApi = newWebSocketRpcSession(`${protocol}//${window.location.host}/api`);
await showProfileSection();
} else {
showAuthSection();
}
setupEventListeners();
} catch (error) {
console.error('Initialization error:', error);
showStatus(`Failed to initialize: ${error.message}`, 'error');
}
}
// Authentication functions
async function login() {
try {
showStatus('Redirecting to Auth0...', 'info');
await auth0Client.loginWithRedirect();
} catch (error) {
showStatus(`Login failed: ${error.message}`, 'error');
}
}
async function logout() {
try {
if (profileApi) {
profileApi[Symbol.dispose]();
}
await auth0Client.logout({
logoutParams: { returnTo: window.location.origin }
});
} catch (error) {
showStatus(`Logout failed: ${error.message}`, 'error');
}
}
async function getAccessToken() {
try {
return await auth0Client.getTokenSilently({
authorizationParams: {
audience: AUTH0_CONFIG.authorizationParams.audience
}
});
} catch (error) {
if (error.error === 'consent_required' || error.error === 'interaction_required') {
await auth0Client.loginWithRedirect({
authorizationParams: {
audience: AUTH0_CONFIG.authorizationParams.audience,
scope: 'openid profile email',
prompt: 'consent'
}
});
}
throw error;
}
}
// Profile management functions
async function fetchProfile() {
try {
showStatus('Fetching profile...', 'info');
const token = await getAccessToken();
const user = await auth0Client.getUser();
const profile = await profileApi.getProfile(token);
document.getElementById('userEmail').textContent = user.email || profile.email || 'No email available';
document.getElementById('bioTextarea').value = profile.bio || '';
showStatus('Profile loaded successfully!', 'success');
} catch (error) {
showStatus(`Failed to fetch profile: ${error.message}`, 'error');
}
}
async function saveProfile() {
try {
showStatus('Saving profile...', 'info');
const token = await getAccessToken();
const bio = document.getElementById('bioTextarea').value;
const result = await profileApi.updateProfile(token, bio);
showStatus(result.message || 'Profile saved successfully!', 'success');
} catch (error) {
showStatus(`Failed to save profile: ${error.message}`, 'error');
}
}
// UI helper functions
function showAuthSection() {
document.getElementById('authSection').style.display = 'block';
document.getElementById('profileSection').style.display = 'none';
showStatus('Ready to login', 'info');
}
async function showProfileSection() {
document.getElementById('authSection').style.display = 'none';
document.getElementById('profileSection').style.display = 'block';
await fetchProfile();
}
function showStatus(message, type) {
const statusEl = document.getElementById('status');
statusEl.textContent = message;
statusEl.className = `status ${type}`;
}
// Event listeners
function setupEventListeners() {
document.getElementById('loginBtn').addEventListener('click', login);
document.getElementById('logoutBtn').addEventListener('click', logout);
document.getElementById('fetchBtn').addEventListener('click', fetchProfile);
document.getElementById('saveBtn').addEventListener('click', saveProfile);
}
// Initialize app when DOM is loaded
document.addEventListener('DOMContentLoaded', initializeApp);
```
```shellscript theme={null}
npm run start
```
**Checkpoint**
You should now have a fully functional Auth0 login page running on your [localhost](http://localhost:3000/)
***
## Advanced Usage
Enhance security by adding additional validation and rate limiting to your RPC methods:
```javascript server/profile-service.js theme={null}
import rateLimit from 'express-rate-limit';
class ProfileService extends RpcTarget {
constructor() {
super();
this.rateLimiter = new Map(); // Simple in-memory rate limiting
}
async validateAndRateLimit(userId) {
const now = Date.now();
const userLimit = this.rateLimiter.get(userId) || { count: 0, resetTime: now + 60000 };
if (now > userLimit.resetTime) {
userLimit.count = 0;
userLimit.resetTime = now + 60000;
}
if (userLimit.count >= 10) {
throw new Error('Rate limit exceeded. Try again later.');
}
userLimit.count++;
this.rateLimiter.set(userId, userLimit);
}
async getProfile(accessToken) {
const decoded = await verifyToken(accessToken);
await this.validateAndRateLimit(decoded.sub);
const userId = decoded.sub;
const profile = userProfiles.get(userId) || { bio: '' };
return {
id: userId,
email: decoded.email || 'Unknown User',
bio: profile.bio,
lastUpdated: profile.lastUpdated || null
};
}
}
```
Implement proper WebSocket connection handling with automatic reconnection:
```javascript client/connection-manager.js theme={null}
import { newWebSocketRpcSession } from 'capnweb';
class RpcConnectionManager {
constructor(wsUrl, options = {}) {
this.wsUrl = wsUrl;
this.api = null;
this.reconnectAttempts = 0;
this.maxReconnectAttempts = options.maxReconnectAttempts || 5;
this.reconnectDelay = options.reconnectDelay || 1000;
this.isConnecting = false;
this.onReconnect = options.onReconnect || (() => {});
}
async connect() {
if (this.isConnecting) return this.api;
this.isConnecting = true;
try {
// Dispose existing connection if any
if (this.api) {
this.api[Symbol.dispose]();
}
// Create new WebSocket RPC session
this.api = newWebSocketRpcSession(this.wsUrl);
this.reconnectAttempts = 0;
this.isConnecting = false;
console.log('ā RPC connection established');
this.onReconnect(this.api);
return this.api;
} catch (error) {
this.isConnecting = false;
if (this.reconnectAttempts < this.maxReconnectAttempts) {
this.reconnectAttempts++;
console.log(`š Reconnection attempt ${this.reconnectAttempts}/${this.maxReconnectAttempts}`);
await new Promise(resolve =>
setTimeout(resolve, this.reconnectDelay * this.reconnectAttempts)
);
return this.connect();
} else {
throw new Error('Max reconnection attempts reached');
}
}
}
disconnect() {
if (this.api) {
this.api[Symbol.dispose]();
this.api = null;
}
this.reconnectAttempts = 0;
}
getApi() {
return this.api;
}
}
// Usage in app.js
const connectionManager = new RpcConnectionManager(
`${protocol}//${host}/api`,
{
maxReconnectAttempts: 5,
reconnectDelay: 1000,
onReconnect: async (api) => {
// Refresh UI or reload data after reconnection
await displayProfile(api);
}
}
);
// Connect when authenticated
if (isAuthenticated) {
await connectionManager.connect();
profileApi = connectionManager.getApi();
}
```
Replace in-memory storage with a database for production use:
```javascript server/database.js theme={null}
import { Pool } from 'pg';
const pool = new Pool({
connectionString: process.env.DATABASE_URL || 'postgresql://localhost/capnweb_auth0'
});
// Initialize database schema
async function initializeDatabase() {
await pool.query(`
CREATE TABLE IF NOT EXISTS user_profiles (
user_id VARCHAR(255) PRIMARY KEY,
bio TEXT,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
updated_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
)
`);
}
class DatabaseProfileService extends RpcTarget {
async getProfile(accessToken) {
const decoded = await verifyToken(accessToken);
const result = await pool.query(
'SELECT bio, updated_at FROM user_profiles WHERE user_id = $1',
[decoded.sub]
);
return {
id: decoded.sub,
email: decoded.email,
bio: result.rows[0]?.bio || '',
lastUpdated: result.rows[0]?.updated_at || null
};
}
async updateProfile(accessToken, bio) {
const decoded = await verifyToken(accessToken);
await pool.query(`
INSERT INTO user_profiles (user_id, bio, updated_at)
VALUES ($1, $2, CURRENT_TIMESTAMP)
ON CONFLICT (user_id)
DO UPDATE SET bio = $2, updated_at = CURRENT_TIMESTAMP
`, [decoded.sub, bio]);
return { success: true, message: 'Profile updated successfully' };
}
}
export { initializeDatabase, DatabaseProfileService };
```
