Backend: Handling Response
When the user is authenticated, your front end receives a response similar to the one below. Your front end is responsible for sending this payload to your server.
{
  "email": "[email protected]", // User's email (or phone number)
  "oauth_token": {
    "access_token": "eyJhbGciOiJFUzI1NiIsImt...", // Access Token to validate
    "id_token": "eyJhbGciOiJFUzI1Ni...",
    "refresh_token": "27805:CNf76faa8trMhjXM...",
    "expires_in": 3600,
    "token_type": "Bearer",
    "auth_method": "OTP"
  },
  "user": {
    "ID": "abcdefgh-abcd-abcd-abcd-af6f81fb5432", // Cotter User ID
    "created_at": "2020-07-21T05:50:14.182738Z",
    "updated_at": "2020-07-21T06:00:47.115096Z",
    "deleted_at": "0001-01-01T00:00:00Z",
    "issuer": "<YOUR_API_KEY_ID>",
    "identifier": "[email protected]"
  }
}
Send this payload to your backend to register or log in the user in your database. A typical flow would look like this:
1. Validate the access token
2. Check if the email exists in your database
   - If it doesn't exist: create a new user
   - If it exists: continue login
3. (Optional) If you want to use your own session tokens, set the cookie here after validating the access token.
4. (Optional) If you want to use Cotter's tokens, either store Cotter's access token in the cookie or on the front-end side.
Examples:

Node.js (Express):

const express = require("express");
const app = express();
var cors = require("cors");
var bodyParser = require("body-parser");
var cotterNode = require("cotter-node");
var cotterToken = require("cotter-token-js");
var session = require("express-session");
const port = 3005;

app.use(cors());
app.use(bodyParser.json());

// EXAMPLE LOGIN ENDPOINT
app.post("/login", async (req, res) => {
  console.log(req.body);

  // Validate access token (reject the request outright if the payload carries no token)
  const access_token = req.body && req.body.oauth_token && req.body.oauth_token.access_token;
  if (!access_token) {
    res.status(400).end("Missing access token");
    return;
  }
  var valid = false;
  try {
    valid = await cotterNode.CotterValidateJWT(access_token);
  } catch (e) {
    valid = false;
  }
  if (!valid) {
    res.status(403).end("Invalid access token");
    return;
  }

  // (Optional) Read access token
  let decoded = new cotterToken.CotterAccessToken(access_token);
  console.log(decoded);

  // (Optional) Register or Login User

  // (Optional) Set access token as cookie

  // res.json() already ends the response
  res.status(200).json(decoded.payload);
});

app.listen(port, () =>
  console.log(`Example app listening at http://localhost:${port}`)
);
Python (Flask):

from flask import Flask
from flask import request
from flask_cors import CORS
import requests
from jose import jwt
from jose.exceptions import JWTError

CotterJWKSURL = "https://www.cotter.app/api/v0/token/jwks"
API_KEY_ID = "<YOUR_API_KEY_ID>"  # expected audience of the token: your Cotter API key ID

app = Flask(__name__)
CORS(app)

@app.route('/login', methods=['POST'])
def login():
    req = request.get_json()

    # Getting jwt keys
    r = requests.get(url=CotterJWKSURL)
    data = r.json()
    print(data)

    # Getting access token and validate it: pick the JWKS key whose "kid" matches the
    # token header instead of trusting keys[0] (falls back to the first key if neither has a kid)
    token = req["oauth_token"]["access_token"]
    kid = jwt.get_unverified_header(token).get("kid")
    public_key = next((k for k in data["keys"] if k.get("kid") == kid), None)
    if public_key is None:
        return "Invalid access token", 403
    try:
        resp = jwt.decode(token, public_key, algorithms=['ES256'], audience=API_KEY_ID)
    except JWTError:
        return "Invalid access token", 403

    # User Authenticated!
    # 1) If user doesn't exist, register user to db. Otherwise, continue
    # 2) Either use Cotter's Access Token for your entire API authorization
    #    OR
    #    You can generate your own JWT tokens or other session management here
    return resp
Read more on how to verify the OAuth Tokens from Cotter here: