Skip to main content

Authentication

Ditto does not come with an identity provider. Using "Online With Authentication" requires that you have your own identity provider already set up. Each app can use multiple identity providers.

The "Online With Authentication" identity type is geared towards apps that will be deployed in real world settings. "Online With Authentication" identity types are:

  • for apps that need to integrate with existing permissions
  • for apps that need to integrate with existing authentication systems

How it works

caution

Devices using Online with Authentication need to connect to the Internet and authenticate at least once before synchronizing with other peers. This is required so devices can get a valid certificate before going offline.

To use the "Online With Authentication" system, your client application is expected to authenticate with your identity system and retrieve some sort of token prior to syncing with Ditto. Often times this token is some sort of identity token, access token, commonly in the format of a JWT (JSON Web Token).

Once your client application successfully has retrieved this token, it should pass it to the Ditto authenticator which will pass it to an authentication webhook. As the developer, you are responsible for writing code and deploying the this webhook to an accessible URL. The authentication webhook will validate and decode the token from the client side and return identity and access control information back to your Ditto instance.

The full flow is detailed in the diagram below:

sequenceDiagram Client App->>Your Authentication Mechanism: Send Credentials Your Authentication Mechanism->>Client App: Return JWT Client App->>Ditto Big Peer: JWT Ditto Big Peer->>Auth Webhook: JWT Auth Webhook->>Ditto Big Peer: Formatted Ditto Auth Response Ditto Big Peer->>Client App: Ditto Credentials rect rgba(0, 0, 255, .1) Client App->Ditto Big Peer: Ditto Sync end

API

Creating your client

Create the ditto client with the onlineWithAuthentication identity. This identity requires an authentication handler authHandler.

warning

You must refresh the auth token when it expires. You can do that by implementing authenticationExpiringSoon. If you do not implement this, then sync will stop when the token expires.

import { init, Ditto } from "@dittolive/ditto"(async () => {  await init() // you need to call this at least once before using any of the Ditto API
  const authHandler = {    authenticationRequired: async function(authenticator) {      console.log("Login request.");    },    authenticationExpiringSoon: function(authenticator, secondsRemaining) {      console.log(`Auth token expiring in ${secondsRemaining} seconds`)    }  }
  const identity = {    type: 'onlineWithAuthentication',    appID: 'REPLACE_ME_WITH_YOUR_APP_ID',    authHandler  }
  const ditto = new Ditto(identity, '/persistence/file/path')  ditto.startSync()})()

Login

Login takes two parameters: the first is token. The token can be any string value. Most auth services use a JWT (JSON Web Token), but you can send any token you want from the client. For example, during testing you may want to create a secret code for development use. This string will be sent in a POST request to the HTTP route.

Sample Authentication Webhook Endpoint in the Portal

let accessToken = await ThirdPartyAuth.getToken()await ditto.auth.loginWithToken(accessToken, 'my-auth')

Logout

Logout will stop sync, shut down all replication sessions, and remove any cached authentication credentials. Note that this does not remove any data from the store. If you wish to delete data from the store then use the optional cleanupFn parameter to perform any required cleanup.

The cleanupFn is an optional function that will be called with the relevant Ditto instance as the sole argument that allows you to perform any required cleanup of the store as part of the logout process.

async function cleanupFn (ditto) {  await ditto.store.collection('cars').findAll().evict()}await ditto.auth.logout(cleanupFn)

Tutorial

  • This section will require knowledge of writing server side HTTP endpoints and handlers. The server side sample code is written in JavaScript (NodeJS with an Express-like API), however you can use any framework or language of your choosing.

  • We will use Auth0 in this tutorial. But you can use any third-party identity provider. Each app can use multiple identity providers. Identity providers can be:

  • In this tutorial, you'll build a simple application so users can log in with a a third-party provider using Auth0. We assume that you have already completed the Auth0 tutorial on their documentation before starting this tutorial.

  • For the full application code in JavaScript and Swift, see the code samples on GitHub.

Server

The authentication webhook needs to handle an HTTP POST request. Each client that will need to authenticate will send a payload to this webhook. The following section requires that you have knowledge of writing server side HTTP endpoints and responding with a JSON payload. Code samples of server side code are written with a NodeJS / Express syntax. You can use any language or framework on the server side.

Incoming POST body

When your client device wants to authenticate using your webhook, your server will receive an HTTP post with a JSON payload that looks like:

{  "appID": "YOUR_APP_ID_HERE", // the appID  "provider": "my-auth", // this is the "Name" of the "Authentication Webhook"  "token": "eyJhbGciOiJI..." // this is what each device will send to authenticate}

Your can introspect these values by parsing out the request body:

let express = require('express')let cors = require('cors')let body = require('body-parser')let app = express()
app.use(cors())app.use(body.json())
let app = express()
app.post('/', (req, res) => {  const appID = req.body.appID  const provider = req.body.provider  const token = req.body.token})

Generally, you will want to check the token for some sort of validity. Let's assume you have some sort of library or logic to parse and validate the token is for a specific user.

You can also use the userInfo key in your JSON response to pass information back to client.

app.post('/', async (req, res) => {  const token = req.body.token;  try {    // The token that your server receives from ditto is always a string    let parsedToken = JSON.parse(token)    let payload = getDittoPermissions(parsedToken)    res.json(payload)  } catch (err) {    res.json({      "authenticate": err,      "userInfo": err.message    })   }})

As a simple example, let's grant full read & write permissions to all collections and all documents.

app.post('/', async (req, res) => {  const token = req.body.token;  try {    let payload = {      "authenticate": true,      "expirationSeconds": 28800,      "userID": "123abc",      "permissions": {        "read": {          "everything": true,          "queriesByCollection": {}        },        "write": {          "everything": true,          "queriesByCollection": {}        }      }    }    res.json(payload)  } catch (err) {    res.json({      "authenticate": err,      "userInfo": err.message    })   }})

For more information on how to design your app's permissions, see Access Control Permissions.

Deploy your server

Now, the portal will attempt to reach this server. That means you must deploy it somewhere that this HTTP request is accessible. For testing, you can use a quick-deploy service such as Glitch.

info

Please be sure that this endpoint is not behind a firewall or VPN. If you cannot get around this requirement contact us.

app.listen(process.env.PORT, () => {  console.log('server listening on ', process.env.PORT)})

Configure your Portal App

To use an "Online With Authentication" identity, go to your app in the portal and find the Authentication Mode & Webhook Settings section. Ensure that "With Authentication" is selected like so:

Online With Authentication setting in Portal

Below, a section called Authentication Webhooks will be editable. Once your Authentication Webhook Endpoint(s) is deployed and ready, you can register it in the portal. Add a Name and URL.

  • The Name is used the differentiate between multiple authentication. Most applications will have one authentication webhook, however the Name parameter is still required. This name value is important for the next section.
  • The URL parameter is the fully qualified URL of the webhook that you deployed in the section above. Please include the protocol (https:// or http:// though we highly discourage http://).

Client

To configure your client application, you must first add URL of the POST endpoint you created in the previous section.

Sample Authentication Webhook Endpoint in the Portal

info

The provider name given to the Ditto Client must match a provider name in the Portal (e.g., my-auth).

This tutorial assumes you've already configured your auth0 client from the official Auth0 documentation.

Login

Assuming you have a login button in the HTML:

<button onClick={login}>Login</button>

We attach a login function to the button.

import createAuth0Client from '@auth0/auth0-spa-js';// OR for Reactimport { useAuth0 } from '@auth0/auth0-react';
// configure your auth0 client...
async function login () {  await auth0.loginWithRedirect({    redirect_uri: window.location.origin  });  startDitto()}

We can then create a startDitto function that gets the access token and starts a new Ditto instance, and passes the token to your server route you created in the previous section.

import createAuth0Client from '@auth0/auth0-spa-js';// OR for Reactimport { useAuth0 } from '@auth0/auth0-react';import { init, Ditto } from "@dittolive/ditto"
// configure your auth0 client...
let ditto
(async () => {  await init() // you need to call this at least once before using any of the Ditto API
  function startDitto () {    let token = await auth0.getAccessTokenSilently();
    const authHandler = {      authenticationRequired: async function(authenticator) {        await authenticator.loginWithToken(token, "my-auth");        console.log("Login request completed.");      },      authenticationExpiringSoon: function(authenticator, secondsRemaining) {        console.log(`Auth token expiring in ${secondsRemaining} seconds`)        await authenticator.loginWithToken(token, "my-auth");        console.log("Login request completed.");      }    }
    const identity = {      type: 'onlineWithAuthentication',      appID: 'REPLACE_ME_WITH_YOUR_APP_ID',      authHandler    }
    ditto = new Ditto(identity, '/persistence/file/path')    ditto.startSync()  }
  async function login () {    await auth0.loginWithRedirect({      redirect_uri: window.location.origin    });    startDitto()  }})()

To demonstrate that this Ditto client has been authenticated, let's display the number of cars in the collection, and a button to add one item to it:

<div>  <h1>Cars: {numberOfCars}</h1>  <button onClick={addItem}>+1</button></div>

Once we start the ditto instance, we can create a liveQuery and create a button that adds items to a collection:

let subscription = ditto.store.collection('cars').find("state == 'FOR_SALE'").subscribe()let liveQuery = ditto.store.collection('cars').find("name == 'Toyota'").observeLocal((cars) => {  numberOfCars = cars.length})
function addItem () {  ditto.store.collection('cars').upsert({    "name": 'Toyota',    "state": 'FOR_SALE'  })}

To make this usable for real-world applications, you can retreieve the user's profile details such as email, username, and full name. See the official Auth0 documentation for your platform to add that functionality to your application

Logout

First, we need some sort of way to monitor the state of the login flow. This allows us to display a Logout button when the user has already logged in.

let loggedIn = falseif (auth0.isAuthenticated()) {  loggedIn = true}
if (loggedIn) {  // render the logout button  <button onClick={onLogoutClick}>Logout</button>} else {  <button onClick={login}>Login</button>}

And then we can write the logout function and attach it to the button.

We also recommend calling ditto.auth.logout with a callback function that evicts any data from the local database.

function onLogoutClick() {  ditto.auth.logout(() => {    ditto.store.collection('cars').findAll().evict()  })  await auth0.logout({ returnTo: window.location.origin })}

🎉 You now have a fully functioning onlineWithAuthentication app. Build and run it on a device.

For the full application code in React and iOS, see the code samples on GitHub.