I’m working on an authentication workflow using SvelteKit and Auth0, and I’ve encountered a challenge.
Current Workflow:
Login Endpoint:
When a user is redirected to the login endpoint, I have a +server.ts file that generates the PKCE verifier and code challenge, so that I can send it to the authorization endpoint.
The endpoint then sends a query to the Auth0 authorization endpoint.
Callback Endpoint:
After the login process is complete, users are redirected to the callback endpoint, which also has a +server.ts file.
At this point, I make a call to the Auth0 token endpoint and need to pass the original PKCE verifier.
Initially, I stored the verifier token in an HTTP cookie, then deleted it after making the request to the token endpoint. However, I’ve read that storing this in plain text isn’t secure.
To address this, I encrypted the verifier before storing it.
I’m struggling to find a secure way to pass the encryption key and IV values to the callback endpoint so that I can decrypt the verifier token before sending it to the Auth0 token endpoint. I've looked at different things such as stores, but the Svelte documentation highly discourages the use of stores in server files.
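As an added example (not code from the question, from SvelteKit, or from any Auth0 SDK), the following TypeScript shows the pattern that avoids passing anything between the two endpoints: the key is a single server-side secret that both `+server.ts` files read from the same place (in SvelteKit that would be `$env/static/private`; here a constructed constant so the example runs offline), and the IV is generated fresh for every cookie and shipped inside the cookie next to the ciphertext and the AES-GCM authentication tag. Nothing in the cookie is secret except what the key protects, and the tag lets the callback detect a tampered or forged cookie. The env-var name `PKCE_COOKIE_KEY`, the cookie path `/auth/callback` and the cookie name are assumptions for illustration. The PKCE pair itself is built per RFC 7636 (S256), so `challengeMatches` is the same check the token endpoint performs.

```typescript
import { createHash, randomBytes, createCipheriv, createDecipheriv } from "node:crypto";

// base64url without padding, as RFC 7636 requires for verifier and challenge
function b64url(buf: Buffer): string {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromB64url(s: string): Buffer {
  return Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");
}

// PKCE pair: 32 random bytes -> 43-char verifier; challenge = BASE64URL(SHA256(verifier)), method S256
export function createPkcePair(): { verifier: string; challenge: string } {
  const verifier = b64url(randomBytes(32));
  const challenge = b64url(createHash("sha256").update(verifier, "ascii").digest());
  return { verifier, challenge };
}

// The check Auth0's token endpoint makes when it receives code_verifier (S256)
export function challengeMatches(verifier: string, challenge: string): boolean {
  return b64url(createHash("sha256").update(verifier, "ascii").digest()) === challenge;
}

// Hypothetical server-only key. In SvelteKit: import { PKCE_COOKIE_KEY } from "$env/static/private"
// and Buffer.from(PKCE_COOKIE_KEY, "hex"). Constructed value here so the example runs offline.
export const COOKIE_KEY: Buffer = Buffer.from(
  "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", "hex");

// Seal the verifier with AES-256-GCM. A random 12-byte IV is generated per cookie and stored
// in the cookie value itself ("iv.ciphertext.tag"), so the callback endpoint only needs the key.
export function sealVerifier(verifier: string, key: Buffer = COOKIE_KEY): string {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([cipher.update(verifier, "utf8"), cipher.final()]);
  return [b64url(iv), b64url(ct), b64url(cipher.getAuthTag())].join(".");
}

// Open the cookie value; returns null on malformed input, wrong key, or any tampering (GCM tag check).
export function openVerifier(sealed: string, key: Buffer = COOKIE_KEY): string | null {
  const parts = sealed.split(".");
  if (parts.length !== 3) return null;
  const [iv, ct, tag] = parts.map(fromB64url);
  if (iv.length !== 12 || tag.length !== 16) return null;
  try {
    const decipher = createDecipheriv("aes-256-gcm", key, iv);
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: cookie was modified or sealed with another key
  }
}

// Cookie attributes for the login response (SvelteKit: cookies.set("pkce", sealed, PKCE_COOKIE_OPTIONS)).
// Scoped to the callback path only, unreadable from JavaScript, and short-lived: the verifier
// is single-use, so it should not outlive one login attempt.
export const PKCE_COOKIE_OPTIONS = {
  path: "/auth/callback", httpOnly: true, secure: true, sameSite: "lax" as const, maxAge: 600,
};
```

In the login `+server.ts` you would call `createPkcePair()`, set the cookie to `sealVerifier(verifier)`, and redirect with `code_challenge=challenge&code_challenge_method=S256`; in the callback you would call `openVerifier(cookies.get("pkce"))`, delete the cookie, and reject the request when the result is null. Because the key is read from the server environment by both files, no store or cross-request state is needed, and because the IV is inside the cookie, there is no second value to carry across the redirect.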