The downside would be similar to what is described in other forum posts that talk about accessing Fauna directly from the frontend:
- Do I need a backend API between FaunaDB and my app? What are the use cases of an API? - #6 by databrecht
- How to implement a refresh (httpOnly cookies)/access (in memory) token flow with a partial backend for auth?
However, how your tokens are stored could be hidden in your Auth0 library in this case. So it essentially boils down to figuring out how Auth0 stores authentication information in the browser and determining whether you are OK with that. I can’t say for sure how that happens, but as far as I know it’s technically impossible to use httpOnly cookies. There are some questions on the Auth0 forum about that though:
- Isn't storing a JWT in a non-httponly cookie just as insecure as local storage? - Auth0 Community
- Securing access tokens in SPA + API - Auth0 Community
I think they store something short-lived in memory and then use silent authentication to refresh it based on a (non-httpOnly) cookie, but I’m not certain exactly how that happens.
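The post above says the question comes down to finding out what the auth library actually leaves in the browser and whether that is acceptable. The following is an added example (not code from the forum post, Fauna or Auth0) of how to check that yourself: it takes a snapshot of `document.cookie`, `localStorage` and `sessionStorage`, looks for JWT-shaped values (including ones nested inside JSON blobs, which is how SPA SDKs commonly cache tokens) and decodes their expiry without verifying the signature. Anything this function can see, an injected script can see too; httpOnly cookies never appear in `document.cookie`, which is exactly why they do not show up in such a scan. The function names, the `SAMPLE_SNAPSHOT` and the demo token are all constructed for the example; it assumes a runtime with `atob`/`btoa` (any browser, or Node 16+).

```javascript
// Added example: audit what page-level JavaScript can see of your auth state.
// Everything reported here is reachable by XSS. httpOnly cookies are absent
// from document.cookie by design and therefore cannot be listed.

const JWT_RE = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$/;

function base64UrlEncode(s) {
  return btoa(s).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return atob(padded);
}

// Decodes header and payload only. The signature is NOT checked: this is for
// inspection, never for an authorization decision.
function decodeJwtUnverified(token) {
  const [h, p] = token.split('.');
  return { header: JSON.parse(base64UrlDecode(h)), payload: JSON.parse(base64UrlDecode(p)) };
}

// document.cookie has the form "a=b; c=d". Only non-httpOnly cookies are present.
function parseCookieString(cookieStr) {
  const out = {};
  for (const part of cookieStr.split(';')) {
    const i = part.indexOf('=');
    if (i < 0) continue;
    out[part.slice(0, i).trim()] = decodeURIComponent(part.slice(i + 1).trim());
  }
  return out;
}

// Walks a parsed JSON value and collects every string in it, so tokens cached
// inside an object (e.g. { body: { access_token: "..." } }) are found as well.
function collectStrings(value, out) {
  if (typeof value === 'string') out.push(value);
  else if (value && typeof value === 'object') Object.values(value).forEach((v) => collectStrings(v, out));
}

// snapshot: { cookie: string, localStorage: {k: v}, sessionStorage: {k: v} }.
// In a browser: { cookie: document.cookie,
//                 localStorage: Object.fromEntries(Object.entries(localStorage)),
//                 sessionStorage: Object.fromEntries(Object.entries(sessionStorage)) }
function findExposedTokens({ cookie = '', localStorage = {}, sessionStorage = {} }, now = Date.now()) {
  const findings = [];
  const scan = (where, entries) => {
    for (const [key, value] of Object.entries(entries)) {
      const candidates = [value];
      try { collectStrings(JSON.parse(value), candidates); } catch {} // not JSON: fine
      for (const c of candidates) {
        if (typeof c !== 'string' || !JWT_RE.test(c)) continue;
        let exp = null;
        try { exp = decodeJwtUnverified(c).payload.exp ?? null; } catch {} // opaque or malformed
        findings.push({ where, key, exp, expired: exp !== null && exp * 1000 < now });
      }
    }
  };
  scan('cookie', parseCookieString(cookie));
  scan('localStorage', localStorage);
  scan('sessionStorage', sessionStorage);
  return findings;
}

// Constructed demo token: real header/payload encoding, placeholder signature.
const DEMO_JWT =
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' +
  base64UrlEncode(JSON.stringify({ sub: 'demo-user', exp: 1700000000 })) + '.sig';

// Constructed browser snapshot standing in for document.cookie / storage.
const SAMPLE_SNAPSHOT = {
  cookie: 'theme=dark; csrf=abc123; legacy_token=' + DEMO_JWT,
  localStorage: { 'spa-cache': JSON.stringify({ body: { access_token: DEMO_JWT } }) },
  sessionStorage: {},
};

console.log(JSON.stringify(findExposedTokens(SAMPLE_SNAPSHOT), null, 2));
```

If the scan comes back empty while you are logged in, the library is keeping the token in memory (or behind an httpOnly cookie you cannot see), which is the situation the post describes as preferable; a hit in `localStorage` or a plain cookie tells you a token survives in a place any injected script can read.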