I'm currently doing a hobby project for a friend which involves a custom CMS and a front-end server to serve the data. I've posted on here before, but after two weeks of struggling I've not advanced too much.

On the back end I've an Express server running an API for the blog, users and other schemas. On the front end I've an Express server that serves the pages using the templating engine Handlebars.

Currently I've managed to authenticate users to the API using Passport and JWT. On login I'm storing a JWT with permissions in the cookie storage within the browser (no localStorage access, as it's not a SPA).

My issue is that I am struggling with how to implement authorization on the client end for access to the admin panel. Should I decode the JWT on the client end and read the user role, then serve the admin pages if the user is an admin, or should I be sending every request to access the admin section of the front end to the API for a verification check, then serve the page on the front end if the check passes?

I realise this would have been much easier if I had just combined the front end and back end into one app, but I was looking at trying to separate them, as I've read it's a better practice.

Any help would be greatly appreciated, thank you.
Submitted May 10, 2017 at 08:46PM by wires55