Monday, 25 February 2019

Should I use Mongo for looking up permissions on every API call?

Hey everyone,

My Node app has a security model that involves different users having different permissions. The users identify themselves by using JWT. On every call to a protected endpoint, my app:

- Checks the authentication token (using express-jwt)
- Checks the permissions they have (by extracting a user ID from the authentication token), to make sure they're authorized to access the specific piece of data they request. (This is what I'm working on, it's not implemented yet).

Right now, the permissions are stored in Mongo. Is it efficient to call Mongo every time a user makes an API call? (The call would be made to a collection with a unique index).

The other option I have in mind is to use something like Redis to cache the permissions, and to propagate every change to the data in Mongo to Redis as well.

What do you think? Have any experience with something like this? The app currently runs on a 4GB machine with a Xeon CPU, but can be upgraded at will.

At what load do you expect Mongo will feel the pain? Thanks.

Submitted February 25, 2019 at 12:07PM by tehnologie
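
One way to structure the per-request check the post describes, as an added example that is not part of the original post: a read-through permission cache that is evicted on every permission change and denies access when the lookup fails. An in-process Map stands in for Redis and an async function over constructed data stands in for the Mongo lookup; all function and class names, and the use of `req.user.sub` for the user ID, are assumptions.

```javascript
// Added example; all names here are hypothetical. Constructed data stands in for the
// Mongo collection (unique index on userId); a Map with a TTL stands in for Redis.
const db = new Map([['u1', ['orders:read', 'orders:write']], ['u2', ['orders:read']]]);
let dbReads = 0;
async function loadFromDb(userId) {
  dbReads++;
  return db.get(userId) || null;
}

class PermissionCache {
  constructor(loader, ttlMs, now = Date.now) {
    this.loader = loader; this.ttlMs = ttlMs; this.now = now; this.entries = new Map();
  }
  async get(userId) {
    const hit = this.entries.get(userId);
    if (hit && hit.expires > this.now()) return hit.perms;
    const perms = await this.loader(userId); // miss: one indexed lookup
    if (perms === null) return new Set(); // unknown user gets nothing, and is not cached
    const entry = { perms: new Set(perms), expires: this.now() + this.ttlMs };
    this.entries.set(userId, entry);
    return entry.perms;
  }
  invalidate(userId) { this.entries.delete(userId); }
}

// All permission changes go through one function: write the store, then evict.
// The TTL only bounds staleness for writes that bypass this path.
async function setPermissions(cache, userId, perms) {
  db.set(userId, perms);
  cache.invalidate(userId);
}

// Express-style middleware. Assumes express-jwt already verified the token and put
// the payload on req.user, with the user ID in the `sub` claim (an assumption).
function requirePermission(cache, needed) {
  return async (req, res, next) => {
    try {
      const userId = req.user && req.user.sub;
      if (!userId) return res.status(401).end();
      const perms = await cache.get(userId);
      if (!perms.has(needed)) return res.status(403).end();
      next();
    } catch (err) {
      res.status(503).end(); // lookup failed: deny, never fall through to next()
    }
  };
}
```

With a Redis instance shared by several app processes, the eviction in `setPermissions` has to reach that shared cache rather than one process's memory.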
