
Authentication and authorization don't belong in the front-end. They belong on the backend with the server, the one true source as to whether a user is authenticated and whether a user has authorization to do what they are trying to do.

So as long as you write your REST endpoints correctly, your front-end will fall into line.



I agree that most of the authentication belongs on the backend, but there's still the question of how best to handle/recognize authenticated users and authorized requests on the frontend. Should I be using JSON web tokens, or cookies? What's the best way to protect routes for users with varying degrees of access? If anything, I'd like to see pros and cons of each strategy, assuming a backend implementation is already in place.


> your front-end will fall into line.

How, exactly? Basic auth? Cookies? Tokens? OAuth?

There are lots of ways to do this, and I agree with your parent that if there is a best practice, it isn't obvious or well-known.

Edit: Ignore this - posted at the same time as arms!


This is what we've been doing at my workplace. We're a Google partner, so all auth is done through Google.



