Is Using Basic Navigation for Public Pages with API Calls for User Data a Good Approach?

Asked By CuriousCoder42 On

I'm working on a web app and want to get some feedback on my current architectural choice. For public pages that don't require any user-specific data, like sections for exploring and browsing, I use standard navigation links. However, for features that involve user-specific information, such as saved favorites, I rely on API calls that automatically send JWT cookies for authentication.

The idea is that if I access a public page through a link, the backend doesn't need to recognize my identity. But when I want to retrieve my favorites, the request goes through an authenticated API endpoint, utilizing the JWT to fetch the correct user data.

My question is whether this approach makes sense for the long haul. Is this the most effective use of JWTs, or am I overlooking a simpler or more efficient design? I'd love to hear your thoughts!

3 Answers

Answered By ClearAsMud1 On

Could you clarify your question a bit? It sounds like you’re trying to authenticate every link that requires user data. Just loading an authenticated user's info from an API with JWTs is standard practice. Are you asking about using anchor tags for navigation instead?

TechieTalks -

It seems like the issue is about verifying permissions on each link. A middleware approach could handle that effectively!

Answered By DevNinja88 On

Consider using httpOnly cookies for storing your JWT. This allows the token to be sent along with normal navigation links, which can help with caching public pages. Still, you'll want to segregate public data from user-specific info, so using API calls makes sense for that dynamic part. Alternatively, regular sessions could simplify the process, depending on your application's needs.

Answered By CodeWizard99 On

You might want to rethink how your backend handles user-specific data. It should recognize if a user is logged in or not, so potentially, user-specific data could be included in the responses. If the endpoint knows who's requesting the data, you could manage access better.
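
The split discussed in this thread, as an added example that is not code from any of the posters: public pages never read the cookie and stay cacheable, while `/api/*` goes through a middleware-style check of a JWT held in an httpOnly cookie. The cookie name `session`, the `/api/` prefix, the HS256 secret, the `{ path, cookie }` request shape and the sample favorites are all assumptions made for the sketch.

```javascript
// Added example: public pages skip auth; /api/* requires a valid JWT cookie.
const crypto = require('node:crypto');

const SECRET = 'constructed-demo-secret';            // assumption: HS256 shared secret
const b64url = (buf) => Buffer.from(buf).toString('base64url');
const hmac = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Issue a token and the Set-Cookie value; HttpOnly keeps it away from page scripts.
function issueCookie(userId, ttlSeconds, now = Date.now()) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub: userId, exp: Math.floor(now / 1000) + ttlSeconds }));
  const token = `${header}.${payload}.${b64url(hmac(`${header}.${payload}`))}`;
  return `session=${token}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Returns the claims, or null for a missing, malformed, forged or expired token.
function verifyJwt(token, now = Date.now()) {
  const parts = (token || '').split('.');
  if (parts.length !== 3) return null;
  try {
    const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
    if (header.alg !== 'HS256') return null;          // pin the algorithm, never trust the header
    const expected = hmac(`${parts[0]}.${parts[1]}`);
    const given = Buffer.from(parts[2], 'base64url');
    if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
    const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
    return typeof claims.exp === 'number' && claims.exp * 1000 > now ? claims : null;
  } catch { return null; }
}

const FAVORITES = { 'user-1': ['post-7', 'post-9'] }; // constructed sample data

// Middleware-style dispatcher: req is { path, cookie } (hypothetical shape).
function handle(req, now = Date.now()) {
  if (!req.path.startsWith('/api/')) {
    // Public page: the cookie is never read, so one cached copy serves everyone.
    return { status: 200, cacheControl: 'public, max-age=300', body: 'explore page' };
  }
  const match = /(?:^|;\s*)session=([^;]+)/.exec(req.cookie || '');
  const claims = verifyJwt(match && match[1], now);
  if (!claims) return { status: 401, cacheControl: 'no-store', body: null };
  // The user id comes from the verified token, never from the URL or request body.
  return { status: 200, cacheControl: 'private, no-store', body: FAVORITES[claims.sub] || [] };
}
```

Because the cookie is sent automatically by the browser, state-changing API routes built on this pattern also need CSRF protection; `SameSite=Lax` covers only part of that.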
