I'm building a web application and want to confirm if my architectural strategy makes sense. Here's what I'm considering:
I plan for public subpages that don't need any user-specific data (like exploring or browsing) to be accessed through regular hyperlinks. When it comes to personal user data, like favorites, I intend to load that via API calls that utilize a fetch wrapper to automatically send JWT cookies and handle authentication.
For example, if I navigate to a public page through a standard link, the server won't need to identify the user. However, to load my favorites, that information would be retrieved from an authenticated API endpoint, where the JWT identifies the user to retrieve the correct data from the backend.
I believe this separation of navigation and data access is logical since navigating to favorites directly via a link wouldn't send a JWT, leaving the server unclear on which user is making the request.
Does this approach seem viable in the long run? Am I on the right track with using JWTs, or is there a better method I should consider?
6 Answers
JS shouldn’t be a requirement for basic navigation, so you're right to keep those public pages accessible. Allowing users simple URL navigation is key. Also, consider how you display the logged-in user’s links; it'll enhance user experience if you can adapt based on their login status.
Your approach isn’t just a short-term fix; it's practical as long as you're consistent in what content is client-rendered versus server-rendered. It’s like the classic single-page application (SPA) model. A few tips: if you're using cookies for JWT, the server can recognize users even on basic link navigations. Just pick a method and stick to it for clarity, and don’t forget SEO and performance aspects when loading data—having a blank page load can slow things down.
It's totally reasonable to separate public navigation from user-specific data. Just remember, even if the backend doesn’t need to know who you are on a public page, tracking can be helpful for security, like bot detection. It's great that you’re thinking about best practices!
There's nothing wrong with your approach! It's simple and effective, especially if you're using standard links for static pages. Just remember, if you want to go beyond a standard SPA setup in the future, you'll need to address routing more dynamically as your app grows.
If your JWT is stored in a cookie, it will be sent automatically with all HTTP requests, so there shouldn't be a big issue. Your approach is more about how you want to display data. Just make sure you're clear on what happens with the response you get back from your API calls!
Even if user data isn’t required on public pages, ensuring that the user is logged in for sections that demand it is critical. Take care to surround those sections with adequate checks!
Absolutely! You want to ensure the back and forward buttons work seamlessly, and refreshing the page won't lead users to lose their spot. Consistency in how you navigate is crucial. User experience can also be improved by showing whether users are logged in when accessing public content.