Context: We're professionalizing our front end: design system, component library, Tailwind UI.
Agenda:
- what's the vision for how our front end should be structured relative to our API and users? (capturing tasks / ideas)
- what's been done so far?
- what's up next?
- are there open questions?
- dev environment: branch in github auto-deploying
- has its own environment variables
- dev FE → dev API
- set a standard for secrets / environments
- as needed access
- don't expose tokens in the front end / repos
- JWT validated by the API against a secret key in DO
- refresh tokens prevent access
- token ⭤ user ID pair
- what about public front end views (no auth)?
- API can use permissions to prevent access/action (roles)
- the FE client can use its own client token
- logged in user credentials would override the client token
- local, dev, prod all use the same methodology
- consider an isolated back end service for users/OAuth
- better security, separation of concerns
- https://oauth.net/2/
- let's not have Supabase auth talk to the database directly; that should go through the API
- research OAuth to estimate time / more specifically plan
- set up refresh tokens
- sketch roles/permissions
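Added illustration of the auth methodology sketched above (not the team's code, and not tied to Supabase or DigitalOcean): the API holds the JWT signing secret server-side and the front end only ever handles signed tokens; refresh tokens are opaque server-side records so access can be revoked; a logged-in user's token overrides the FE client token; and roles gate actions. The secret value, the role/permission table, the user IDs and the token lifetimes are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Callable, Dict, Optional

# Assumption: in production this comes from the API's environment config,
# never from the front-end bundle or the repo. Value is a constructed example.
API_SECRET = b"example-secret-do-not-commit"

# Constructed role -> permission table; the real sketch is still to be done.
ROLE_PERMISSIONS = {
    "anonymous": {"read:public"},
    "user": {"read:public", "read:own", "write:own"},
    "admin": {"read:public", "read:own", "write:own", "delete:any"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(sub: str, role: str, ttl: int = 900, now: Optional[int] = None) -> str:
    """Sign a short-lived HS256 access token binding a user ID (sub) to a role."""
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "role": role, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(API_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims only if the signature (against the server secret) and expiry check out."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse alg confusion ("none", RS256, ...)
            return None
        expected = hmac.new(API_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # malformed base64/JSON or wrong segment count
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims


# Refresh tokens: opaque random values stored server-side as a token <-> user ID pair,
# so revoking one cuts off new access tokens immediately instead of waiting for expiry.
REFRESH_STORE: Dict[str, str] = {}


def issue_refresh_token(sub: str) -> str:
    rt = secrets.token_urlsafe(32)
    REFRESH_STORE[rt] = sub
    return rt


def refresh(rt: str, role_lookup: Callable[[str], str], now: Optional[int] = None) -> Optional[str]:
    """Exchange a valid refresh token for a new short-lived access token."""
    sub = REFRESH_STORE.get(rt)
    if sub is None:
        return None
    return issue_token(sub, role_lookup(sub), now=now)


def revoke_refresh_token(rt: str) -> None:
    REFRESH_STORE.pop(rt, None)


def resolve_principal(user_token: Optional[str], client_token: Optional[str],
                      now: Optional[int] = None) -> dict:
    """Logged-in user credentials override the FE client token; a bare client token
    (or nothing valid at all) yields the anonymous principal used for public views."""
    for tok in (user_token, client_token):
        if tok:
            claims = verify_token(tok, now=now)
            if claims:
                return claims
    return {"sub": None, "role": "anonymous"}


def authorize(principal: dict, permission: str) -> bool:
    """Role-based check the API applies before performing an action."""
    return permission in ROLE_PERMISSIONS.get(principal.get("role"), set())
```

The same functions run unchanged in local, dev and prod; only `API_SECRET` and the refresh store change per environment, which is what keeps the secret out of the front end and the repo.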