This section explains in detail how security is implemented in ScaffoldHub.
All security files must be replicated on both the frontend and the backend.
Every action a user can perform on the application has a related permission.
- allowedRoles: The user roles that contain that permission.
When the user signs in, they receive a secure JWT token.
The frontend then sends this token on each request via the Authorization header.
Using an authentication middleware, the backend validates this token, fetches the current user, and assigns them to the request.
Each endpoint validates that the user has the permission required to access that resource.
Some endpoints, like sign-in and sign-up, do not require the user to be authenticated; for those, the middleware simply does not require a user to be present on the request.
Menus have a permission assigned to them and are only shown if the user has a role that contains that permission.
Action buttons also have validations that check whether the user has the permission.