October 17, 2023

Context: We're professionalizing our front end: design system, component library, tailwindUI.

Agenda:

• what's the vision for how our front end should be structured relative to our API and users? (capturing tasks / ideas)

• what's been done so far?

• what's up next?

• are there open questions?

Goals

• dev environment: branch in github auto-deploying

  • has its own environment variables

  • def FE → dev API

• set a standard for secrets / environments

  • as needed access

• don't expose tokens in the front end / repos

  • JWT validated by the API against a secret key in DO

  • refresh tokens prevent access

  • token ⭤ user ID pair

    • what about public front end views (no auth)?

  • API can use permissions to prevent access/action (roles)

  • the FE client can use its own client token

  • logged in user credentials would override client token

  • local, dev, prod all use same methodology

• consider an isolated back end service for users/OAuth

  • better security, separation of concerns

  • https://oauth.net/2/

  • let's not use Supabase auth to database, it should be the API

To Do

• research OAuth to estimate time / more specifically plan

• set up refresh tokens

• sketch roles/permissions