October 17, 2023

Context: We're professionalizing our front end: design system, component library, Tailwind UI.


  • what's the vision for how our front end should be structured relative to our API and users? (capturing tasks / ideas)

  • what's been done so far?

  • what's up next?

  • are there open questions?


  • dev environment: branch in GitHub auto-deploying

    • has its own environment variables

    • dev FE → dev API

  • set a standard for secrets / environments

    • as-needed access

  • don't expose tokens in the front end / repos

    • JWT validated by the API against a secret key in DO

    • refresh tokens prevent access

    • token ⭤ user ID pair

      • what about public front end views (no auth)?

    • API can use permissions to prevent access/action (roles)

    • the FE client can use its own client token

    • logged in user credentials would override client token

    • local, dev, prod all use same methodology

  • consider an isolated back end service for users/OAuth

    • better security, separation of concerns

    • let's not have Supabase auth talk to the database directly; that should go through the API

To Do
