Securing mixed SSR + API server

tpluscode · May 5, 2023, 7:26am

Hi. I would like your suggestions for configuring a dual app which will consist of a back end and a front end.

I am moving from pure SPA+API approach to one where the HTML of initial page load will be server-sider rendered for performance and SEO reasons.

Currently, I’ve been using JWT tokens with auth0.js lib.

What do I do next? Can I keep the API and dynamic requests in pages but also transparently have the user authenticated when they are requesting the pages from the browser?

phi1ipp · May 6, 2023, 4:41pm

If you switch to web-server app model, then you can redirect your unauthenticated user (when they try to hit a protected page) to the login page and then return back to your backend an authZ code, which it can exchange for token(s). After verifying the tokens your backend can generate a page with the required content and establish a cookie with a session or a token, depending if your API is hosted on the same server or on a different one.

Topic		Replies	Views
How to secure an SPA which fetch data from REST api? Does every authentication needs to be done at backend? Help jwt , api , login	4	4460	March 9, 2021
Questions on mixing SPA with API Authentication Help	2	2763	June 12, 2020
SPA app that queries my own server, rather than auth0 directly? Help spa	2	4236	March 2, 2018
Stuck with User-Auth in Fullstack-App - struggling to find the right approach Help apis , application	2	758	October 4, 2023
Setting up a SPA + API combo with React and .NET Core Help jwt , auth0 , api , spa , cookie	2	3352	March 5, 2024

Securing mixed SSR + API server

Related topics