I am in the planning stages for my application, and while I’ve done ruby and JS programming before, I’ve never scaffolded a full app stack myself before, so please bear with me. I’ve done quite a bit of research, and I’m finding that my use case doesn’t quite line up with any of the numerous examples I’ve found to date. I’d like to get through the stage of laying the groundwork so I can start putting in some code and really play with things.
I intend for a rails-backed JSON API, nearly certainly using rails-api to minimize the middleware (as termed by rails) involved.
The frontend will be an ember.js app, and should require authorization before the app gets served. This is a bit of security-through-obscurity, but I’d prefer to not serve up the whole admin app to just anyone; I’d prefer to only serve it to people who can first produce valid login credentials.
I am looking very closely at JWT, as it’s implemented for many platforms, and there is the potential for future frontends implemented as native iOS/android apps.
I need to allow users to log-in via either static html+js or rails views.
Once a user is authenticated, they should be redirected to the ember app, and the authentication token needs to be passed into the ember app, where it will be used to authorize access to the back-end API.
While the user is inside the ember app, timeout should be fairly short (~ 5 minutes guesstimate), but authorization should be refreshed while the user is active (hitting the back-end API is probably? sufficient indicator of activity)
If the authorization times out, the user should be re-directed to login. There will be no “remember-me” functionality; login is required.
I am expecting to serve all content across SSL, using nginx + passenger as the production server.
I am currently assuming two rails apps
back-end API app. Requires authorization- use modified devise?
front-end app - use modified devise? + ember-cli-rails to serve the ember app, and devise views for login, password-reset etc?
I am assuming that the two rails apps need to share a database, so that both have access to the authentication data.
Should I be using a modified ember-simple-auth within the ember app, or simply use the jsonwebtoken npm?
Should I use rails to serve the ember app via ember-cli-rails in order to enforce authorization, or is there a different/better way?
How should the JWT token get initially passed into the ember app, so the ember app can subsequently use it for access to the back-end API?
Should the back-end API refresh tokens with all API requests, or should there be a timed function in the ember app which uses a separate API endpoint to refresh its token?