We need to adjust the UI in order to secure access to posting-api, as the hts-app (UI) is the component that handles end-user authentication (the posting-api does not have knowledge of who is logged in or not, which is good - it allows it to be stateless and horizontally scalable).
All requests to posting-api should be removed from client-side JavaScript and replaced with requests directly to hts-app. Within hts-app, those requests can be piped to the posting-api in a lightweight manner, but the resource in hts-app should require end-user authentication.
I strongly recommend using expressjs/cookie-session in combination with passportjs to manage authentication... using cookies, in particular, will allow us to horizontally scale the UI without using sticky sessions on the ELB.