HashtagSell / posting-api

API for storage and retrieval of posting details for Hashtagsell

limited-https-http security group restricting beta user access #55

Closed that1guy closed 9 years ago

that1guy commented 9 years ago

The new security group is prohibiting beta testers from accessing the application. Staging should be accessible to beta users.

brozeph commented 9 years ago

We'll need to adjust the UI in order to secure access to posting-api, as the hts-app (UI) is the component that handles end-user authentication (the posting-api does not have knowledge of who is logged in or not, which is good: it allows it to be stateless and horizontally scalable).

All requests to posting-api should be removed from client-side JavaScript and replaced with requests directly to hts-app. Within hts-app, those requests can be piped to the posting-api in a lightweight manner, but the resource in hts-app should require end-user authentication.

I strongly recommend using expressjs/cookie-session in combination with passportjs to manage authentication... using cookies, in particular, will allow us to horizontally scale the UI without using sticky sessions on the ELB.

that1guy commented 9 years ago

Closing this issue and opening up a focused issue in htsApp. Thanks for catching this Josh. :) Get well soon buddy!