Closed amcgee closed 10 years ago
NB: The initial page load requirements are getting a bit excessive and can sometimes time out. We should investigate compiling JavaScript resources server-side and caching them client-side sooner rather than later.
Also, we should definitely move to using the minified Backbone and Underscore (or Lodash? My personal preference) libraries.
Some implementation details for the record:
Also, fix some latent bugs in rendering and update the UI to reflect the authentication changes. Currently, anonymous users will always see an empty map since I've only implemented resource-level permissions.
There are currently two hard-coded users - user and admin. Both have the password 'password'.
As for the implementation: sending a POST request to /api/login with the username (eventually email) and password will cause the server to sign a permissions object and return the signed token (JWT). This token can then be used to authenticate any API request without the need for persistent server-side session state. The tokens expire after one hour.
Next steps:
Authority: Bearer <token> header is required)