separate backend and frontend

[Notalifeform]

when first looking at the example I was a bit confused that both the client spa and server where accessed via localhost:5137

Separating them on different ports makes it more clear that the spa and the backend are completely independent

[Notalifeform]

TBH, I think I'd rather keep the reverse proxy in the web frontend and keep them running on the same port. You can still hit the server backend on port 3000 if desired.

Hi Jason, what is the reason you prefer that?

I know this is not a production setup, but from a security point of view one of the 'selling points' of Oauth is that the service (resource) never 'sees' the credentials of the users. (if the resource gets hacked it can get it's hand on access token, but never on credentials)

By using a proxy you actually break that: a hacker can get it's hands on actual passwords

My reason to split them is that I think it can be quite confusing for people not that familiar with the OAuth protocol (It took me also a while to figure out how the two services are related).

just my 2 cents.

[jasonraimondi]

Yeah agreed you would not use this proxy in prod, this is just for the dev setup. In prod we would really be using a load balancer in place of the proxy.

We can definitely update the console log messages to make it more clear for end users.

[Notalifeform]

Just wondering, what is the reason you prefer to keep the proxy?

[jasonraimondi]

I just like offering my API on a path route of my web application instead of having it on a separate domain. I would use a tool like nginx, caddy, or traefik to handle the proxy in production.

Just a personal thing, tomato tomato.

By offering this example this way, it does not stop anyone from hosting their oauth server or api on a separate domain/port and just tweaking the web application.

[Notalifeform]

ok. fair enough. Let's agree to disagree on this one 😄