We have a real security risk, and an inconvenience, in how we authenticate and authorize our users.
Right now a user's permissions are determined solely by the userStatus field in the JWT they present. This is not good: anyone who obtains our signing secret can mint a token with whatever userStatus they like, and the server accepts it without ever checking the database.
This also causes another problem: when we promote a user to admin, the change is not reflected live; the new permissions only take effect after they log in again and receive a fresh token (and a demotion likewise does not take effect until the old token expires).
Rework the withAuth HOC so that it resolves user permissions on the fly. Possibly a separate user API for authentication.
Implement a method that authenticates and authorizes our users by referencing our DB instead of relying solely on the claims in the JWT passed.
Suggestion:
Talk to AJ
Hey, just a heads up, I'll be adding the new withAuth page as part of this ticket. We need the server-side authentication done before we can update our user permissions on the fly.