
We have about 200 routes in our application. For each route, we check if the user has permission.

Therefore we have an Express middleware that checks whether the payload received contains either the value 1 (read) or 2 (write) for the user sending this request.

Whether the user has the permission or not is stored in our database and retrieved on login. From that point on, it’s stored in the payload of our JWT and sent between front end and back end on every request, which currently produces a pretty big overhead on each request.

My question is the following: is there a way to check these permissions without storing them in the payload and without fetching them from the database in our ‘hasAccess’ function every time a route is accessed?

I thought about fetching all users’ permissions periodically, storing them in an in-memory database like Redis, and then checking the Redis store inside the ‘hasAccess’ function.

Is that an effective/performant/secure way to solve the issue? Is there another way that is common out in the wild?

Thanks in advance!

floriantaut
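The approach floated in the question (permissions pulled from the database periodically into a server-side store, with the JWT carrying only the user id), as an added example that is not part of the original post. Redis is replaced by a plain `Map` so the snippet runs offline, the database loader is a constructed stub, and the upstream middleware that verifies the JWT signature and sets `req.user.sub` is assumed rather than shown. The `revoke` path illustrates the caveat a cache introduces: a permission change only takes effect at the next refresh unless it is pushed into the store.

```javascript
// Added example, not code from the original question: an Express-style
// hasAccess middleware that reads permissions from a server-side store that
// is refreshed from the database periodically. The JWT carries only the
// user id; no per-request DB query and no permission claims in the token.

const READ = 1;
const WRITE = 2;

// Constructed stand-in for the database table: userId -> { route: level }.
const fakeDbRows = {
  alice: { '/reports': WRITE, '/invoices': READ },
  bob: { '/reports': READ },
};
let dbLoads = 0; // counts full loads, to show the request hot path never hits the DB

function loadAllPermissionsFromDb() {
  dbLoads += 1;
  // Deep copy so later changes in the store do not leak back into the "DB".
  return JSON.parse(JSON.stringify(fakeDbRows));
}

// Periodically refreshed permission store (what a Redis hash per user would hold).
class PermissionStore {
  constructor(loadAll, ttlMs) {
    this.loadAll = loadAll;
    this.ttlMs = ttlMs;
    this.byUser = new Map();
    this.refreshedAt = -Infinity;
  }
  // Reload everything. In production this runs on a timer; here it also runs
  // lazily when the snapshot is older than ttlMs.
  refresh(now = Date.now()) {
    this.byUser = new Map(Object.entries(this.loadAll()));
    this.refreshedAt = now;
  }
  // Push path: call these when an admin changes a user's permissions so the
  // change does not wait for the next periodic refresh. A revocation that only
  // lands after the TTL is the main security cost of caching permissions.
  set(userId, perms) { this.byUser.set(userId, perms); }
  revoke(userId) { this.byUser.set(userId, {}); }

  levelFor(userId, route, now = Date.now()) {
    if (now - this.refreshedAt > this.ttlMs) this.refresh(now);
    const perms = this.byUser.get(userId);
    return perms && perms[route] ? perms[route] : 0; // unknown user/route => 0, fail closed
  }
}

// Middleware factory. Assumes an upstream middleware has already verified the
// JWT signature and set req.user = { sub: userId }. WRITE (2) is treated as
// implying READ (1); change the comparison if the two are independent flags.
function hasAccess(store, route, requiredLevel) {
  return (req, res, next) => {
    const userId = req.user && req.user.sub;
    if (!userId) return res.status(401).end();
    if (store.levelFor(userId, route) >= requiredLevel) return next();
    return res.status(403).end();
  };
}

// Minimal req/res doubles so the middleware can be exercised without Express.
function invoke(middleware, userId) {
  const result = { status: null, nextCalled: false };
  const req = userId ? { user: { sub: userId } } : {};
  const res = {
    status(code) { result.status = code; return this; },
    end() { return this; },
  };
  middleware(req, res, () => { result.nextCalled = true; });
  return result;
}

const store = new PermissionStore(loadAllPermissionsFromDb, 60000);
const canReadReports = hasAccess(store, '/reports', READ);
const canWriteReports = hasAccess(store, '/reports', WRITE);

function demo() {
  const out = {
    aliceWrite: invoke(canWriteReports, 'alice'),
    bobWrite: invoke(canWriteReports, 'bob'),
    bobRead: invoke(canReadReports, 'bob'),
    anonymous: invoke(canReadReports, null),
    unknownUser: invoke(canReadReports, 'mallory'),
  };
  store.revoke('bob'); // admin revokes bob's access; pushed straight into the store
  out.bobReadAfterRevoke = invoke(canReadReports, 'bob');
  out.dbLoads = dbLoads; // a single load served every request above
  return out;
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

With a real Redis client the `levelFor` lookup becomes an awaited `HGET`, and `set`/`revoke` become the writes your admin endpoint performs alongside the database update; the token itself then only needs a signature check per request.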
  • This is a trade-off, and in fact one of the major purposes of using JWT session tokens. JWT allows you to no longer have to keep track of a user's session and permissions in your server's memory/disk, but it means that that data needs to be sent over the wire, taking up bandwidth. If this is undesirable, then the classical route of storing sessions on the server may be more appropriate for your application. – robere2 Feb 02 '23 at 19:46
  • Does this answer your question? [how to handle/manage a lot of permissions in access-token? what's the best approach?](https://stackoverflow.com/questions/74110906/how-to-handle-manage-a-lot-of-permissions-in-access-token-whats-the-best-appro) – Maria Ines Parnisari Feb 06 '23 at 18:26

0 Answers