by seangrogg 3661 days ago
I hit the database on requests - I keep their identity in the JWT but not their permissions. And if they're hitting a protected route (the only time their identity is necessary anyways) you best be sure I'm checking their canonical permissions.
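The pattern seangrogg describes, identity taken from the JWT but permissions looked up canonically on every protected route, as an added example that is not code from the thread; the secret, the HS256 helper and the in-memory permission store are constructed stand-ins for a real configuration and database.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values: a real service loads the secret from configuration
# and queries its database instead of this dict.
SECRET = b"demo-secret-not-for-production"
PERMISSIONS_DB = {"alice": {"read"}, "bob": {"read", "write"}}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint(claims: dict, ttl_seconds: int = 3600) -> str:
    """Build an HS256 JWT; used here only to construct sample tokens."""
    claims = {"exp": int(time.time()) + ttl_seconds, **claims}
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def identity_from_token(token: str):
    """Verify signature, algorithm and expiry; return the subject or None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # signature mismatch: token was not issued by us
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse anything but the algorithm we issue
        claims = json.loads(_b64url_decode(payload))
    except ValueError:
        return None  # malformed base64 or JSON
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("sub")


def authorize(token: str, required: str) -> bool:
    """Protected-route check: identity from the token, permissions from the store."""
    sub = identity_from_token(token)
    if sub is None:
        return False
    # Any 'permissions' claim inside the token is deliberately ignored.
    return required in PERMISSIONS_DB.get(sub, set())
```

Because the permission set comes from the store and not from the token, a token that carries a stale or inflated permissions claim still only gets what the store currently grants its subject.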

You might be, but many people use signed cookie sessions in order to avoid having to check the DB.