I feel like the best way to do this is to just use cornice or DRF, then use JS scaffolding that is completely unaware of your backend. No need to join them at the hip like this, except maybe for the token-based auth?
Are you aware of any boilerplate repos or examples that take this approach? Seemingly every example I've seen assumes Node is the backend.
After thinking about it for a second, this could be because I've been looking at universal/isomorphic projects, but I'd imagine you should be able to do rendering in Node and still have a completely separate API project.
Token-based auth is stateless, so your first assumption stands true -- no need to join them at the hip.
I've tried working with tools like Djangular and whatnot, and no matter how many times I've tried working within that ecosystem, I've always had better results and cleaner, simpler code by keeping the UI and backend completely separate.
Token-based auth doesn't need to be stateless. In fact, in our current implementation it is not.
If you use stateless tokens like JWT (we had this before), you end up having a huge problem: imagine a user wants to log out all the open accounts in different browsers.
How would you handle that? You would need to wait for the expiration of the token, a solution that is not that secure.
I think you didn't understand the issue. Imagine you want to implement a "logout from all my sessions" like Facebook or Google have (sessions in different devices).
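The trade-off argued in this thread, as an added example that is not code from any commenter: a signed token checked statelessly stays valid until it expires, while one server-side lookup of a per-user version number gives "logout from all my sessions". The HMAC token format here stands in for JWT, and the in-memory `token_version` dict, the key and all function names are assumptions made for the sketch.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-key"  # constructed sample key, not a real secret
token_version = {}  # user -> current version; hypothetical stand-in for a DB column

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _sign(body):
    return _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())

def issue(user, ttl=3600, now=None):
    """Mint a signed token carrying the user's current version number."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": now + ttl, "ver": token_version.setdefault(user, 0)}
    body = _b64(json.dumps(claims).encode())
    return body + "." + _sign(body)

def verify_stateless(token, now=None):
    """Check signature and expiry only: no lookup, so no early revocation."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        if not hmac.compare_digest(sig.encode(), _sign(body).encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    except ValueError:  # wrong part count, bad base64, bad JSON, bad encoding
        return None
    return claims if claims["exp"] > now else None

def verify_with_version(token, now=None):
    """Same checks plus one lookup: the token must carry the current version."""
    claims = verify_stateless(token, now)
    if claims is None or claims["ver"] != token_version.get(claims["sub"]):
        return None
    return claims

def logout_everywhere(user):
    """Bump the version so every token issued earlier stops matching."""
    token_version[user] = token_version.get(user, 0) + 1

if __name__ == "__main__":
    laptop, phone = issue("alice"), issue("alice")  # two devices, same user
    logout_everywhere("alice")
    print(verify_stateless(laptop) is not None)  # True: accepted until exp
    print(verify_with_version(phone))            # None: revoked on every device
```
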