Some Authentication / Authorisation questions

My application will be built with nodejs, expressjs and pug template engine. The views will mainly be built on the server and sent to the browser. This will definitely be the case for a blog application I am planning. Some views might have interactivity using Ajax.

I do not want to save any authentication data in the browser. My idea is to obtain the Xano authentication token when the user logs in and store it in a node environment variable. This will be deleted when they log out. So, when a view is visited, node first checks if there is an Auth token in the .env variable. If not, the visitor is redirected to a login page, else they get access to the view. All non-public views will be handled like this. This way, no API end points are visible (except those in an Ajax call).

The code for checking if there is an auth token would look something like this:

```javascript
exports.anAppPage = async (req, res) => {
   // No token in the process environment: send the visitor to the login page.
   // Return so the handler does not go on to render the protected view.
   if (!process.env.AUTH_TOKEN) {
      return res.redirect('/login');
   }
   // Token present: render the protected pug view.
   res.render('anAppPage');
};
```

Is this approach secure?

If possible, I would like to store the authentication token in Xano, perhaps in the database or some variable. Is this possible?

Thanks.

2 replies