What's the better way of implementing security with MEAN.js

Question

I'm working with mean.js, and I have a little doubt about authentication and authorization here...

MEAN.js come with a out of the box passport.js implementation that seems to be working good enough for me just to know when a user is logged in. But at the moment of authorization some question pop up in my mind.. doing my research I reach some answers and I don’t know what is the best way of implementing security API calls in my app.

So far, I'm taking this solution:

Using express.all() function to set in one file all my authorization functions ( I guess it is a good practice right ? ).. creating a file with the following code example:

'use strict';
var passport = require('passport');
module.exports = function(app) {

    app.route('/private/p/*').all(function(req, res, next){
        if(!req.isAuthenticated()){
            res.send(401);
        }else{
            next();
        }
    });

    app.route('/private/byRoles/*').all(function(req, res, next){
        if(!req.isAuthenticated()){
            res.send(401);
        }else{
             var urlRoles = ['admin', 'godlike'];
            // ROLE LOGICS THAT ARE GOING TO BE ADDED TO MY USER
            // GETTING MY USER ID BY THE DE-SERIALIZE PASSPORT FUNCTION AND GETTING MY 
            // MONGO MODEL FOR MY USER, WITH THE INFO OF ROLES IN THERE AND DOING 
            // SOME LOGICS HERE ABOUT THE ROLES AND URL PATTERN.
            if ( hasRole(urlRoles, user.roles)){
                next();
                }else{
                   res.send(401);
                }
        }
    });
};

So far this is the solution that I'm planning to implement, but I would like to be sure of what I'm doing here... is there a better way of implementing authorization in mean.js ? Is this authorization middle-ware wrong implemented with passport? I don't sure if is necessary to implement another strategy to this.. or if this implementation has a security lack ( sure it has to ).. is better to use Oauth or using api token ??? what should be the architecture to secure an app made in MEAN.js supporting roles and permissions ?? also in the future I would need to secure my socket.. I was looking at passport-socketio.. but not sure if is there a better solution.

Answer 1

I use JWT's for my angular apps. There are many articles out there about the benefits for using tokens instead of sessions or cookies Cookies vs Tokens. Getting auth right with Angular.JS.

You can do everything you want with JWT, roles for backend and frontend, securing sockets is also possible and there are packages for this functionality. You do not need passport if you using tokens. You check the the credentials one time and store the token in the browsers local storage. There are many packages for express and JWT Express-JWT

For a closer look at JWT jwt.io