Hi, I'm quite new to doing security manually. I'm handling the client (Vue) and Server (Symfony) side of an application, but not the FusionAuth server, so I am logging users in through the FusionAuth system in place.
However, I am wondering about making API calls from my web app server to the FusionAuth server as that user, using the JWT. Basically, my setup is that I validate the client on my web app server via FusionAuth login, store the JWT, and create a secure session between the server and the client.
But every call that I am making to FusionAuth is with my server's API key, so essentially the user is asking my server to do things, and then my server is asking FusionAuth to do things with the server's credentials, not the user's credentials.
This leaves security "up to me", so to speak, where it's up to me to validate the JWT before I do any changes. I might be misunderstanding the security of the situation, but wouldn't it be better if I could update a user's info using the user's JWT instead of my API key?
That way, if the user doesn't have access via FusionAuth anymore, I don't have to validate the JWT before the request and therefore make two separate requests. FusionAuth lists the update User API call as only being valid with an API token, not with a JWT. This essentially means that if I messed up, I could accidentally update the wrong user, since I have "sudo" access with each call, when it seems like I'd ideally only have that user's access (which I assume allows them to update themselves?).
Have I misconfigured something? Am I implementing this incorrectly?
Hope that all makes sense. Thanks!
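The gap described in the question is that the server's API key can change any user, so the server itself has to prove the caller is the user being changed before it spends that privilege. The following is an added example (not the poster's code and not FusionAuth's API or SDK) of that gate: verify the caller's JWT, then refuse the update unless the token's `sub` claim matches the target user ID. It assumes an HS256 token with a shared signing secret (`EXAMPLE_SECRET`, constructed here); a deployment that signs tokens with an asymmetric key would swap the HMAC check for a public-key check. `FakeUserApi` is a stand-in for the HTTP client that would call the identity server with the API key.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example only: stands in for the key the identity
# provider signs its tokens with (assumption: HS256 shared secret).
EXAMPLE_SECRET = b"example-signing-secret-not-real"


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a JWT so the example has tokens to check (a real IdP does this)."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    """Raised for any token that must not be trusted."""


def verify_token(token: str, secret: bytes, now=None) -> dict:
    """Check structure, algorithm, signature and expiry; return the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose it (rejects "none" too).
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims or now >= int(claims["exp"]):
        raise TokenError("expired")
    return claims


def update_user_as_caller(token: str, target_user_id: str, patch: dict,
                          secret: bytes, api_client, now=None) -> dict:
    """Gate a server-credentialed update behind the caller's own token.

    The API key can update anyone, so the server checks that the token is
    valid AND that its subject is the user being changed before calling out.
    """
    claims = verify_token(token, secret, now)
    if claims.get("sub") != target_user_id:
        raise PermissionError("token subject does not match target user")
    return api_client.patch_user(target_user_id, patch)


class FakeUserApi:
    """Stand-in for the HTTP client that calls the identity server with the API key."""

    def __init__(self):
        self.calls = []

    def patch_user(self, user_id: str, patch: dict) -> dict:
        self.calls.append((user_id, dict(patch)))
        return {"user": {"id": user_id, **patch}}


def raises(exc_type, fn) -> bool:
    """Helper: True if fn() raises exc_type (used to exercise the deny paths)."""
    try:
        fn()
    except exc_type:
        return True
    return False


if __name__ == "__main__":
    api = FakeUserApi()
    tok = make_token({"sub": "user-1", "exp": 2000}, EXAMPLE_SECRET)
    print(update_user_as_caller(tok, "user-1", {"firstName": "Ada"},
                                EXAMPLE_SECRET, api, now=1000))
    print(raises(PermissionError, lambda: update_user_as_caller(
        tok, "user-2", {"firstName": "Eve"}, EXAMPLE_SECRET, api, now=1000)))
```

The important property is that the API key is never exercised until both checks pass, so a stale, forged or mismatched token cannot turn into a change to somebody else's record, and the check happens in one place rather than being repeated at every call site.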