Those were very helpful indeed! I wanted to say I’ve implemented it, but alas I can only say I’m nearly there (left with step 7 below):
- Custom JavaScript in theme to get a JWT via /members/ssr
- Push JWT to my app, which validates it using `members_public_key` and returns the app cookie.
- Cookie stores the email of the member, and has the same httpOnly, secure and sameSite settings.
- App is located as a subdir via nginx proxy.
- When the user accesses the app, nginx checks if the Ghost-generated cookie `ghost-members-ssr`, which stores the member's email, is the same as the app's generated cookie.
- On sign out, a custom JavaScript sends the member's email to the app to remove the app cookie.
- If ghost cookie expires, app won’t authenticate since it requires both ghost and app cookies.
With this setup, I’ve adopted a hybrid approach to ensure a smooth auth experience across ghost and the app while implicitly benefiting from security features set by Ghost.
Personally I hope that member accounts will gain the ability to add names or handles. After tinkering with this possibility, the potential to extend Ghost to create simple, integrated communities instead of relying on third-party services (Disqus) or fully featured platforms (Discourse) is closer to reality than I thought!