I have implemented Guardian on one of my applications. My question: if I will be authorizing actions based on the `role_id` defined in the `users` table, are these two options equal in terms of security?

- On accessing a protected path, use `resource_from_claims(claims)` to load the user object from the database and check if `role_id == 1`.
- Or encode the `role_id` in the token itself (the encoded and signed claims) like:

```elixir
%{
  "role_id" => "1",
  "sub" => "1"
}
```

And then authorize actions based on this value without making the call to the database (`users` table)?
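As an added example (not code from the original post or from Guardian itself), here is one Plug that applies the same `role_id == 1` rule either way, so the two options can be compared in code; it assumes Guardian 1.x, a `Guardian.Plug.Pipeline` that has already verified the token and loaded the resource, and the hypothetical module names `MyAppWeb.RequireAdmin` and `MyApp.Guardian`. The comments spell out the practical difference: a role read from the database is current on every request, while a role read from the claims is frozen at issuance and stays valid until the token expires or is revoked.

```elixir
# Added example, not from the original post. Module names are assumed.
defmodule MyAppWeb.RequireAdmin do
  import Plug.Conn
  @behaviour Plug

  @admin_role_id 1

  # Choose the source with `plug MyAppWeb.RequireAdmin, source: :claims`
  # (defaults to :database).
  def init(opts), do: Keyword.get(opts, :source, :database)

  # Option 1: the Guardian pipeline already verified the signature and called
  # resource_from_claims/1, so read the role from the freshly loaded user row.
  # A role change in the users table takes effect on the next request.
  def call(conn, :database) do
    case Guardian.Plug.current_resource(conn) do
      %{role_id: @admin_role_id} -> conn
      _ -> deny(conn)
    end
  end

  # Option 2: trust the signed claim and skip the database. The signature
  # guarantees the claim was not altered, but the value is only as current
  # as the token: a demoted user keeps admin access until "exp" passes or
  # the token is revoked.
  def call(conn, :claims) do
    case Guardian.Plug.current_claims(conn) do
      # JSON claims arrive as strings, hence "1" rather than 1
      %{"role_id" => "1"} -> conn
      _ -> deny(conn)
    end
  end

  defp deny(conn) do
    conn
    |> send_resp(403, "forbidden")
    |> halt()
  end
end

# For option 2 the role has to be placed in the claims when the token is
# issued, e.g. at login (assumed MyApp.Guardian module):
#   MyApp.Guardian.encode_and_sign(user, %{"role_id" => Integer.to_string(user.role_id)})
```

Whichever source is used, the token's short lifetime (and a revocation check, if Guardian.DB or similar is in place) bounds how long a stale or leaked claim can be honoured.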