Web site using backbone for frontend and nodejs for backend

I'm developing a new web site that will be a single paged app with some dialog/modal windows. I want to use backbone for frontend. This will call backend using ajax/websockets and render the resulting json using templates.
As a backend I'll use nodejs express app, that will return the json needed for client, it'll be some kind of api. This will not use server side views.
Client will use facebook, twitter, etc. for authentication and maybe custom registration form.
Client static resources, such as css, js, and html files will be handled by nginx (CDN later).

Questions that I have now:

  • How can I determine that a given user has the right to do some action in api(i.e. delete a building, create new building)? This is authorization question, I thought of giving user a role when they login and based on it determine their rights. Will this work?
  • Similar to the above question, will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
  • Is this architecture acceptable or I'm over engineering and complicating it?

Passport is an option for the authentication piece of the puzzle. I'm the developer, so feel free to ask me any questions if you use it.

  • I thought of giving user a role when they login and based on it determine their rights. Will this work?
    • Yes this will work. You can check for a certain role on the user after it's been fetched from the server. You can then display different UI elements depending on this role.
  • Will this role based security be enough to secure the api? Or I need to add something like tokens or request signing?
    • It wont be enough. Anyone could hop into the console and set something like user.admin = true. In your API you'll need to validate a user token from the request, making sure that the related user has the appropriate permissions.
  • Is this architecture acceptable or I'm over engineering and complicating it?
    • At the least you should have an API validation layer. That would make a decent enough start, and wouldn't be over-engineering.

For the authentication part of your question i would use everyauth which is an authentication middleware for connect/express. It supports almost every oauth-social-network-thingie.

For role management you could give node-roles a try. I didn't use it myself but it should help you out, because it checks the role on the server side. Of course that is only useful if your API is implemented in node.js. If that's not the case, you have to "proxy" the API calls over your node.js app.

I hope I could help you! :)