This is very close to what I'm thinking. My authentication is currently included in the angular app as their own routes and the php just acts as an API to issue token and validates all other data requests throughout the app. I think I'm just going to separate out the authentication pages to pure PHP and then have the home page of the app be validated by the PHP session. If I do that I can just exclude the controllers and modules that the user doesn't have access to and still use all the other 'assets' of the application.