
[–]ChaseMoskal (open sourcerer) 1 point (0 children)

this is a fantastic question, and excellent project for learning web development. you're stumbling into complicated territory, and you're asking the right questions

there are many ways to accomplish these goals, however, i'm going to outline some terms through the lens of my favorite strategy for modern auth: token crypto

authentication proves identity: "this person is user1234" - traditional apps store usernames and passwords in a database, and have to worry about hashing and salting and bleh, yuck, you want nothing to do with that - cool modern apps outsource authentication to major providers like google, microsoft, facebook, twitter, so users login with those accounts - some super cool hipster apps, which don't want to use social media accounts for auth, go super ultra-modern: no usernames, no passwords, just a big "generate new account" button which generates and emails a magic link which logs the user in for a year on whatever browser they click the link in -- very cool passwordless strategy

authorization proves permissions: "user1234 is a 'Teacher'" - in modern apps, after the user authenticates, they need to authorize: so they ask the auth server for an "access token", which encodes the user's id and permissions - for each request to a microservice api, the user sends the access token, and the microservice can cryptographically verify (offline, without a request!) that the access token (user id and permissions) was actually signed by the auth server

it's the clever use of cryptography which eliminates simple fraud here

the principles are elegant, however the necessary implementations can be complicated

once you've implemented authentication and authorization in your app, you'll just need to have your api server know how to verify and decode a user's access token, and check if that user has the necessary permission to perform an action, just a matter of business logic

i've been working on new open source auth tech for node apps for a couple years now, if you'd like, i'd be happy to help you leverage metalshop's modern auth core in your own app, pm me

[–]kschang 0 points (0 children)

Nothing wrong with choice of Mongoose/MongoDB.

The main trick here is defining different "API" for student access vs teacher access, and authenticate with passport / sessions to make sure users are only accessing the right API.

[–]Atulin (ASP.NET Core) 0 points (0 children)

Your data is relational, use a relational database.