This seems to confuse terminology a bit. The problem described isn't with using tokens (which is good standard practice), but specifically with using signed tokens and relying purely on the information in them.
Is that extra database call to get auth status really that costly? Having the client hold any kind of access control is scary to me.
This seems to confuse terminology a bit. The problem described isn't with using tokens (which is good standard practice), but specifically with using signed tokens and relying purely on the information in them.