I believe that you have a misunderstanding regarding 'what is happening here'.
This isn't 'client side authorisation' in the sense you are talking of.
Specifically it still relies on a /session route which only accepts valid authorization objects which can be thought of as keys in a more 'traditional' 'server side authentication' approach.