There is a need to create a WeChat public account, which requires WeChat login. After the front-end gives me the code, I apply for an access token and get the user's information.
Does this mean that the user model does not require a password? If spring security is not used, I need to control permissions on some API interfaces. How do I judge the permissions requested by the front end?
It is said on the Internet that tokens are used. Every request on the front end carries the token. Is this token the access token that WeChat gave me?
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
Yes, similar to secretless login, you get the access_token from WeChat through code, and then get the user's information. If the user exists on the server, call spring security to generate the authenticated user object yourself, and return it to the client.