Essentially, I am facing the scenario of implementing a REST API, wherein specific documents relating to workspaces can be accessed by those that either "own" the document/workspace, or those who've been added to a "shared with" list.

I want to ensure that these users' credentials are queried against the document's owner-id before making changes to it.

I feel this is appropriate for any further collections of documents extending this schema as well (e.g. uploaded files), because they don't have to be referenced in a parent-child relationship, and can be disassociated from these workspace instances. I can only see this being possible by accessing the database twice, once to find the doc/verify ownership, and once to modify it.

Would this sort of denormalization be appropriate when working with Mongo, and is this the most efficient way of communicating with the database in this situation?

I thought about using OAuth2/JWT and a prebuilt authentication server for the system. Would I need to add some kind of field to granted tokens for this purpose and just compare it to the corresponding field in the document?

I thought I'd be able to find an existing answer to this, as it seems like it'd probably be asked a lot; however, I wasn't successful.

Thanks
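
The ownership check described in the question can be folded into the write's own filter, so the check and the update are one atomic operation on a single document. This is an added example, not part of the original post; the field names `ownerId` and `sharedWith`, the string ids, the helper names and the in-memory stand-in for the collection are assumptions.

```javascript
// Added example. Field names (ownerId, sharedWith) and the in-memory
// collection are assumptions; with the MongoDB Node.js driver the same filter
// would be passed to collection.updateOne(filter, { $set: changes }).

// Matches the document only if the caller owns it or is on its shared list,
// so the authorization check and the write happen in one atomic operation.
function authorizedFilter(docId, userId) {
  return { _id: docId, $or: [{ ownerId: userId }, { sharedWith: userId }] };
}

// Tiny matcher for the query subset used above: equality, array containment
// (MongoDB matches a scalar against any array element), and $or.
function matches(doc, filter) {
  return Object.entries(filter).every(([key, cond]) => {
    if (key === "$or") return cond.some((sub) => matches(doc, sub));
    const value = doc[key];
    return Array.isArray(value) ? value.includes(cond) : value === cond;
  });
}

// Stand-in for updateOne(): reports matchedCount like the driver's result.
function updateOne(collection, filter, changes) {
  const doc = collection.find((d) => matches(d, filter));
  if (!doc) return { matchedCount: 0 };
  Object.assign(doc, changes);
  return { matchedCount: 1 };
}

// userId must come from the verified token (for example its "sub" claim),
// never from the request body. Returns the HTTP status to send.
function renameWorkspace(collection, userId, docId, title) {
  // Reject non-strings so an object such as { $ne: null } cannot become a
  // query operator inside the filter.
  if (![userId, docId, title].every((v) => typeof v === "string")) return 400;
  const res = updateOne(collection, authorizedFilter(docId, userId), { title });
  // Same answer for "no such document" and "not yours": existence is not leaked.
  return res.matchedCount === 1 ? 204 : 404;
}

// Constructed sample data.
function sampleWorkspaces() {
  return [{ _id: "w1", ownerId: "alice", sharedWith: ["bob"], title: "Draft" }];
}

const demo = sampleWorkspaces();
console.log(renameWorkspace(demo, "alice", "w1", "Plan"));   // owner
console.log(renameWorkspace(demo, "bob", "w1", "Plan v2"));  // shared user
console.log(renameWorkspace(demo, "mallory", "w1", "x"));    // neither
```

A token only needs to carry the caller's identity for this to work; the per-document access list stays in the document, so revoking a share takes effect without reissuing tokens.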