React-router and express control rights issues

  node.js, question

When I was doing my blog today, I thought of the problem of permission. The first moment is to use ejs (server template engine) to return a field (taken from session), and then use mapStateToProps(){// in jsx of route to judge whether the variable exists, if there is a corresponding menu display}

app.get('*', function (req, res) {
 // Post.get(null, function (err, posts) {
 //   if (err) {
 //     posts = [];
 //   }
 // });
 console.log('**************************')
 res.render('index', {
 Title:' home page',
 user: req.session.user,
 success: req.flash('success').toString(),
 error: req.flash('error').toString(),
 env : 'development',
 pageAuthor:['01','02','03'].toString()
 });
 // res.renderToString('index',{
 //
 // })
 });
function mapStateToProps(state) {
 
 let routerState = 2;
 if (document.getElementById('user').value){
 routerState = 1
 bracket
 return {
 routerState : routerState
 bracket
 
 bracket
 export default connect(mapStateToProps)(Main)

But it didn’t get the desired effect. You must refresh the page variable before it appears.
My understanding is that ejs must be parsed by the server before it can be returned to the browser for parsing.
But I used react-router single page refresh.
I hope a great god can give me a solution, and if there are other better solutions, I can also offer ~ ~
Thank you ~ ~

Isn’t this your back-end mvc thinking?
Now that we have all done Single-page application, back-end communication only needs ajax. Just send ajax to the back-end for permission judgment.

The front end is not secure and all requests have to be verified by the back end again.
For example, I am going to enter the Content Manage System page through front-end routing. I have obtained my permission through ajax request. At this time, a menu button will be displayed to enter the background.
After I click the button to enter the background page, I will make another ajax request to obtain data. This time, the back end of the request will be verified according to the session, so the data is safe.
The authority obtained by the front end only presents some insensitive things to improve the user experience. All requests for data are verified by the back end according to the session and are not unsafe.