Registration: POST /api/signup, the email / login and password plus whatever user data you need are sent in the request body. Store this in the database and, of course, hash the password with bcrypt.
Login: POST /api/login, the login and password are passed in the request body. Get the user from the database, hash the password, compare it with the saved one. If not ok - 401, goodbye; if ok:
Generate a JWT token, write the login and roles into the token, set the expiration date. The token must be signed with HS256 or stronger.
Put the token in the response in the X-Auth-Token header, or return it in the response body, or whatever. In addition, return the user's role to the front end so that the front end knows what to draw.
The frontend saves the token in a cookie or localStorage and passes it with every request.
For every request you:
1. See if there is a token in the header. If not, 403.
2. Validate it (be sure to set the signature algorithm yourself, and do not take it from the token itself), and check whether it has expired. If invalid or expired - 403.
3. Get the email and roles from there. See if your endpoint is available to these roles. If not, 403.
4. ...
5. PROFIT!
From time to time the token needs to be refreshed. You can also write the user's IP and a bunch of other useful information into the token.
The keywords for Google are "JWT auth"; I don't even know what else to add.
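The per-request checks from the answer above, as an added example in Python that is not the answerer's code: a minimal HS256 JWT issue/verify pair built on the standard library only, with the signature algorithm pinned on the server side (never read from the token), expiry checked, and the token's roles checked against the roles an endpoint allows. The secret value, the claim names (`sub`, `roles`, `exp`) and the `authorize` helper returning an HTTP status are assumptions; bcrypt password hashing and the database lookup are left out.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"constructed-demo-secret-replace-in-production"  # assumption: server-side key
ALG = "HS256"  # pinned here; verification never dispatches on the token's own header

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(login: str, roles: list, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Build header.payload.signature with login, roles and an expiry (iat/exp in seconds)."""
    now = int(time.time()) if now is None else now
    header = b64url(json.dumps({"alg": ALG, "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"sub": login, "roles": roles, "iat": now, "exp": now + ttl_seconds}
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature (under the pinned ALG) and expiry are good, else None."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header, claims, sig = (json.loads(b64url_decode(header_b64)),
                               json.loads(b64url_decode(payload_b64)), b64url_decode(sig_b64))
    except ValueError:  # bad base64, bad JSON or bad UTF-8 all derive from ValueError
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict) or header.get("alg") != ALG:
        return None  # reject anything not signed the way this server signs
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        return None
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return None  # expired ("rotten") token
    return claims

def authorize(token: Optional[str], allowed_roles: list, now: Optional[int] = None) -> int:
    """Steps 1-3 of the answer: missing, invalid, expired or wrong-role token -> 403, else 200."""
    if not token:
        return 403
    claims = verify_token(token, now)
    if claims is None or not set(claims.get("roles", [])) & set(allowed_roles):
        return 403
    return 200
```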
Pass the user status in the original HTML (inline JS), or request it from the frontend when the application is initialized. Registration and authorization are no different, except that they go via AJAX to the API. On completion, JSON is returned, for example with the necessary data.