Using a single application for user and admin (with different auth methods) vs separating them into two applications
Either option can work, if done correctly. In general, I would prefer to use the same application because it is simpler to maintain, particularly if the two applications share a lot of common code. However, there are some considerations which could tip the scales in favor of two distinct applications, mainly:
- It is easier to lock down a separate HR application to more than simply a login role. For example, the Employee app may be publicly accessible via the internet, but the HR app could be locked down to the internal network, or even certain user's workstations.
- It would be much harder to brute force a valid login for the HR app without having access to it.
- With a single app, it is possible for a developer to make a mistake and accidentally expose admin functionality to regular users. This obviously would not happen with separate apps. (This is why I stressed "if done correctly" in the first sentence.)