The time you were hiding jsreport behind firewall is gone. With the new jsreport release comes support for securing access to the reporting server.
You can secure jsreport server by enabling and configuring authentication extension. This will add shiny login page and secure API with basic authentication. You can find how to configure authentication extension here.
You can secure individual user access to jsreport by configuring authorization extension. You need to first provide an endpoint to your service responsible for authorization. jsreport will then ask your service first before performing an operation and you can decide what is the user authorized to do. Find more about authorization here.