Reputation: 2045
I am working on the MEAN stack and my head insists on incorporating server-side role authorization for routing. To put it simply, the solution must fit the need in such a way that there is no way the user can trick the browser into accessing the page unless a proper access token is provided. I have searched tutorials online, and all of the solutions provided could still be bypassed by tricking the browser with modifications to the code.
Example:
1) User has an access token in cookies.
2) Client side/server side decrypts the access token and identifies the user role.
3) The user role is returned to the logic for role accessibility.
At the end of the day, user could still trick the browser by:
1) removing/replacing the logic for the pieces of code that return the user role
2) replacing the return value with a specific user role to access it.
How could this be avoided?
$routeProvider.when('/admin/index', {
  controller: 'AdminIndex',
  templateUrl: 'AdminIndex.html',
  // custom route metadata consumed by a client-side role check
  access: {
    roles: ['Admin']
  }
});
Upvotes: 0
Views: 191
Reputation: 944064
The client is entirely under the control of the user. You need to use the access token to determine what roles the user has on the server and limit access to the data needed to populate the pages there.
Don't worry about the user being able to access the Admin page, just worry about allowing them to get the data that only admins should have access to and about accepting requests (as authorised) from them to endpoints that change things on the server.
Upvotes: 1