dpdragnev

Reputation: 2111

Angular routing authorization security

I am new to Angular and one of the things that I am trying to wrap my head around is the route authorization. I am coming from the .NET/IIS world where route authorization is as simple as decorating your API or MVC controller with the [Authorize] attribute.

I have read several posts and documents on how Angular handles routing. My concern is that the authorization is happening on the client. What prevents the user from firing up the dev tools, breakpointing the script execution, and changing the variables in the authorization service that control whether or not the user is authorized to access this route?

As I mentioned, I am new to Angular, so maybe I have misunderstood how the routing works. If this is the case, please correct me.

So, my question is: How can one achieve the same level of security with Angular routing as you would if using server-side routing authorization?

Thank you.

Upvotes: 3

Views: 658

Answers (1)

dpdragnev

Reputation: 2111

It is evident that a pure client-side solution cannot exist. Thus, Angular routing alone cannot be used in cases when a certain route has to be securely restricted. I am thinking that routing has to be handled on both ends.

I am using Node so here is what I did:

var express = require('express');
var app = express();

// Placeholder for the authorization check, whose body is not shown in the
// post: it denies everything until replaced with a real check of server-side
// state (for example the session).
function call_to_auth_service() {
    return false;
}

// first evaluate the restricted route
app.get('/admin/*', function(req, res) {
    // authorization
    var authenticated = call_to_auth_service();
    if (!authenticated) {
        res.status(403);
        res.end();
    }
    else {
        // just remove the front /; req.path excludes the query string, which
        // req.url would otherwise carry into the view name
        var url = req.path.replace('/admin/', 'admin/');
        res.render(url);
    }
});

// open access - everything else goes back to the index page and there the angular routing takes over
app.get('*', function(req, res){
    res.render('index');
});

app.listen(3000);

This works, but I am not sure if this is the best approach. What do you think? Is this the proper way of handling the routing?

Thank you.

Upvotes: 2
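The server-side half of the answer above, written out as an added example that is not the question's or the answer's own code: the decision for a restricted route is a pure function over the request path and the server-held session, so it can be unit-tested without a running server and then called from an Express handler. The route table, the session shape ({ user: { name, roles: [...] } } or undefined when logged out) and the Angular client guard being only a UX convenience are assumptions of this example.

```javascript
// Assumed mapping from URL prefix to the role that may open it.
const RESTRICTED_ROUTES = [
  { prefix: '/admin/', role: 'admin' },
  { prefix: '/reports/', role: 'analyst' },
];

// Normalize the request path before matching so that query strings,
// percent-encoding and dot segments cannot sidestep the prefix check.
// Returns null when the path is not usable as a view name.
function normalizePath(rawUrl) {
  const pathOnly = rawUrl.split('?')[0].split('#')[0];
  let decoded;
  try { decoded = decodeURIComponent(pathOnly); } catch (e) { return null; }
  const segments = decoded.split('/').filter(s => s.length > 0);
  if (segments.some(s => s === '..' || s === '.')) return null;
  return '/' + segments.join('/');
}

// Decide what the server does for a request. Only server state (the
// session) is consulted; nothing the client can edit in dev tools matters.
function authorize(rawUrl, session) {
  const path = normalizePath(rawUrl);
  if (path === null) return { status: 400 };
  const lower = path.toLowerCase();
  const rule = RESTRICTED_ROUTES.find(r => lower.startsWith(r.prefix));
  if (!rule) return { status: 200, view: 'index' }; // Angular routing takes over
  if (!session || !session.user) return { status: 401 };
  const roles = session.user.roles || [];
  if (!roles.includes(rule.role)) return { status: 403 };
  // View name comes from the normalized path, not from req.url verbatim.
  return { status: 200, view: path.slice(1) };
}

// Express-style handler, mounted as app.get('*', handle). req.session is
// assumed to be filled in by a server-side session middleware.
function handle(req, res) {
  const decision = authorize(req.url, req.session);
  if (decision.status !== 200) return res.status(decision.status).end();
  return res.render(decision.view);
}
```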
