Reputation: 335
I'm developing an application that requires user authentication if you want to display certain pages... I'm a little worried about letting the Angular 2 guard handle all the permissions. Should I add some verification in the backend that says whether the user can or can't access a given URL? Is there a way that someone in the frontend can inject JavaScript code into my page and access a forbidden context by making the canActivate guard return true?
Upvotes: 1
Views: 130
Reputation: 1652
Should I add some verification in the backend that says whether the user can or can't access a given URL?
Yes, you have to give roles to users and send them to the client, so the app decides locally whether it can serve this URL. BUT you have to keep this role/user association on the server side too, because someone can edit the request.
Your server will only send data if your association says the user is authorized.
Is there a way that someone in the frontend can inject JavaScript code into my page and access a forbidden context by making the canActivate guard return true?
Sure, but even if it weren't possible, you must never trust a client request.
Only trust your server-side information, and compare it with the client request.
Upvotes: 2
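The two checks the answer describes, side by side, as an added example that is not part of the original question or answer. The session store, the user-to-role table, the route-to-role table and the `x-session-token` header are all assumptions standing in for a real session backend and database; the client-side guard is written as a plain function in the shape of an Angular canActivate guard rather than with the Angular API itself.

```javascript
// Added example, not code from the original post. The in-memory Maps below
// are hypothetical stand-ins for a real session store and user database.

// Server-side session store: opaque session token -> user id.
// Only the server ever sees this mapping. (Constructed sample data.)
const sessions = new Map([
  ['tok-alice', 'alice'],
  ['tok-bob', 'bob'],
]);

// Server-side user -> role association: the copy the answer says you must keep.
const userRoles = new Map([
  ['alice', 'admin'],
  ['bob', 'user'],
]);

// Which role each protected URL requires (assumed route table).
const routeRoles = {
  '/admin/users': 'admin',
  '/dashboard': 'user',
};

const roleRank = { user: 1, admin: 2 };

function hasRole(actual, required) {
  return (roleRank[actual] || 0) >= (roleRank[required] || Infinity);
}

// Client side: an Angular-style canActivate guard. It decides whether to render
// a route locally, using the role the server handed to the client after login.
// Anyone can flip that state in devtools, so this is UX, not security.
function canActivate(clientState, url) {
  const required = routeRoles[url];
  return required === undefined || hasRole(clientState.role, required);
}

// Server side: the check that actually matters. The role is looked up from the
// session token; anything the client claims about itself (body, query, extra
// headers) is never consulted.
function authorize(request) {
  const required = routeRoles[request.url];
  if (required === undefined) return { status: 200 };

  const userId = sessions.get(request.headers['x-session-token']);
  if (!userId) return { status: 401 };

  const role = userRoles.get(userId);
  if (!hasRole(role, required)) return { status: 403 };
  return { status: 200, user: userId };
}

// Constructed request: Bob has edited his client state to claim 'admin' and
// even sends the claim in the body. The guard lets him navigate; the server
// uses only its own token -> user -> role chain and refuses.
const tamperedBob = {
  url: '/admin/users',
  headers: { 'x-session-token': 'tok-bob' },
  body: { role: 'admin' },
};

console.log(canActivate({ role: 'admin' }, '/admin/users')); // true: guard bypassed locally
console.log(authorize(tamperedBob).status);                  // 403: server refuses
```

The point of the split is that `canActivate` and `authorize` share the same route table but take their role from different places: the guard trusts whatever is in client state, the server trusts only what it can derive from the session token it issued. In a real deployment the tokens would be long random values delivered over HTTPS and the lookups would hit a session store and database; the logic of "ignore the client's claims, look up the role yourself" is what carries over unchanged.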