Reputation: 517
I started learning Angular and I noticed that every call I make to backend can be seen from developer tool. So when I got method/function like this:
getUser(userId) {
  return this.http.post('server/page/get-user', { id: userId });
}
And then in some component I would call it like this:
this.userService.getUser(2).subscribe((data) => {
  console.log(data);
});
Which basically returns user information (name, address, etc.) based on whatever user id gets posted. If someone wanted to get a random user's information, couldn't they just make an API call to this endpoint with a random number in the request payload and get that user's information?
I read somewhere that one way to fix this is to use JWT, which basically encrypts the payloads, but isn't there an option to make this API call usable only in my app, or at least hide it from developer tools?
Upvotes: 2
Views: 31739
Reputation: 1
Though this message was posted a long time ago: in my case, I send the request to a new window and then just post the response back to my main window.
In that case, even if the user opens the network tab of the developer tools in the "opened browser", he can't see the logs.
Upvotes: -1
Reputation:
In short, no.
There are ways of hiding requests by hitting endpoints that process your request, but since you're just starting, consider that you can't.
Let me explain further: JavaScript runs in the client's browser. That means the client has full access to your front-end code: if he wants, he can completely break down your application.
The plus side is that it can only be broken on his own computer: the client can't mess with another client's browser.
On the other hand, your server can be accessed by anything, but you're the one with master control over it: you should secure it.
To do that, as you said, you can use JWT. But JWT is an authentication process, which is basically an encoded string. By decoding it, you can get client information, but that information isn't fetched from the DB; it is fetched from the token itself.
If you want to secure your endpoints, you could for instance state that only the user with the ID provided by the token can access your endpoint: tokens can't be forged without the signature. This would secure your endpoint and prevent other users from making modifications.
On the other hand, you could also prevent other applications from using this endpoint. For instance, if your user uses their token in an app other than yours, you could refuse it. But that is getting a little more advanced, so for now I think you should focus on securing your endpoint from other users.
Consider asking another question with the tags corresponding to your backend language, which will be far more helpful than asking for an Angular solution.
Upvotes: 4
Reputation: 943564
Is there a way to hide the API call, or make it private?
No. The browser belongs to the user. What it does is under their control, not yours.
Which basically returns user information (name, address, etc.) based on whatever user id gets posted. If someone wanted to get a random user's information, couldn't they just make an API call to this endpoint with a random number in the request payload and get that user's information?
If you are running an unauthenticated API, yes.
It sounds like you desire security through obscurity which is highly unreliable.
I read somewhere that one way to fix this is to use JWT, which basically encrypts the payloads
Not really.
You need authentication / authorisation.
You need to identify the user (this could be through a username and password, OAuth with a provider like Facebook or Twitter, etc).
Then you need to make sure that user is allowed to read the data they are requesting, e.g. a user record can only be accessed by the user who owns the record or by a user with the admin role.
isn't there an option to make this API call usable only in my app?
No
or at least hide it from developer tools?
No
Upvotes: 7