I have been reading a bunch of different posts and questions all over. I am new to Angular and looking for an example on how to secure an Angular application with roles.
The little I have seen on the internet involves using a service to authenticate and get the user a token; I am presuming this token is then kept in an Angular service for the duration of the user's session.
I'd like an example on how to set up both the client side (Angular) routing and model security (show / hide / enable / disable specific fields) and server side (Web API).
What I have in mind so far is:
- Create a Security controller that a login form will post to and implement logic to issue a token
- Secure the remaining WebApi controllers with an Authorization attribute that will issue 403 where a token is missing / invalid
- Implement server side processing for resources (when authorized) that returns models and only the properties a user is authorized to see (custom data annotations on the model properties)
- Implement 403 handling on the client (not sure where to start here)
- Implement view rendering of the models where fields can be enabled / disabled based on roles (i.e. user can see but not edit) (directive(s))?
A concrete example on how to do this (correctly), taking into account the current security precautions, would be helpful.
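The plan in the question has a server half (issue a token, authorize per controller, project each model down to the properties the caller's roles may see or edit, reject writes the UI should never have allowed) and a client half (route guard, 403 handling, enable/disable fields from the server's answer). Below is an added, framework-free JavaScript sketch of those pieces; it is not code from the question, from any answer, or from Angular or ASP.NET Web API. The `Customer` model, the role names (`user`, `manager`, `admin`), the `customerFieldPolicy` table standing in for the custom data annotations, the route table and the session shape are all constructed assumptions. One design choice differs from the question's wording: the example distinguishes 401 (no valid token) from 403 (valid token, insufficient role), which is the usual HTTP convention, so the client can send one case to login and the other to a "forbidden" view without retrying.

```javascript
// Constructed sample: which roles may read and which may edit each property of a
// Customer model. This plays the part of the custom data annotations the question
// describes; the server applies it before a response leaves the API.
const customerFieldPolicy = {
  id:          { read: ['user', 'manager', 'admin'], write: [] },
  name:        { read: ['user', 'manager', 'admin'], write: ['manager', 'admin'] },
  email:       { read: ['user', 'manager', 'admin'], write: ['manager', 'admin'] },
  creditLimit: { read: ['manager', 'admin'],         write: ['admin'] },
  ssn:         { read: ['admin'],                    write: ['admin'] },
};

function hasAnyRole(userRoles, allowed) {
  return allowed.some((role) => userRoles.includes(role));
}

// Server side: project a model down to the properties the caller may read and
// report which of those the caller may also edit. Properties not listed in the
// policy are never sent (fail closed). The client renders `editable` as enabled
// inputs and everything else in `data` as read-only.
function projectForRoles(model, policy, userRoles) {
  const data = {};
  const editable = [];
  for (const [field, rule] of Object.entries(policy)) {
    if (!(field in model)) continue;
    if (!hasAnyRole(userRoles, rule.read)) continue;
    data[field] = model[field];
    if (hasAnyRole(userRoles, rule.write)) editable.push(field);
  }
  return { data, editable };
}

// Server side: a disabled input is a courtesy to the user, not a control, so the
// API re-checks every field in an incoming update. Returns the fields to reject.
function rejectUnauthorizedWrites(patch, policy, userRoles) {
  return Object.keys(patch).filter((field) => {
    const rule = policy[field];
    return !rule || !hasAnyRole(userRoles, rule.write);
  });
}

// Client side: constructed route table with the roles each route requires, and
// the guard a router consults before activating a route.
const routes = {
  '/customers':        { roles: ['user', 'manager', 'admin'] },
  '/customers/credit': { roles: ['manager', 'admin'] },
  '/admin':            { roles: ['admin'] },
};

// session is the in-memory record the question describes: { token, roles }.
function canActivate(path, session) {
  if (!session || !session.token) return 'login';
  const route = routes[path];
  if (!route) return 'notfound';
  return hasAnyRole(session.roles, route.roles) ? 'allow' : 'forbidden';
}

// Client side: the decision an HTTP response interceptor makes. 401 means the
// token is missing or expired (go to login); 403 means the token was fine but
// the role was not (show a forbidden view, do not retry the request).
function onHttpStatus(status) {
  if (status === 401) return { action: 'redirect', to: '/login' };
  if (status === 403) return { action: 'redirect', to: '/forbidden' };
  return { action: 'pass' };
}

// Constructed record used for a stand-alone run.
const sampleCustomer = {
  id: 7, name: 'Ada', email: 'ada@example.test', creditLimit: 5000, ssn: '000-00-0000',
};
console.log(projectForRoles(sampleCustomer, customerFieldPolicy, ['manager']));
console.log(rejectUnauthorizedWrites({ name: 'Ada L.', creditLimit: 1 }, customerFieldPolicy, ['manager']));
console.log(canActivate('/admin', { token: 't', roles: ['user'] }));
```

The point the two server-side functions make together is that the client's show/hide and enable/disable state is derived from the server's projection, and the server still validates every write independently of what the UI allowed. The roles themselves should come from the validated token on the server, never from a field the client sends.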