0

I have a MEAN stack application that uses JWT for authentication. I use Satellizer (an Angular module) to implement the JWT authentication flow. It sends the Authorization header with the bearer token whenever requests are made through the app.

My problem is when a request to a restricted url, lets say /dashboard is made through the address bar, the browser does not send an authorization header, thus blocking the request.

So what should I do to make the browser send the authorization header when making requests to restricted urls?

davidchoo12
  • 1,261
  • 15
  • 26

1 Answers1

1

If the user directly enters an address in the bar I'm afraid you can not do anything except redirect to the error form. The browser will not send specific headers

But if you are building the links that the user clicks, then you can add the JWT token in the URL link itself /dashboard?jwt=. In the server you will have to take into account this case of authentication

Be careful in this case, the browser could cache the URL and write it in some log. If the JWT is signed and not encrypted it could leak sensitive information if an attacker has read-access to the log files. Also it could be possible a session hijacking attack.

pedrofb
  • 37,271
  • 5
  • 94
  • 142
  • Agreed but I am not sure it is a good idea to send the token through the query string. Right? – Spomky-Labs Jan 06 '17 at 18:26
  • 1
    I agree with you. The browser can cache the URL and write it in some log. If the JWT is signed and not encrypted they can leak sensitive information if an attacker has read-access to the log files. Also could be possible a session hijacking attack. So, the OP should be careful using this option – pedrofb Jan 06 '17 at 18:36