0

I have the following scenario: an Angular 4 web app that consumes a Node.js REST API, which uses a company wide REST authentication service.

This REST authentication services returns a JWE token which I can decrypt using node-jose library, then my Node.js API checks the user's role to decide if he's allowed to use the web app.

Depending on the user role, the Angular web app may allow/deny the access to some routes, thus I'm using Guard routes.

So, my question is: Is it possible to append the user role to the original JWE token and return it to the Angular web app while still keeping it valid?

The request of the token and return to the web app is just this:

request.post('http://security.companyname.com/service/security/auth')
            .send({ username: req.body.username, password: req.body.password })
            .set('Content-Type', 'application/json')
            .then(authResult => {
                    res.json({
                        status: true,
                        token: authResult.text,
                        error: null
                    });
            })
            .catch(err => {
                res.json({ status: false, token: null, error: err.message });
                console.log(err.message);
            });
juliano.net
  • 7,982
  • 13
  • 70
  • 164
  • i dont think that's possible, as backend would reject that token, and if u are able to modify it from front end it just defeats the purpose of security – Dhyey Oct 30 '17 at 12:38

1 Answers1

1

No, if it were possible anyone could generate valid tokens. A JWT is signed with a secret key and any alteration to the content will invalidate the signature and the server must reject the token.

To create a valid token your application would need the secret key, and since you are working in a web application, the key would be unprotected in client side. You need to request server for a new token

pedrofb
  • 37,271
  • 5
  • 94
  • 142