
I have a requirement where, based on role, I need to activate the route. Please find the code below:

  canActivate(): boolean {
    if (this.login_token) {
      this._Service.getUser(this.login_token).subscribe(
        (data) => {
          if (data.role === 'admin') {
            return true;   // returns from the subscribe callback, not from canActivate
          }
        });
      // canActivate reaches its end (returning undefined) before the HTTP response arrives
    } else {
      return false;
    }
  }

And I have configured my route as shown below:

{path: 'user', children: childRoutes, canActivate: [AuthGuard]}

But even if my guard returns true, I am still not able to route to the user route. Please let me know if I am doing something wrong here. I have already explored a lot of posts on SO about handling async calls in guards, but still no success.

Tavish Aggarwal

1 Answer


You're making an HTTP call at every route change?

Don't.

When you have a token in your front-end, it's better to either

  • Test if the token is a valid one
  • Make a request and let the backend decode the token.

If you make an HTTP call at every route change, not only will this slow down your application, but mobile data users will have to pay for those calls, and they won't like that.

What you should do instead is:

canActivate(): boolean {
  return this.login_token ? true : false;
}

If your backend handles wrong tokens, or

canActivate(): boolean {
  try {
    return this.isTokenValid();
  } catch (error) {
    return false;
  }
}

isTokenValid(): boolean {
  // Test if token exists
  if (!this.login_token) {
    return false;
  }
  // Decode token: assumes a JWT, whose payload is the base64url-encoded middle
  // segment (this only decodes; the signature is verified on the server side)
  const payloadSegment = this.login_token.split('.')[1];
  const payload = JSON.parse(atob(payloadSegment.replace(/-/g, '+').replace(/_/g, '/')));
  // Check if token is not expired (exp is in seconds since the epoch)
  const now = Math.floor(Date.now() / 1000);
  // return a boolean stating if it succeeded
  return typeof payload.exp === 'number' && payload.exp > now;
}

If your backend doesn't handle tokens (but it should, so ...)

Community
  • Yes, agree! Even I don't want to send a call on every route change, but look at my edited question. I want to check if the role is admin. We have used an implementation which is not setting the role in the token. So please suggest how I can do it? – Tavish Aggarwal Jan 24 '18 at 09:56
  • You are still making an HTTP call to check the roles. What you should do is store the roles in the token, decode the token, and check if one of the roles is an admin role, in the `isTokenValid` function. – Jan 24 '18 at 10:00
  • Okay, got your point. One thing is I won't be getting the role in the token from the server. So if I encrypt the role in JavaScript and store it in LocalStorage, won't it be a security issue, as anyone can manipulate the role? – Tavish Aggarwal Jan 24 '18 at 10:06
  • `I wont be getting role in token from server`, Well then, put the roles in the token! **You** choose what to put in the token, so take advantage of it! And yes, it will be a security issue, you should not do that! – Jan 24 '18 at 10:31
  • I am using oauth2-server (https://www.npmjs.com/package/oauth2-server) for token generation, and the token generated by the package is not a role-based token. Still, I am exploring it. And yes, I agree with you. :) – Tavish Aggarwal Jan 24 '18 at 11:09
  • I spent 10 seconds on their documentation and **[I found this](https://oauth2-server.readthedocs.io/en/latest/api/oauth2-server.html#token-request-response-options-callback)** (options.allowExtendedTokenAttributes). This is what I'm talking about :) – Jan 24 '18 at 11:11
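The guard the answer and its comments describe (token present, decodes, not expired, carries the admin role, no HTTP call per navigation), written out as an added example. This is not code from the question, the answer, or oauth2-server. It assumes the token is a JWT whose payload carries the standard `exp` claim in seconds and a custom `roles` array claim; the claim name `roles`, the function names and the sample tokens are all constructed for this example. The last sample deliberately shows the point raised in the comments: a payload the user forged on the client passes this check, so the check is only a routing decision and the backend must still verify the token's signature and authorise every API request.

```javascript
// Added example, not code from the original question or answer.
// A route guard that decides from the token itself, with no HTTP call per
// navigation. Assumptions (not stated on the page): the token is a JWT whose
// payload carries the standard `exp` claim (seconds since the epoch) and a
// custom `roles` array claim; the claim name `roles` is illustrative.

// base64url (RFC 4648 section 5, no padding) -> UTF-8 string.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Return the payload object of a compact JWS (header.payload.signature), or
// null if the string is not shaped like one. The signature is NOT verified:
// the browser holds no key, and the user controls everything in local storage,
// so this is a routing/UX decision only. The backend must verify the token and
// authorise every API request regardless of what the guard decided.
function decodeJwtPayload(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(base64UrlDecode(parts[1]));
    return payload !== null && typeof payload === 'object' ? payload : null;
  } catch (e) {
    return null; // malformed base64url or JSON
  }
}

// Pure check: the token exists, decodes, has not expired, and (if a role is
// required) lists that role. `nowSeconds` is a parameter so expiry can be
// checked against a fixed clock in tests.
function isTokenValid(token, requiredRole, nowSeconds = Math.floor(Date.now() / 1000)) {
  const claims = decodeJwtPayload(token);
  if (!claims) return false;
  if (typeof claims.exp !== 'number' || claims.exp <= nowSeconds) return false;
  if (requiredRole === undefined) return true;
  return Array.isArray(claims.roles) && claims.roles.includes(requiredRole);
}

// The guard body: a synchronous boolean, as the answer recommends. In an
// Angular guard this would read the token from the service instead of a parameter.
function canActivateAdmin(loginToken, nowSeconds) {
  try {
    return isTokenValid(loginToken, 'admin', nowSeconds);
  } catch (e) {
    return false;
  }
}

// --- Constructed sample data (not real tokens) ---------------------------
function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Builds a JWT-shaped string with a dummy signature segment. It exists only to
// feed the decoder above; a real token would be signed by the server.
function makeUnsignedToken(payload) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return header + '.' + base64UrlEncode(JSON.stringify(payload)) + '.signature';
}

const NOW = 1516790400; // fixed clock for the examples: 2018-01-24T10:40:00Z
const SAMPLE = {
  admin:   makeUnsignedToken({ sub: 'alice', roles: ['admin'], exp: NOW + 3600 }),
  user:    makeUnsignedToken({ sub: 'bob',   roles: ['user'],  exp: NOW + 3600 }),
  expired: makeUnsignedToken({ sub: 'alice', roles: ['admin'], exp: NOW - 1 }),
  noExp:   makeUnsignedToken({ sub: 'alice', roles: ['admin'] }),
  garbage: 'not.a.jwt',
};

// The forged token passes the client-side check: this is the comment thread's
// point that anyone can manipulate a role stored on the client. Only the
// server's signature check on each API call makes the role claim trustworthy.
const FORGED = makeUnsignedToken({ sub: 'mallory', roles: ['admin'], exp: NOW + 3600 });

for (const [name, token] of Object.entries({ ...SAMPLE, forged: FORGED })) {
  console.log(name.padEnd(8), canActivateAdmin(token, NOW));
}
```

Run with `node guard-example.js`. Every decision here is made from the token string alone, which is what removes the per-navigation HTTP call; the `forged` line printing `true` is the reason the role check must be repeated server-side on every protected API call, where the signature can actually be verified.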