
I have a website with Angular. I implemented the auth with JWT. I know we can prevent the user from going to restricted routes with an Angular Route Guard.

Usually in SPAs all routes (HTML) are downloadable. We just handle unauthorized routes on the server by responding with a 403 code. So it's safe: the user can see the HTML but can't get any data. But in a specific project, we don't even want the user to be able to see the HTML of the admin panel (since he can learn about its structure).

Any idea? Should I use the usual scenario with a Route Guard, or should I just have a separate panel (for example, within an unknown directory)?

Vahid Najafi
  • You can just lazy load those routes and no HTML will be sent to unauthorised users. – Roberto Zvjerković Jun 22 '19 at 17:09
  • @ritaj I've already used lazy loading. But I don't think it solves the problem. I will rely on the token which is saved in browser storage (either localStorage or a cookie). Then I must decode my `jwt` to see if it's admin or not. (So the user can do it too.) – Vahid Najafi Jun 22 '19 at 18:04
  • What's wrong with it? – Antoniossss Jun 22 '19 at 22:16
  • So if you resolve the route loading as false for non-admins, no HTML will be sent to the browser. – Roberto Zvjerković Jun 23 '19 at 08:26
  • @Antoniossss What else do you need to know? As I described, I don't want the user to be able to download admin templates. – Vahid Najafi Jun 23 '19 at 14:02
  • @ritaj How should I evaluate `non-admins`? That's either a flag from the server or inside the JWT token. In both cases the user can cheat and give the wrong value to my guard. – Vahid Najafi Jun 23 '19 at 14:05
  • And I've asked what is wrong with route guards. – Antoniossss Jun 23 '19 at 19:15
  • How are you going to download the file without knowing its name (prior to lazy loading, you won't)? – Antoniossss Jun 23 '19 at 19:29
  • @Antoniossss I mentioned it in my last comment. Am I missing something? – Vahid Najafi Jun 24 '19 at 05:14
  • All you say is that "you don't think it solves the problem". *Am I missing something?* You are missing actual argumentation as to why that is. – Antoniossss Jun 24 '19 at 06:36
  • @Antoniossss I mean this comment: How should I evaluate non-admins? That's either a flag from the server or inside the JWT token. In both cases the user can cheat and give the wrong value to my guard. – Vahid Najafi Jun 24 '19 at 06:43
  • If you are afraid of being debugged, you will have to secure the GET endpoint path that serves the given module; that's server side. – Antoniossss Jun 24 '19 at 06:47
  • But I don't have any API for client-side routes. How can it be possible? – Vahid Najafi Jun 24 '19 at 07:09
  • What do you mean, API for client-side routes? You do know that lazy loaded modules are fetched when required and not prefetched, right? So there is an additional GET when you load a module that gets the actual module JS. Secure that action on the server side. – Antoniossss Jun 24 '19 at 09:04
  • I know how lazy loaded modules work, but for a basic app, Angular takes care of it. I don't know how to handle it in my Angular application (I mean having an additional GET when I load a module that gets the actual module JS). – Vahid Najafi Jun 24 '19 at 11:19

1 Answer

You can secure backend APIs with an admin token, so any user who wants to get/post/delete any critical data needs a valid token that lets him access it.

Never put your 'secret key' or any authentication decoding data in the front end.

In Node.js you can add an admin middleware that checks if the user is an admin or not (after decoding the token sent from the front-end website).

Check this article; it might help.

nodejs securing api's

Abdulrahman Falyoun
Hassen Fadhlaoui
  • Frontend routing has nothing to do with the backend. – Vahid Najafi Jun 22 '19 at 18:04
  • As I mentioned in the question, I've already secured the API. – Vahid Najafi Jun 22 '19 at 18:05
  • @VahidNajafi you are wrong. After all, the backend serves the FE initially. This is the moment you can apply security. – Antoniossss Jun 24 '19 at 06:48
  • Never had to do that, so no. But it's straightforward. The module JS is named `123151829412491501u512something.js` (that is generated at build time). You have to secure access to that file. So that includes dynamic server configuration settings. In Apache httpd this can probably be done with .htaccess. You would have to figure out how to secure the endpoint based on the required rules, and then you would only have to inject the JS filename into .htaccess, as part of the build script or at least in the distribution package. IDK if something similar is available on nginx. – Antoniossss Jun 24 '19 at 09:05
  • Thank you for the information. I must search about it; maybe I could find something that implements this feature. – Vahid Najafi Jun 24 '19 at 11:20