I'm not very experienced in JavaScript programming or Angular app development, but my general understanding is that when JavaScript reaches the client, it can be tampered with.

I've come across some sample implementations of role-based authorization in Angular apps where the user roles are sent to the client on successful login (even though they are using JWT, which is supposed to be "self-contained"). The user role values are then saved on the client side (local storage or a variable) and used in a canActivate route guard.

(I'm aware that the values used in canActivate only decide whether to activate the route and render the component in question, and that the real role validation happens on the server side when the component code tries to fetch data.)

My question is, can these client-stored values be tampered with, or does Angular have any ability to provide any code safety?

Thanks in advance.

atiyar
    _"can these client-stored values be tampered with?"_ - Anything on the client side can be tampered with. – Joseph Sep 28 '19 at 12:18
  • Yes, they are always at risk. There are a few libraries for client-side data encryption which you can try before saving to storage or cookies to make it harder for any attack, e.g. https://www.npmjs.com/package/simple-crypto-js – Bilal Siddiqui Sep 28 '19 at 12:22

1 Answer

Yes.

All code running within a browser, and all the data, is subject to manipulation by the user.

You don't even know that it is a browser running the code; it could be some other tool designed specifically to subvert your application.

Richard