I'm trying to protect routes with two subscriptions: Gold and Platinum. At the moment, I've created a new canActivate guard for each subscription:

```typescript
{
    path: 'messages',
    component: MessagesComponent,
    canActivate: [AuthGuard, PlatinumSubscription]
},
{
    path: 'inbox',
    component: InboxComponent,
    canActivate: [AuthGuard, GoldSubscription, PlatinumSubscription]
},
```

Is there a better way to validate their subscription without creating brand new canActivate classes?

Aluan Haddad
mtchdev
  • 1
    In my opinion you are doing it right. Keeping guards to "single purposes" has helped me a lot, makes it much easier to apply them as needed and makes them much easier to reason about. Since you sometimes need multiple subscriptions for a route, having multiple guards is a good pattern. – Jason Awbrey Nov 24 '19 at 15:05
  • I agree with Jason but it's worth noting that your guards are not really protecting anything. You need server side access restrictions to actually implement what you've described – Aluan Haddad Nov 24 '19 at 17:15
  • To further secure on the server side like Aluan suggested, the token that your server hands out when the user signed in can contain additional information, such as their role, subscription type etc... Then on your server side you can validate the request with that token to see if they're allowed. – noobius Nov 24 '19 at 17:30
  • 1
    Also note that if you want to have such protection for **lazy-loaded modules**, you should use `CanLoad` instead of `CanActivate`. The former **won't load** the module if the guard returned false, whereas the latter will load the module, even though it won't be shown to the user. – Andrei Gătej Nov 24 '19 at 22:11
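
The server-side check that the comments by Aluan Haddad and noobius describe, as an added example that is not part of the original thread: the API verifies the signed token itself and reads the subscription from it, so bypassing the Angular guards gains nothing. The `/api/...` paths, the `subscription` claim name, the HS256 shared secret and the any-of route policy are assumptions.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

type Claims = { sub: string; subscription: string; exp: number };

// Assumed policy (any-of): subscription tiers allowed to call each API route.
const ROUTE_POLICY: Record<string, string[]> = {
  "/api/messages": ["platinum"],
  "/api/inbox": ["gold", "platinum"],
};

const enc = (obj: object): string =>
  Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part: string): any =>
  JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const sign = (input: string, secret: string): string =>
  createHmac("sha256", secret).update(input).digest("base64url");

// Constructed helper so the example can mint its own sample tokens.
function issueToken(claims: Claims, secret: string): string {
  const head = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}`;
  return `${head}.${sign(head, secret)}`;
}

// Returns the claims only if signature, algorithm and expiry all check out.
function verifyToken(token: string, secret: string, nowSec: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  const [header, body, sig] = parts;
  const expected = Buffer.from(sign(`${header}.${body}`, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    // Pin the algorithm rather than trusting whatever the header claims.
    if (dec(header).alg !== "HS256") return null;
    const claims = dec(body) as Claims;
    return typeof claims.exp === "number" && claims.exp > nowSec ? claims : null;
  } catch {
    return null;
  }
}

// HTTP status the API should answer with for this route and bearer token.
function authorize(route: string, token: string, secret: string, nowSec: number): number {
  const claims = verifyToken(token, secret, nowSec);
  if (!claims) return 401; // missing, forged or expired token
  const allowed = ROUTE_POLICY[route] ?? []; // unknown route: deny by default
  return allowed.includes(claims.subscription) ? 200 : 403;
}
```

The Angular guards can read the same claim to decide what to show, but only the server's answer decides what data is returned.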

0 Answers