Angular 7 - what is the best approach for guards
I'm new to Angular. I have covered a few Angular tutorials and, as a backend developer, I am wondering how it is acceptable that a user can navigate to protected templates with a fake JWT... In my app, I created /dashboard with a guard:

    { path: 'dashboard', component: HomeComponent, canActivate: [AuthGuard] }

The body of my guard method:

    canActivate(): boolean {
      // Purely local check: is there a token in localStorage that has not expired?
      if (this.authenticationService.isAuthenticated()) {
        return true;
      } else {
        // Not authenticated (as far as the browser can tell): back to the login route.
        this.router.navigate(['/']);
        return false;
      }
    }

whereas isAuthenticated is a service method (I use angular2-jwt as jwtHelper):

    isAuthenticated(): boolean {
      const token = localStorage.getItem('token');
      if (!token) { return false; }
      // isTokenExpired only decodes the payload and compares exp with the current
      // time; it does not (and, without the secret, cannot) verify the signature.
      return !this.jwtHelper.isTokenExpired(token);
    }

I can put any JWT into my local storage and it passes, because the check only verifies that the JWT has a valid format. Even if I add an interceptor which forbids fetching data from the server, the user is still able to navigate to a protected template. I don't accept that solution. What is the best approach to handle that? Should every navigation between templates (e.g. /dashboard -> /admin) be requested from the server to check if the JWT is valid? If so, how to achieve that? Otherwise, what is the best practice to make my protected templates invisible for authenticated users and make them invulnerable to a fake JWT?

Tagged: angular

asked 19 hours ago by mike927

  • I don't accept that solution: why? Anything the user might see by cheating like that is some static HTML code that is in the bundle that is already downloaded, or data that the page fetches from the server. But the server should prevent him/her from downloading this data if the JWT token is fake. So there's no security problem. Actual security checks must be on the server. The guards exist for ergonomic reasons.
    – JB Nizet
    19 hours ago

  • Does it really matter though? The user will only view HTML without data, so it shouldn't be a problem. edit: Exactly like @JBNizet said
    – Maciej Kasprzak
    19 hours ago

  • hmm, so it is OK if any user can go into the admin panel to check what it looks like? (I know he won't see any data, but still, it's weird to me that he can do it)
    – mike927
    19 hours ago

  • If you don't want a user to even see the code of an admin panel, then make it a lazy loaded module, and prevent it from being downloaded on the server. But really, nobody cares what the admin panel looks like.
    – JB Nizet
    19 hours ago

  • If the user is sophisticated enough to put a fake user token into local storage, he is likely sophisticated enough to change the code of your auth guard so it always returns true ...
    – meriton
    19 hours ago

1 Answer
Have you looked into JWT claims? You could put metadata in there that tells you something about the user's access rights that you could use to determine whether or not the user should have access to the route. See: https://jwt.io/introduction/

answered 19 hours ago by Brother Woodrow

  • Well, I am not sure if you got me correctly. JWT works fine every time it's checked on the server side. My doubt was whether it's OK if the user can navigate to another protected template with a fake JWT in local storage. Is that clear to you?
    – mike927
    19 hours ago
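The point made in the question, in JB Nizet's comments and in the answer, worked as an added example (this is not code from the question, the answer or angular2-jwt): the guard in the question can only decode the token and compare `exp` with the clock, so a token the user pastes into localStorage with a made-up signature and a `role: 'admin'` claim passes it, while the server, which holds the HS256 secret, rejects that same token and therefore never serves the admin data or, as JB Nizet suggests, the lazy-loaded admin chunk. It also shows the answer's idea of a role claim driving access, with the caveat that the claim is only meaningful after the signature check. The function names (`signHs256`, `verifyHs256`, `serverAllows`), the paths, the secret and the tokens are constructed for this example; it needs Node's `crypto` module.

```typescript
// Added example: both ends of the JWT flow discussed in the thread. Names,
// paths, secret and tokens are hypothetical and constructed for illustration.
import { createHmac, timingSafeEqual } from 'crypto';

type Role = 'user' | 'admin';
interface Claims { sub: string; role: Role; exp: number; } // exp in seconds

// Constructed secret; a real one lives only in the server's configuration.
const SERVER_SECRET = 'example-only-secret';

const toB64url = (b: Buffer): string =>
  b.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s: string): Buffer =>
  Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
const HEADER = toB64url(Buffer.from(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));

function parseClaims(json: string): Claims | null {
  try { return JSON.parse(json); } catch { return null; }
}

// Server side: mint an HS256 token, as a login endpoint would.
function signHs256(claims: Claims, secret: string): string {
  const payload = toB64url(Buffer.from(JSON.stringify(claims)));
  const sig = toB64url(createHmac('sha256', secret).update(`${HEADER}.${payload}`).digest());
  return `${HEADER}.${payload}.${sig}`;
}

// What anyone can do in the browser: build a well-formed token with any claims
// and a garbage signature. Nothing on the client can tell it from a real one.
function unsignedToken(claims: Claims): string {
  const payload = toB64url(Buffer.from(JSON.stringify(claims)));
  return `${HEADER}.${payload}.${toB64url(Buffer.from('not-a-signature'))}`;
}

// Client side: the same check as the guard in the question (angular2-jwt's
// isTokenExpired): decode the payload, compare exp with now. No secret, no
// signature check, so it is a UX convenience, not a security boundary.
function clientSideIsAuthenticated(token: string | null, nowMs = Date.now()): boolean {
  if (!token) return false;
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const claims = parseClaims(fromB64url(parts[1]).toString('utf8'));
  return claims !== null && typeof claims.exp === 'number' && claims.exp > nowMs / 1000;
}

// Server side: recompute the HMAC and compare in constant time before believing
// any claim. Returns the claims only for a genuine, unexpired token.
function verifyHs256(token: string, secret: string, nowMs = Date.now()): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const expected = createHmac('sha256', secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = fromB64url(parts[2]);
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  const claims = parseClaims(fromB64url(parts[1]).toString('utf8'));
  if (claims === null || typeof claims.exp !== 'number' || claims.exp <= nowMs / 1000) return null;
  return claims;
}

// Role required per path. The lazy-loaded admin chunk is gated exactly like the
// admin API (the "prevent it from being downloaded" part); main.js is public.
const REQUIRED_ROLE: Record<string, Role | null> = {
  '/main.js': null,
  '/api/dashboard': 'user',
  '/admin-module.js': 'admin',
  '/api/admin/users': 'admin',
};
const RANK: Record<Role, number> = { user: 1, admin: 2 };

// Server-side decision for one request, given its Authorization header.
function serverAllows(path: string, authHeader: string | undefined, secret: string, nowMs = Date.now()): boolean {
  if (!(path in REQUIRED_ROLE)) return false;            // unknown path: deny
  const needed = REQUIRED_ROLE[path];
  if (needed === null) return true;                       // public asset
  if (!authHeader || !authHeader.startsWith('Bearer ')) return false;
  const claims = verifyHs256(authHeader.slice('Bearer '.length), secret, nowMs);
  return claims !== null && RANK[claims.role] >= RANK[needed];
}

// Constructed scenario: a genuine 'user' token versus one the user forged in
// localStorage with role 'admin' and the same expiry.
const NOW_MS = 1_700_000_000_000;
const EXP = Math.floor(NOW_MS / 1000) + 3600;
const genuine = signHs256({ sub: 'alice', role: 'user', exp: EXP }, SERVER_SECRET);
const forged = unsignedToken({ sub: 'alice', role: 'admin', exp: EXP });

// The guard's check accepts both tokens; the server accepts only the genuine one.
console.log(clientSideIsAuthenticated(genuine, NOW_MS), clientSideIsAuthenticated(forged, NOW_MS)); // true true
console.log(serverAllows('/admin-module.js', `Bearer ${forged}`, SERVER_SECRET, NOW_MS));          // false
console.log(serverAllows('/api/dashboard', `Bearer ${genuine}`, SERVER_SECRET, NOW_MS));           // true
```

`verifyHs256` is what a backend JWT library does on every request, which is why the per-navigation round trip the question asks about adds nothing: the client guard only decides what to show, the server decides what to return, and a forged token changes the first but never the second.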










