I have an authorization dilemma on an angular/node architecture:
After signin, the user requests permissions from the node REST endpoint. After that, the Angular client takes that and saves it into LocalStorage. That's all well and good, but I'm concerned that there is a chance that a malicious user can go find the permissions in LocalStorage and, quite easily, upgrade his permissions to, say, allowdelete: true and so on. Angular would then happily consume that new permission and allow the user to do whatever he chooses to do (until he hits the API server, where the permission is validated once again before it's carried out).
I've considered two options
Option 1: Wrap the permission up as a JWT
This allows pdr-api to sign the token so that we can check if it's been tampered with.
By taking this option, I gather that I'll need to:
1) Always verify the token before I trust the payload
2) According to this SO post (JWT Verify client-side?), the validation of the signature should only happen on the server.
Option 2: Just grab the permissions anyways and not worry about it
It'll be a known limitation. The risk is relatively low because even if they can get into the unauthorized parts of the app, the API server won't even give it the time of day because they're not authorized.
If I go with Option A, at that point, I might as well just ask the API server every time we need a permission because it would be similar to hitting the server to verify the token... right?
I'm leaning towards Option B. Is that a sound (secure) decision? Anyone have any other ideas? Authentication is handled through cookies and passport.js, so I'm not even worried about that... Just authorization.
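
The server-side re-validation the question relies on, as an added example that is not part of the original post: the API authorizes from its own state, so a permission edited in LocalStorage changes only what the UI shows. `requirePermission`, `SERVER_PERMISSIONS`, `simulateDelete` and the sample users are assumptions constructed for illustration; the middleware follows the Express `(req, res, next)` shape without requiring Express.

```javascript
// Constructed server-side permission store. Assumption: in a real app this is
// loaded from the database for the user passport.js authenticated via cookie.
const SERVER_PERMISSIONS = new Map([
  ['alice', { allowread: true, allowdelete: true }],
  ['bob', { allowread: true, allowdelete: false }],
]);

// Hypothetical Express-style middleware factory: authorizes from server-side
// state only. Nothing the browser sends about its own permissions is read.
function requirePermission(name) {
  return function (req, res, next) {
    if (!req.user) {
      res.statusCode = 401; // no authenticated session
      return res.end('unauthenticated');
    }
    const perms = SERVER_PERMISSIONS.get(req.user.id) || {};
    const granted =
      Object.prototype.hasOwnProperty.call(perms, name) && perms[name] === true;
    if (!granted) {
      res.statusCode = 403; // authenticated, but not allowed
      return res.end('forbidden');
    }
    next();
  };
}

// Drives one DELETE request through the middleware with stub req/res objects
// and returns the resulting HTTP status. `clientClaim` stands in for whatever
// the user edited in LocalStorage and sent along with the request.
function simulateDelete(userId, clientClaim) {
  const req = {
    method: 'DELETE',
    user: userId ? { id: userId } : undefined,
    body: { permissions: clientClaim }, // attacker-controlled, never trusted
  };
  const res = { statusCode: 200, body: '', end(text) { this.body = text; } };
  let handlerRan = false;
  requirePermission('allowdelete')(req, res, () => { handlerRan = true; });
  return { status: res.statusCode, handlerRan };
}

console.log(simulateDelete('bob', { allowdelete: true }));   // tampered claim
console.log(simulateDelete('alice', { allowdelete: true })); // real permission
console.log(simulateDelete(null, { allowdelete: true }));    // not signed in
```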