I am building an Angular app. I am checking the user's roles and then authenticating him or not once he logs in. I am using a web API in Angular. Do web API calls also need to be authenticated per user, or is enabling CORS only for that URL fine?
You not only need to add authentication to your backend but also make sure to authorize all requests based on that authentication. Otherwise you are vulnerable to https://cwe.mitre.org/data/definitions/639.html and others. – eckes Feb 10 '19 at 20:18
1 Answer
Yes, it is necessary. If you have sensitive user data that must not be accessible to others, only enabling CORS is not enough.
There are tools that let you edit your request and fake the origin. So if you have no method of authentication in the API call, external parties can access your API without logging in by faking the origin. More about that in this post: https://medium.com/netscape/hacking-it-out-when-cors-wont-let-you-be-great-35f6206cc646
Citing another post here:
Remember: CORS is not security. Do not rely on CORS to secure your site. If you are serving protected data, use cookies or OAuth tokens or something other than the Origin header to secure that data. The Access-Control-Allow-Origin header in CORS only dictates which origins should be allowed to make cross-origin requests. Don't rely on it for anything more.
That said, if you have to exchange data between the application and the server, you have to authenticate your user in a safe way each time that occurs, after the login, without storing the password. For that you can use sessions or JWT (a nice guide on JWT is the following: http://jasonwatmore.com/post/2018/05/23/angular-6-jwt-authentication-example-tutorial).

Thank you for the detailed information. I upvoted the answer but as I am new to Stack Overflow, I have fewer reputation points. – Sai Kiran Feb 11 '19 at 04:07
It's a good question, I've asked myself the same in the past. The challenge now is implementing an authentication method in a secure way, which can be tricky with SPAs. – Gustavo Morais Feb 11 '19 at 08:11