
I want to improve the security of my web applications and started to look for current security concepts for Angular >= 10.

So I came across HttpOnly cookies, which seem to be state of the art. Until now, I have only worked with "standard" JWT tokens: I extracted the properties (e.g. iat, exp and my own data) from the JWT and built the related guards based on them.

But if I understood it correctly, as stated here (HTTP Only Stackoverflow Question), the cookie cannot be accessed on the client side.

So my question to you is:

How can I build a role-based guard on the client side without accessing the cookie, and without duplicating the effort by still sending the JWT token via the request header?

Thanks a lot in advance for your comments!

Best regards,
Ragitagha


Update: A related, but not identical, discussion about cookies and JWT is running here: to other related discussion

But I am still missing a "best practice"!

ragitagha

1 Answer

In general, you can't ignore your backend. There should be some access rules implemented on the other end so that only authorized users get the required access. The issue is that any user can easily update local storage or Redux state, so the client side can be compromised.

urDMG
  • I am totally with you, and I already have route guards on my backend. But imagine a frontend with different roles and views, based on the roles within the JWT. Without access to this JWT, I can only return the user object and do it based on the data included there, or return the JWT too. What do you think is the better way? Thanks a lot in advance, best regards Ragitagha – ragitagha Apr 26 '21 at 08:26
  • @ragitagha I was thinking about it for a while and I think that the best thing you can do is to use Angular Universal or dynamic bundles/modules on the server. It sounds like overkill but it will do the job =) It could be automated etc., but it might be a bit complex. Simple token verification on a backend will do the same job and will not allow CRUD for unauthorized users. – urDMG Apr 26 '21 at 17:29
  • Yup, I agree. Funny that a not identical but related discussion is running here: [to other related discussion](https://stackoverflow.com/questions/37582444/jwt-vs-cookies-for-token-based-authentication?rq=1). Thanks a lot! – ragitagha Apr 26 '21 at 17:43
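The pattern the question's author sketches in the comments (keep the JWT in the HttpOnly cookie, have the server return a user object, and build the client guard on that object) can be written down as an added example. This is illustration code, not code from the question, the answer or any Angular project: the `/me` endpoint, the claim names `sub`, `roles` and `exp`, and the helper names are all assumptions, and the JWT signature check that a real backend performs before trusting the payload is assumed and not shown. The guard logic is framework-agnostic so it runs without Angular; an Angular `CanActivate` guard would call `canActivate` with the `SessionInfo` it fetched from `GET /me` through `HttpClient` with `withCredentials: true`, which makes the browser attach the cookie without the script ever reading it.

```typescript
// Added example: role-based client guard without reading the HttpOnly cookie.
// Server side: verify the cookie's JWT, then return only the claims the UI needs.
// Client side: guard routes on that SessionInfo. The backend still enforces
// authorization on every request; the client guard only controls what is shown.

interface JwtPayload { sub: string; roles?: string[]; iat: number; exp: number; }

// What GET /me returns (assumed endpoint and shape): no token, no signature.
interface SessionInfo { userId: string; roles: string[]; expiresAt: number; }

function base64UrlDecode(s: string): string {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(s: string): string {
  return Buffer.from(s, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Server-side projection. Assumes the signature was already verified by the
// JWT library in the auth middleware; only the payload is decoded here.
function sessionInfoFromVerifiedJwt(jwt: string): SessionInfo {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const payload = JSON.parse(base64UrlDecode(parts[1])) as JwtPayload;
  return { userId: payload.sub, roles: payload.roles ?? [], expiresAt: payload.exp };
}

// Client-side guard decision: session present, not expired, all required roles held.
// nowSeconds is injected so the decision is deterministic and testable.
function canActivate(session: SessionInfo | null, requiredRoles: string[], nowSeconds: number): boolean {
  if (session === null) return false;
  if (session.expiresAt <= nowSeconds) return false;
  return requiredRoles.every((r) => session.roles.includes(r));
}

// Constructed demo token for this example only: header + payload with a dummy
// signature segment. A real token's signature is checked server-side before
// sessionInfoFromVerifiedJwt is ever called.
function makeDemoToken(payload: JwtPayload): string {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = base64UrlEncode(JSON.stringify(payload));
  return `${header}.${body}.demo-signature`;
}

// Stand-alone run: simulate the server turning the cookie's JWT into /me output,
// then the client guarding an admin-only route with it.
const demoToken = makeDemoToken({ sub: "user-42", roles: ["user", "admin"], iat: 1000, exp: 2000 });
const demoSession = sessionInfoFromVerifiedJwt(demoToken);
console.log("admin route at t=1500:", canActivate(demoSession, ["admin"], 1500));
console.log("admin route at t=2500 (expired):", canActivate(demoSession, ["admin"], 2500));
```

The split keeps the token itself out of script-reachable storage: the client only ever holds `SessionInfo`, which is harmless to expose because the server never trusts it; every protected API call still carries the cookie and is authorized server-side.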