Angular2 share and mantain user secure data in all components

1
votes

I have an angular2 app that authenticates through OAuth2 with password grant type. I store the session token on sessionStorage, and I need to store another data more secure, like user current roles.

I know that I can store more information in sessionStorage or localStorage, but this is easy modified by user. Although really, if the user modifies the sessionStorage, my backend is secured because check the token against user roles.

What happens is that if the user modifies his role he could see some hidden options, and i dont want this.

I think of two solutions, and i want listen some tips.

  1. Save the role in sessionStorage encrypted, suggestion about this? what encryptation i should use?
  2. Having a global service like is explained on angular docs, which is used by my navbar-component and load data on ngOnInit (because routes).

Any suggestion? Thanks.

1
securityangulartypescript
Even if they see hidden options, they shouldn't be able to act on any of them because you should be authenticating and checking permissions in your backend. I would make a service where you hold all of this information, and not worry about encrypting it.Steveadoo

1 Answers

2
votes

We have in our dashboard the same case of yours.

Approaching the second option its a bit messy because you need to think what happen if the user reloads the page. The service when you are reloading the page will loose the data and you will not know what where the roles for the user. You can fix this issue by running http in the app component when init.

For the case of encrypting read this: https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage

For now we use the approach of a Global Service. (Service are Singelton)