I'm trying to implement JWT authentication and authorization, however I'm worried about JWT tampering in the front-end part. I got the backend working smooth and safe now. Now I'm implementing JWT authorization and authentication in Angular 5. I'm a beginner at implementing JWT tokens so bear with me and hopefully you people can shed some light on this.
I know that whenever you tamper the token, the JWT gets invalidated because of the signature. The backend will then refuse to process the request, however suppose the following scenario in the frontend:
1 - Evil user logs in with a normal account and receives a JWT token from the backend.
2 - Evil user tampers with JWT token by adding an extra "admin" role to the payload (this invalidates the jwt)
3 - Evil User tries to access a protected route holding the tampered JWT token
4 - Route guard checks whether token is expired (by checking the expiry claim in the payload?)
5 - User decides to tamper the JWT again to increase the JWT expiry claim (The JWT token is still invalid according to the backend)
6 - Route decodes the JWT and sees that the JWT is not expired and that the user has the admin role and gives access to the page the evil user and sees the rendered HTML (Backend operations are safe because the token gets validated first)
Am I missing something? How can I prevent this from happening? I want to prevent the user from accessing the page even if it would be half-working.
