0
votes

I'm currently learning authentication and authorization by developing a simple web application using .NET Core and React. I have my backend set up with a bunch of protected routes using JWT. Right now, after logging in, I get an access token, a refresh token and the current user role and store them in a cookie. This works fine; however, if the user were to edit his role to, let's say, Admin, I would run into some issues. He still does not have access to admin endpoints, as the server gets the actual role from the access token, but the admin's user interface is rendered. There is a similar issue with the token itself: in my current implementation the user is considered to be authenticated if the cookie is not undefined, so a guest user could put some gibberish in there and also see some navigation components he is not supposed to see. I see a lot of examples online of people using localStorage for storing user information, but I think this would run into the same issue. My main question is whether this is a big security problem in the first place (as the user only gets to see some extra buttons which do nothing when clicked) and, if it is, what is a good way to solve it? I was thinking about getting the current user role from the server (and validating the token itself at the same time), but I would need to do that every time I want to render a navigation component, so it sounds pretty clunky.

1
1) localStorage is a good way. 2) You will probably duplicate logic between the client and server pieces to provide the best user experience. 3) Periodically re-check the current user's authorization from the client by calling the server, updating localStorage and altering your UI. 4) Ideally these changes are infrequent. 5) The cache duration is how long you can allow a user to change from admin to non-admin or valid to revoked. 6) Consider creating an authorization attribute you can apply at the controller class level to handle "admin" functions and pay the price of checking on every call. - No Refunds No Returns

1 Answer

0
votes

Tokens in JWT are designed to not be modifiable by anyone (the content of the token would not match its signature); if the permissions change, for example by acquiring admin rights, the backend needs to serve a new token.

Concerning security: You should always let the backend check the JWT token and whether the user is allowed to perform the specific action, based on the information provided within the token (e.g. role or permission).

Displaying admin pages or hiding them is solely a user service, not a security concept. That way someone could change the localStorage however they like and possibly view the admin pages, but cannot actually perform any admin-related operations in the backend systems.