How to check access rights (roles) on the client and server?
Hello,
I am writing an API on Node.js + Express.js (a separate API server).
The client is on Nuxt.js (SSR), and an Android app is also planned.
Authorization is implemented with JWT.
The question is how role-based access checks are implemented for the client. For example, for Nuxt.js you can pull the check for a specific route from the API server (the page is first rendered on the Nuxt client-server). Then how will things work for dependent components, and will such a process be redundant? For example, we go to the post page, the server requests the API to view the page, then renders it and gives it to the user; the user clicks a button and, depending on their rights, the required component is rendered. How do you safely check access control for the desired component? The question arose from the understanding that on the client all of this can be changed by hand in the code. In general, tell me how you can safely check user rights to pages and components. Alternatively, you can send them in a token, but as far as I understand this option is also not safe.
You can do anything on the client, but the server should not care. Even if someone digs down to the delete user button (v-show=false, for example), you, as the backend, should not care: if there are no rights to access this method, it should not be executed. And the UI just has to follow the server: no access, no elements on the page. In any case, v-router has hooks with which you can check access to transitions. If you can cache the access model well, this will not incur overhead costs for rendering.
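The server-side enforcement described in the answer, as an added example that is not part of the original thread: an Express-style middleware that verifies an HS256 JWT and checks a `role` claim before the handler runs, so hiding or revealing a button on the client changes nothing. The `role` claim, `SECRET`, and the helpers `signToken`, `verifyToken`, `requireRole` and `check` are assumptions for illustration; only Node's built-in `crypto` is used.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'demo-secret-for-example-only'; // constructed value; load from config in practice
const b64url = (s) => Buffer.from(s).toString('base64url');

// Issue an HS256 token (used here only to build sample input).
function signToken(payload, secret = SECRET) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac('sha256', secret).update(`${head}.${body}`).digest('base64url');
  return `${head}.${body}.${sig}`;
}

// Return the claims if signature, algorithm and expiry check out, otherwise null.
function verifyToken(token, secret = SECRET) {
  const parts = String(token || '').split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  try {
    // Pin the algorithm instead of trusting whatever the header claims.
    if (JSON.parse(Buffer.from(head, 'base64url').toString()).alg !== 'HS256') return null;
    const claims = JSON.parse(Buffer.from(body, 'base64url').toString());
    if (typeof claims.exp === 'number' && claims.exp * 1000 <= Date.now()) return null;
    return claims;
  } catch { return null; }
}

// Middleware factory, e.g. app.delete('/users/:id', requireRole('admin'), handler)
function requireRole(...allowed) {
  return (req, res, next) => {
    const m = /^Bearer (.+)$/.exec(req.headers.authorization || '');
    const claims = m && verifyToken(m[1]);
    if (!claims) return res.status(401).json({ error: 'unauthenticated' });
    if (!allowed.includes(claims.role)) return res.status(403).json({ error: 'forbidden' });
    req.user = claims; // handlers read the verified claims, never client-supplied flags
    return next();
  };
}

// Stand-in for the Express req/res pair so the check can be exercised offline.
function check(token, ...roles) {
  let status = 200;
  const res = { status(c) { status = c; return this; }, json() { return this; } };
  requireRole(...roles)({ headers: token ? { authorization: `Bearer ${token}` } : {} }, res, () => {});
  return status;
}
```

A token whose payload was edited on the client to claim `admin` fails the signature check and gets 401, while a valid `user` token on an admin-only route gets 403.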