So, I’ve been working on a MEAN stack app for a while now, and I need some help with securing routes.

Some details about how the data is organized:

- The app will have multiple firms. Under each firm, there can be multiple users.
- These users can be of different roles (such as client, admin, etc.). Each user can only belong to one firm.
- I want to compartmentalize the data based on user roles. The application has some pages that are only accessible to users of certain roles.
- A single user can have multiple roles. At login or during a session, they can choose the role they would like to use to view the application.

I’ve already implemented JWT-based authentication. There are a couple of downsides to this:

- If a user is already logged in, his token, which is used to authenticate his access to the server, will be stored in the local storage. From what I’ve implemented so far, if the user has access to this data, they can hit the API and get pretty much anything (provided they know the URL for it).
- Say I’m a user for Firm A. Since the backend API routes are the same for all users, I can access the information of all the users in the database (even those who are under different firms). How can I stop this? One way would be to get the user’s firm ID and restrict the access to just that firm, but this has to be done in each controller individually. Also, this still allows them to obtain data for other users in the same firm.
- I have role-specific data stored in the DB. How can I restrict the access to this based on the user role? Is there a way to do this globally?

Thank you for your time, redditors!
Submitted October 03, 2019 at 04:18AM by the-ML-noob