
So I am inheriting a team and a large project that should have been built with a RESTful back end. For the time being it is only reporting, and we all agree to build out a web API (separate project), using AngularJS in the current MVC project, and slowly migrate everything to the web API back end.

There is a lot of authentication built already in the MVC project, so I was thinking: if I generated a token that indicated the roles the person had and passed it to the AngularJS front end, the front end could pivot the screen (such as read vs. write capabilities) based on the token, and then for authentication the web API would expect that same token to come through.

What thoughts do you guys have on this?

It should work, as long as you keep the first rule of Web APIs in mind: you can't trust that the information you receive hasn't been tampered with or that it has been validated. So, you can't trust that you receive the same token back; you have to check on the server that the token matches what you sent out.

Commented Nov 1, 2015 at 7:03

1 Answer


I think you will fall down on the practicality of this solution.

Embedding the roles in the key can be done, no prob, but it will provide no extra security for client side functionality.

If you are retrieving the data for, say, a form which may be editable, simply include an IsEditable field in the data and have the server do the hard work rather than trying to code it all in JS.
