Which permissions define visibility for SPA pages


I have an ASP.NET React Web Application. For authentication I use Auth0, using the server side (C#) as Backend-For-Frontend (see this blog for more details). So all the client side (React) sees are the cookies the server returns. The cookies are sent along automatically, allowing for easily forwarding the user's access token, without the user ever seeing it. For instance like this:

using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Inside an [ApiController] with _httpClientFactory (IHttpClientFactory) and _apiEndpoint (Uri) injected
[HttpGet]
public async Task Get()
{
    // The access token was stored server-side when the Auth0 cookie session was created; the browser never sees it
    var accessToken = await HttpContext.GetTokenAsync("Auth0", "access_token");
    var httpClient = _httpClientFactory.CreateClient();
    var request = new HttpRequestMessage(HttpMethod.Get, new Uri(_apiEndpoint, "WeatherForecast"));
    // Forward it to the downstream API as a Bearer token
    request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
    var response = await httpClient.SendAsync(request);
    // ...do something with response
}

But what if I also want to hide the UI element corresponding to this endpoint in my client? As mentioned, all the client sees are the cookies. If the weather forecast in this example requires a permission watch:weather_forecast, how would I know whether or not to hide the UI element, when the client doesn't even know the concept of permissions?

My best take on this would be to make an endpoint where the client can fetch the permissions, so that it has something to check against. But on the other hand, this would also mean exposing a lot of what I just managed to hide...

Either way, it feels like this should be a solved problem. Isn't there an existing pattern for this interaction between client and server, when using the Backend-For-Frontend pattern?


1 answer

Greg Fenton

From that blog post, in the UI I would be checking the claims in the return from GetUser() and using the information therein to determine which parts of the UI the user should have access to.

Note: you cannot trust the front-end. The ability to change values via a JS Console or whatnot means that a mildly savvy hacker could "turn on" the parts of the UI that you are disabling via the claims check. So any "sensitive operations" that you'd want to do should be done on the backend, not in the UI itself.
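As an added illustration of this answer (not code from the question, the linked blog, or Auth0), here is a BFF controller that exposes only the user's permission names to the SPA for hiding UI elements, and then re-checks the same permission on the server before forwarding to the API. It assumes .NET 6+ implicit usings, the System.IdentityModel.Tokens.Jwt package, and Auth0's RBAC option "Add Permissions in the Access Token" so that the access token carries a `permissions` claim; `BffController`, the routes and the `Api:BaseUrl` config key are hypothetical names.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[ApiController]
[Route("bff")]
[Authorize] // every action requires the Auth0 cookie session
public class BffController : ControllerBase
{
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly Uri _apiEndpoint; // downstream API base URL; "Api:BaseUrl" is a hypothetical config key

    public BffController(IHttpClientFactory httpClientFactory, IConfiguration config)
    {
        _httpClientFactory = httpClientFactory;
        _apiEndpoint = new Uri(config["Api:BaseUrl"]!);
    }

    // Extracts the "permissions" claims from the access token kept in the auth cookie.
    // Assumes Auth0 RBAC with "Add Permissions in the Access Token" enabled. ReadJwtToken only
    // parses: the token came from our own encrypted cookie, and the downstream API still
    // validates its signature on every forwarded call.
    private async Task<HashSet<string>> GetPermissionsAsync()
    {
        var accessToken = await HttpContext.GetTokenAsync("Auth0", "access_token");
        if (string.IsNullOrEmpty(accessToken)) return new HashSet<string>();
        var jwt = new JwtSecurityTokenHandler().ReadJwtToken(accessToken);
        return jwt.Claims.Where(c => c.Type == "permissions").Select(c => c.Value).ToHashSet();
    }

    // UI gating: the SPA fetches this once and shows or hides elements accordingly.
    // Only permission names leave the server, never the tokens themselves.
    [HttpGet("user")]
    public async Task<IActionResult> GetUser() =>
        Ok(new { name = User.Identity?.Name, permissions = await GetPermissionsAsync() });

    // Enforcement: the server re-checks the permission, whatever the UI showed.
    [HttpGet("weather")]
    public async Task<IActionResult> GetWeather()
    {
        if (!(await GetPermissionsAsync()).Contains("watch:weather_forecast"))
            return StatusCode(StatusCodes.Status403Forbidden);
        var accessToken = await HttpContext.GetTokenAsync("Auth0", "access_token");
        var request = new HttpRequestMessage(HttpMethod.Get, new Uri(_apiEndpoint, "WeatherForecast"));
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        var response = await _httpClientFactory.CreateClient().SendAsync(request);
        return StatusCode((int)response.StatusCode, await response.Content.ReadAsStringAsync());
    }
}
```

The React side calls `/bff/user` and renders the weather element only when `permissions` contains `watch:weather_forecast`; tampering with that response in the browser changes nothing, because `/bff/weather` and the downstream API decide independently.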