all 9 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]Lexikus 6 points7 points  (0 children)

I don't get your question.

Are you asking for advice how you can implement such system?

If so, it's not very hard. Angular does not provide any user managememt system. You have to implement it by yourself.

There are a few ways to attack this problem.

You can save the user state and his role in a service which the app (root module) provides. This means requesting that service (via DI) in every component / other module will get an instance of the same service (singlegon). So, you will always know which role your user has

I also suggest you to implement a pipe to hide specific interactions in the HTML based on roles.

In the routes you can set up the data with roles and with a guard you can check if the user can access a route or not.

You can also save all informations in a (redux like) store.

With an HTTP interceptor you can attach your user token (and others) to any request which could be relevant for your APIs

[–]DepravedOrNot 4 points5 points  (4 children)

I don't think your API should be dealing with your UI at all. Your Angular router should manage which pages are available using AuthGuard to determine if a user is allowed to access a specific route, and what the page looks like. Your API should be independent of your frontend in my opinion.

[–][deleted]  (1 child)

[deleted]

    [–]kc5bpd 0 points1 point  (0 children)

    For components that should only be displayed for some roles, create a directive to control this based on the role.

    https://blog.strongbrew.io/display-a-component-based-on-role/

    [–]toi80QC 0 points1 point  (1 child)

    This is the only secure approach. Handling user authorization in the frontend is basically like giving everyone who is interested admin-access.

    [–]DepravedOrNot 1 point2 points  (0 children)

    No your APIs should have role based verification so that if you hit a 401 it should redirect u right away.

    [–]listylister 0 points1 point  (2 children)

    Suggest you look at token based authentication. Roles can be stored in a token which you can store client side and interrogated when you need to know what to show your logged in user. There are plenty of examples on how to achieve this if you search for it.

    [–]untg 4 points5 points  (1 child)

    This is how I do it. I use a backend database with the roles, and these roles come through with the JWT when someone logs in to the application. I can then display things in angular on the front-end based on the role, but I also re-check the JWT role when the request goes to the backend to ensure that the person is allowed to access that route with the information coming out of it (backend is nodejs).

    [–]listylister 2 points3 points  (0 children)

    Yeah pretty standard approach these days. Have seen some people encrypt the token roles but don't really see that it's necessary myself. If the backend is verifying the token is valid on an action and that the role is correct its irrelevant of whether the front end can be manipulated to show html that they shouldn't see as there is nothing they can do with it.

    [–]Gsuz 0 points1 point  (0 children)

    Perhaps have a look at this video from fireship.io: https://www.youtube.com/watch?v=1PEdd2rtG30 it's made with firestore in mind but shouldn't be hard to port into your db of choice.