"Conditional Components Visibility" How is that in terms of performance? Instead of doing ngIf in the constructor once, we do checks for each HTML tag. If I have 100 buttons, I iterate the forRoles() method many times. Thank you for your courses!
Mihai 👋 I am not sure if I understand "iterate the forRoles() method many times". You don't have to check the visibility for each HTML tag. Just apply the directive to the components that require it. Does it make sense?
Can you please explain how to add CORS access to the external API so that the browser does not block it on the basis of the CORS policy? This part was missing in the video.
Thank you for your clear explanation regarding the two different ways of authentication in web applications, including their good and bad parts.
😂😂 I can send any invalid token, and then I intercept the *RESPONSE* traffic from the backend (all this can be done with Burp Suite), then I modify the response as if it were a simple notepad, making it look like the token was valid with a status 200, and also add some valid headers to that response. Doing this, Angular will see that the token has been "valid" and would give me access to pass the Guard. Therefore protecting routes on the client side is not secure. The only thing that can be protected are things on the server side; on the client, protecting something is a 💩
Yes, that is correct. Who said that this cannot be bypassed? I think you missed the point here. 😋 You can even download the whole JS bundle from the server and read it and stick a "HACKER" on your forehead... 😂
Hi Bartosz, thanks for this content. Also, I am unable to see the newly streamed video on *Role based authentication*. Can you please provide a link or a way to access that video?
One question - I can bypass the login screen by creating a key-value pair manually in localStorage named JWT_TOKEN. Now I know that the random number API call will fail because the token I have manually created in localStorage will be invalid, but still being able to bypass the login screen like this feels wrong. Is there any better way of implementing the isLoggedIn() method in auth.service?
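As an added example for the two comments above (not the course's auth.service, and not Angular code): a TypeScript isLoggedIn-style check that goes further than "does the JWT_TOKEN key exist" by parsing the JWT payload and comparing its exp claim with the current time. The base64url helpers, the JwtPayload fields and the sample token builder are assumptions of this example; the placeholder signature is there to make the point from the earlier comment that the client can never verify the token, only the server holding the key can.

```typescript
// Added example, not the course's code. A client-side "is this token still
// usable?" check: well-formed JWT with a numeric `exp` in the future. It is a UX
// convenience only; the signature is not (and cannot be) checked here.

const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Unpadded base64url of an ASCII string (assumption: ASCII payloads only).
export function base64UrlEncode(s: string): string {
  let out = '';
  for (let i = 0; i < s.length; i += 3) {
    const b0 = s.charCodeAt(i);
    const b1 = i + 1 < s.length ? s.charCodeAt(i + 1) : -1;
    const b2 = i + 2 < s.length ? s.charCodeAt(i + 2) : -1;
    out += B64URL[b0 >> 2];
    out += B64URL[((b0 & 3) << 4) | (b1 < 0 ? 0 : b1 >> 4)];
    if (b1 >= 0) out += B64URL[((b1 & 15) << 2) | (b2 < 0 ? 0 : b2 >> 6)];
    if (b2 >= 0) out += B64URL[b2 & 63];
  }
  return out;
}

// Inverse of the above; returns null on any character outside the alphabet
// instead of guessing, so a hand-typed localStorage value fails cleanly.
export function base64UrlDecode(s: string): string | null {
  let acc = 0, n = 0, out = '';
  for (let i = 0; i < s.length; i++) {
    const v = B64URL.indexOf(s[i]);
    if (v < 0) return null;
    acc = (acc << 6) | v;
    n += 6;
    if (n >= 8) {
      n -= 8;
      out += String.fromCharCode((acc >> n) & 0xff);
      acc &= (1 << n) - 1;
    }
  }
  return out;
}

export interface JwtPayload { exp?: number; sub?: string; roles?: string[] }

// Split `header.payload.signature` and decode the middle part; null if malformed.
export function parseJwtPayload(token: string): JwtPayload | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const json = base64UrlDecode(parts[1]);
  if (json === null) return null;
  try {
    const obj = JSON.parse(json);
    return typeof obj === 'object' && obj !== null ? (obj as JwtPayload) : null;
  } catch {
    return null;
  }
}

// What isLoggedIn() can check on the client: a parseable payload whose `exp`
// (seconds since epoch) is still in the future. `nowSeconds` is injected so the
// check is deterministic.
export function tokenLooksUsable(token: string | null, nowSeconds: number): boolean {
  if (!token) return false;
  const p = parseJwtPayload(token);
  return p !== null && typeof p.exp === 'number' && p.exp > nowSeconds;
}

// Constructed sample token for the example; the signature is a placeholder
// because only the server can produce or verify a real one.
export function makeUnsignedSampleToken(payload: JwtPayload): string {
  const header = base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-signature`;
}
```

The value of this check is only that a hand-typed, truncated or expired token is rejected before any request is made and the user is sent back to the login form immediately; a well-formed but forged token still passes it, which is exactly why the guard stays a UX convenience and every authorization decision has to be made on the server.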
@@DevAcademyCom he seems to be out on a one-man mission against PWAs, as he left some choice words on Maximiliano Firtman's video the other day as well: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-kYAkrgeDLbw.html
@@orionrush PWA helps lazy coders but offers no advantages for end users like me. Sure, I could "install" your "app" from a random website, but why should I when we've been taught for years to only install apps from the store? Stores might not be perfect, but they keep out at least some of the malware. We need a gatekeeper or paywall of some sort to keep malware out of the ecosystem. Not promote technology that allows it to spread. Also, building everything on the same code base and working web-first means desktop users get an inferior experience as most developers never get past the phone UI/UX design. I'm not using PWAs until developers stop jumping on the bandwagon and start thinking about end users and security instead of their own convenience.
Isn't there something missing in "handle401Error()"? If the API returns a 401 at "refreshToken", shouldn't that be caught, so that you can show an error message in the application? And shouldn't "isRefreshing" be set to false again?
Great video, thanks a lot! When the refreshToken() gets an HTTP 401 I would like to logout the user and redirect to the login page. Does anybody know how to do this? I have tried with no success. Since token.interceptor has the method handle401Error() I suppose it should be there. Any help is appreciated....
In the handle401Error function, after the switchMap use catchError, and if the error status is 401 you can delete everything from localStorage and use the router to redirect to the login page. If you use a refresh token which will be invalid after logout, then you should delete it from the DB.
@@pipacs_o1962 can you show me the code for this?

    // imports needed at the top of token.interceptor.ts
    import { throwError } from 'rxjs';
    import { switchMap, catchError } from 'rxjs/operators';

    return this.auth.refreshToken().pipe(
      switchMap((newToken: string) => {
        // did we get a new token? retry the previous request
        debugger;
        this.isRefreshingToken = false;
        console.log(newToken);
        this.tokenSubject.next(newToken);
        // return next.handle(this.setTokenInHeaders(req, newToken, baseUrl));
        return next.handle(this.setTokenInHeaders(request, newToken, baseUrl));
      }),
      catchError(error => {
        // reset on failure too, otherwise the next 401 never triggers a refresh
        this.isRefreshingToken = false;
        if (error.status === 401) {
          localStorage.removeItem('token');
          localStorage.removeItem('refreshtoken');
          localStorage.removeItem('menu');
          localStorage.removeItem('pref');
          localStorage.removeItem('username');
          this.globals.changeSharedData({ showLogin: true });
          this.router.navigate(['/login']);
          // Observable.throw no longer exists in RxJS 6+; throwError re-raises
          // so the original caller still sees the failed request
          return throwError('error is caught');
        } else {
          return throwError('error is thrown ' + error);
        }
      })
    );
  }

trying this but the error is always thrown. It is not catching the error
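The "refresh once, retry the failed request, otherwise log out" flow that the last four comments discuss, as an added example that is not the course's token.interceptor or anyone's code in this thread. It is modelled with Promises instead of RxJS so it runs without Angular: a refresh that answers 401 wipes the stored tokens and flags the session (the logout-and-redirect case), any other error propagates unchanged, and the isRefreshing flag is reset on both outcomes (the point raised about handle401Error). AuthApi, TokenStore, SessionState, RefreshHandler and demo() are assumptions of this example.

```typescript
// Added example, not the course's interceptor. Promise-based model of the
// refresh-then-retry logic; names and shapes below are assumptions.

// Thrown/rejected with by the fake API; a plain class so instanceof works on any target.
export class HttpError {
  constructor(public readonly status: number, public readonly message = `HTTP ${status}`) {}
}

export interface AuthApi {
  // resolves with a new access token, rejects with an HttpError
  refresh(refreshToken: string): Promise<string>;
}
export interface TokenStore { token: string | null; refreshToken: string | null }
export interface SessionState { loggedOut: boolean }

export class RefreshHandler {
  private isRefreshing = false;
  private inflight: Promise<string> | null = null;

  constructor(private api: AuthApi, private store: TokenStore, private session: SessionState) {}

  get refreshing(): boolean { return this.isRefreshing; }

  // Called when a request came back 401. `retry` re-issues that request with a token.
  async handle401<T>(retry: (token: string) => Promise<T>): Promise<T> {
    let token: string;
    try {
      token = await this.refreshOnce();
    } catch (err) {
      if (err instanceof HttpError && err.status === 401) {
        // The refresh token itself was rejected: nothing is left to retry with,
        // so clear client state and flag the session for the UI to route to /login.
        this.store.token = null;
        this.store.refreshToken = null;
        this.session.loggedOut = true;
      }
      throw err; // the original caller still sees the failure either way
    }
    // A 401 on the retried request is deliberately not refreshed again (it would loop).
    return retry(token);
  }

  // One refresh is shared by every request that fails while it is in flight,
  // and isRefreshing is reset on success and on failure.
  private refreshOnce(): Promise<string> {
    if (this.inflight) return this.inflight;
    this.isRefreshing = true;
    const rt = this.store.refreshToken;
    const call: Promise<string> = rt === null
      ? Promise.reject(new HttpError(401, 'no refresh token stored'))
      : this.api.refresh(rt);
    this.inflight = call.then(
      t => { this.reset(); this.store.token = t; return t; },
      e => { this.reset(); throw e; },
    );
    return this.inflight;
  }

  private reset(): void { this.isRefreshing = false; this.inflight = null; }
}

// Drives the handler through the three outcomes with constructed fakes.
export async function demo() {
  const retry = async (t: string) => `retried with ${t}`;

  // 1. refresh succeeds; two requests that got 401 at the same time share one refresh call
  let refreshCalls = 0;
  const okApi: AuthApi = { refresh: async () => { refreshCalls++; return 'access-2'; } };
  const store1: TokenStore = { token: 'access-1', refreshToken: 'refresh-1' };
  const h1 = new RefreshHandler(okApi, store1, { loggedOut: false });
  const [a, b] = await Promise.all([h1.handle401(retry), h1.handle401(retry)]);

  // 2. refresh token rejected with 401: client state wiped, session flagged
  const store2: TokenStore = { token: 'access-1', refreshToken: 'revoked' };
  const session2: SessionState = { loggedOut: false };
  const h2 = new RefreshHandler({ refresh: async () => { throw new HttpError(401); } }, store2, session2);
  const err2 = await h2.handle401(retry).catch(e => e);

  // 3. transient server error: no logout, but isRefreshing is still reset
  const store3: TokenStore = { token: 'access-1', refreshToken: 'refresh-3' };
  const session3: SessionState = { loggedOut: false };
  const h3 = new RefreshHandler({ refresh: async () => { throw new HttpError(500); } }, store3, session3);
  const err3 = await h3.handle401(retry).catch(e => e);

  return {
    results: [a, b], refreshCalls, refreshingAfterOk: h1.refreshing, tokenAfterOk: store1.token,
    status2: (err2 as HttpError).status, loggedOut2: session2.loggedOut,
    store2Cleared: store2.token === null && store2.refreshToken === null,
    status3: (err3 as HttpError).status, loggedOut3: session3.loggedOut,
    refreshing3: h3.refreshing, store3Kept: store3.refreshToken === 'refresh-3',
  };
}
```

The design choice worth noting is that the failure branch still rethrows after clearing state: the request that triggered the refresh did fail, and swallowing that would leave the caller waiting on a response that never comes. Distinguishing a 401 from the refresh endpoint (session really is over) from a 5xx (try again later) is what keeps a flaky backend from logging every user out.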