So i am inheriting a team and a large project that should have been built with a restful back end. For the time it is only reporting and we all agree to build out a web API (separate project) with using AngularJS in the current MVC project and slowly migrate everything to the web API back end.
There is a lot of authentication built already in the MVC project, so I was thinking if I generated a token that would indicate the roles the person had and passed it to the AngularJS front end to pivot the screen (such as read vs write capabilities) based on the token and then for authentication for the web API it expects that same token to come through.
What thoughts do you guys have on this?
Best Answer
I think you will fall down on the practicality of this solution.
Embeding the roles in the key can be done no prob, but it will provide no extra security for client side functionality.
If you are retrieving the Data for say a form which may be editiable for example, simply include an IsEditable field in the data and have the server do the hard work rather than trying to code it all in js