
Let's imagine I have a website with a React front-end that renders two pages, one is "View Data" and the other is a welcome page with a login form.

Scenario: You log in and the server accepts it and you get a JWT. When you click on "View Data" the server is sent the Token and it views it as valid. What does the server send back to allow the front-end to display the page, does it just resend the token? Couldn't the front end save it? Can't a REST response be spoofed/modified within the browser developer tools? If not, I know you can set JavaScript variables and such, so I'd have to imagine that it wouldn't be difficult to access the protected page. I can protect the data, but I don't understand how to properly protect the page itself.

To reiterate the various questions:

  1. What does the server send back, does it just resend the token?
  2. Can't a REST response be spoofed/modified within the browser developer tools?
  3. If not, I know you can set JavaScript variables and such, so I'd have to imagine that it wouldn't be difficult to access the protected page. If this is the case, what is the solution?
AndrolGenhald
Geth V
  • "views it as valid" - That's the important part. You have to check the validity of the token. – AndrolGenhald Dec 18 '18 at 19:42
  • How? The client shouldn't have access to the secret, and thus can't validate the token. Validating on the server is fine, but then the entirety of my original question stands unanswered. – Geth V Dec 18 '18 at 20:35
  • I'm not really clear on what you're asking. Why would the server resend the token? As far as REST queries though, yes that'd be easy to do, perhaps with a browser's tools, but if not then certainly with curl. – AndrolGenhald Dec 18 '18 at 20:39
  • The topic is about securing webpages that are not meant to be visible unless logged in, so that means you have to send the token to the server to verify if the token is valid. – Geth V Dec 19 '18 at 00:47
  • I tried to edit the above but stack exchange isn't cooperating. The topic is about securing webpages that are not meant to be visible unless logged in, so that means you have to send the token to the server to verify if the token is valid. The client can't validate tokens. What specifically is the server supposed to send back that says "yes, show the user this page?" – Geth V Dec 19 '18 at 00:55
  • I think things are becoming a bit more clear, so I take it you're using some sort of js frontend that handles all the pages? – AndrolGenhald Dec 19 '18 at 14:13
  • That is correct, React to be specific. It has a router package that I will be using and certain pages should redirect if the person isn't logged in or if they don't have a valid token. But it requires sending the token to the server to see if it's valid, so I want to know what to send back to the client, and I am wondering if there's a way to prevent the user from spoofing the response (because the client side can't validate tokens, they might be able to render the page anyway. Granted, the data will still be safe) – Geth V Dec 19 '18 at 14:24
  • Side note: If you give the client all the data, and then expect them to do a server call to allow (or prevent) access, you're doing the exact same thing as video game DRM. As near as I'm aware, _all_ game DRM has been breached, and the data repurposed... despite them spending millions or billions of dollars on the attempts. The only way to prevent the compromise is to **not** give out the necessary data. Good luck. – Clockwork-Muse Dec 19 '18 at 23:03
  • I will not be sending the data unless the server validates the token first. – Geth V Dec 20 '18 at 14:20

1 Answer

I think the issue here is a misunderstanding of what needs to be protected. Let me lay out your situation to make sure I understand it:

  • You have a JS frontend that renders all pages
  • You have some pages that shouldn't be accessed without authentication
  • You're not sure how to protect those pages, given that users may spoof "show this page" responses to the client

The important question is, does the page need to be protected, or does the data on the page need to be protected?

If it's just the data that matters, simply have the server avoid sending the data unless the user is authenticated. The user can display the page all they want, but they won't have the data that makes the page useful, so it doesn't really matter.

If the page itself must be kept secret (are you sure? It seems odd to me to keep a layout secret...) then you must not include it in your frontend. If you put it in your frontend and send it to unauthenticated users, they will be able to find it if they're determined.

AndrolGenhald