
I am writing an application using Angular. Once the server authentication is done I may have to store a few details on the client side, e.g. user name, password, location, roles, etc., which are required for processing other components in Angular. I am aware of the localStorage and sessionStorage methods to store the data. Due to sensitive data I cannot use that type of storage. I would like to know any other alternate way to store data in Angular.

Tibebes. M
JAVA_CAT
  • What type of storage are you looking for then? (What are the requirements?) – Tibebes. M Sep 22 '20 at 17:55
  • Once authenticated, based on the role a lot of actions need to be done on the client side, like showing menus, enabling/disabling buttons, etc. For this I need to store the role. Similarly a few other keys as well. – JAVA_CAT Sep 22 '20 at 17:57
  • The widely used practice is to use [JWT claims](https://jwt.io/introduction/) for the information needed and save the tokens inside `localStorage`. And you can [decode these claims](https://stackoverflow.com/questions/38552003/how-to-decode-jwt-token-in-javascript-without-using-a-library) on the client side safely (if the token isn't encrypted). That being said, storing passwords in plain text in the database, let alone sending them to the client side, is wrong practice (in terms of security risk). – Tibebes. M Sep 22 '20 at 18:01
  • A token is fine. But what about an application which restricts users from using some of the functionalities based on the role? The role is nothing but "Admin", "contractor", etc. – JAVA_CAT Sep 22 '20 at 18:05
  • You can encode them inside the JWT token (on the server) and the client side can decode and operate accordingly, and the server should verify each request made for validity. – Tibebes. M Sep 22 '20 at 18:07
  • We have a different authentication system. If the user is authenticated, then it shares a valid role. Not using JWT anyway. – JAVA_CAT Sep 22 '20 at 18:15
  • @Tibebes.M just check this https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Client-side_web_APIs/Client-side_storage#Storing_complex_data_%E2%80%94_IndexedDB – JAVA_CAT Sep 22 '20 at 18:35
  • I'm not sure I understand what point you're making. But just know that using `IndexedDB` won't help much in securing the data. And as a general rule, I would advise you to never let the password leave the server. – Tibebes. M Sep 22 '20 at 18:48

1 Answer


Storing the password on the client side is not a good idea, even if it is hashed. Try storing a token instead. You could also consider using an encryption library on the front end but you run the risk of slowing down the UI.

xerxes666
  • OK, so storing encrypted values in localStorage is the only way, right? Slowing down is a concern, but what is the best option? Because based on the role, a lot of actions need to be done on the client side, like showing menus, enabling/disabling buttons, etc. – JAVA_CAT Sep 22 '20 at 17:54
  • I think you can get by with client-side encryption if you do not expect the user to be frequently saving sensitive data. Ideally, sensitive data should be encrypted and stored on the server side in a database. Usually usernames, server-generated tokens, and maybe some metadata can be stored on the client side without encryption, as they aren't that sensitive, and this won't affect UI performance too much. – xerxes666 Sep 22 '20 at 18:03
  • Could you please provide some insight on JavaScript/TypeScript-based encryption? – JAVA_CAT Sep 22 '20 at 18:08
  • Using encryption libraries would be your best bet. Look into this: https://bitwiseshiftleft.github.io/sjcl/. – xerxes666 Sep 22 '20 at 18:10
  • How about this https://developer.mozilla.org/en-US/docs/Learn/JavaScript/Client-side_web_APIs/Client-side_storage#Storing_complex_data_%E2%80%94_IndexedDB – JAVA_CAT Sep 22 '20 at 18:35
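The following is an added example illustrating the answer's advice (store a token, never the password) together with the role-gating the asker needs; it is not code from the question, the answer, or any commenter. It assumes the server issues a JWT whose payload carries a `roles` array and an `exp` claim, and it uses an assumed `FEATURE_ROLES` map and an in-memory `memoryStorage()` stand-in for `window.sessionStorage` so it also runs under Node. Two caveats the code encodes: the JWT payload is decoded without signature verification, which is acceptable only for deciding what to render, and the server must authorize every request regardless of what the client hides. The example deliberately stores nothing that would need client-side encryption, since a key held by the same page is reachable by the same injected script.

```javascript
// Added example, not code from the question or the answer.
// The password never reaches the browser: the client keeps only an opaque
// server-issued token plus non-sensitive UI metadata, and reads the role
// from the token's claims to decide what to show. Hiding a button is not a
// security control; the server must still authorize every request.

const ALLOWED_KEYS = ['token', 'username', 'location']; // assumption: what the UI needs
const SENSITIVE_KEYS = ['password', 'pwd', 'secret'];    // must never be persisted client-side

// Assumed feature-to-role map for the UI. Role names follow the question.
const FEATURE_ROLES = {
  'admin-menu': ['Admin'],
  'submit-invoice': ['Admin', 'Contractor'],
};

// Minimal stand-in for window.sessionStorage so the example also runs under Node.
function memoryStorage() {
  const items = new Map();
  return {
    getItem: (k) => (items.has(k) ? items.get(k) : null),
    setItem: (k, v) => { items.set(k, String(v)); },
    removeItem: (k) => { items.delete(k); },
    clear: () => { items.clear(); },
  };
}

// base64url helpers (JWT segments are base64url without padding).
function b64urlEncode(str) {
  const b64 = typeof Buffer !== 'undefined'
    ? Buffer.from(str, 'utf8').toString('base64')
    : btoa(unescape(encodeURIComponent(str)));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function b64urlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (str.length % 4)) % 4);
  if (typeof Buffer !== 'undefined') return Buffer.from(b64, 'base64').toString('utf8');
  return decodeURIComponent(
    Array.from(atob(b64), (c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join(''),
  );
}

// Reads the JWT payload WITHOUT checking the signature. That is fine for
// deciding which menus to render, and nothing more: the client cannot verify
// a server secret, so the server re-validates the token on every API call.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Persists only whitelisted fields; refuses outright if the login response
// carries a password, so the mistake surfaces at the server response.
function saveSession(storage, loginResponse) {
  for (const k of SENSITIVE_KEYS) {
    if (k in loginResponse) throw new Error(`refusing to store "${k}" on the client`);
  }
  for (const k of ALLOWED_KEYS) {
    if (loginResponse[k] != null) storage.setItem(k, loginResponse[k]);
  }
  return ALLOWED_KEYS.filter((k) => storage.getItem(k) !== null);
}

// Roles from the stored token; a missing or expired token yields no roles.
function currentRoles(storage, nowMs = Date.now()) {
  const token = storage.getItem('token');
  if (!token) return [];
  const claims = decodeJwtPayload(token);
  if (typeof claims.exp === 'number' && claims.exp * 1000 <= nowMs) return [];
  return Array.isArray(claims.roles) ? claims.roles : [];
}

function canShow(storage, feature, nowMs = Date.now()) {
  const roles = currentRoles(storage, nowMs);
  return (FEATURE_ROLES[feature] || []).some((r) => roles.includes(r));
}

// Constructed sample token standing in for one the server would issue.
// The third segment is a placeholder: the client never checks it anyway.
function sampleToken(claims) {
  const header = b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  return `${header}.${b64urlEncode(JSON.stringify(claims))}.signature-placeholder`;
}

// Usage
const demoStore = memoryStorage();
saveSession(demoStore, {
  token: sampleToken({ sub: 'alice', roles: ['Contractor'], exp: 4102444800 }),
  username: 'alice',
  location: 'Chennai',
});
console.log('submit-invoice visible:', canShow(demoStore, 'submit-invoice')); // true
console.log('admin-menu visible:', canShow(demoStore, 'admin-menu'));         // false
```

In an Angular app the `memoryStorage()` stub is replaced by `sessionStorage` (cleared when the tab closes, which is preferable to `localStorage` for session material), `saveSession` runs in the login service, and `canShow` backs a route guard or `*ngIf`. If the backend does not issue a JWT, as the asker's comment says, the same structure holds: keep the opaque token plus the server-returned role list in storage, and drop the decoding step.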