I want to create a very light weight single page application so I’m planning to forgo any library or framework on the frontend. That means I’m planning to use only vanilla Javascript, HTML, and CSS on the frontend. Since I’m more familiar with Dotnet than other technologies I decided to use it instead of other backend technologies which I know very little about. To keep my project as light as possible, I want to use Dotnet sparingly so I’ll only use Dotnet Core Web API 2.0 and a database but not Dotnet MVC, Webform, etc. on the backend.
The way I want my app to work is the user needs to login with his/her credential which will be sent to the backend via ajax for authentication and authorization purposes. Then functions within the Dotnet Web API will filter the user’s input to render it safe for further processing. A Web API function will query a database using ADO DotNet to verify the user’s password and check the user assigned role. Next the user will be granted access to various resources on the database and server depending on his/her role after his/her credential has been verified. Finally the requested data will be returned to the frontend to be displayed and cached. Would it be possible to implement role based authentication and caching on my web app with just Dotnet Web API and a database? I have seen articles on securing Dotnet Web API using JWT but I’m not quite sure if it is safe to use and whether this is adequate to secure not just the Web API but also secure my single page app as well.
Sure it is. It depends on your implementation and how good you are in developing secure applications
I am not sure what you mean by this sentence, but you can always only secure the things which are on the backend. You can never secure anything on the frontend as the user can edit and change everything what is send to the browser.
At the end a few very importing points:
Use TLS (HTTPS) for transfer
Setup your web server correctly. There are so many things you should take care of when configurations Apache to not open all doors for hackers.
Do not store passwords anywhere. Always store only a hash of it.
Do not disable any TLS verifications because there are problems with certificates
When I said “I have seen articles on securing Dotnet Web API using JWT but I’m not quite sure if it is safe to use and whether this is adequate to secure not just the Web API but also secure my single page app as well.” What I meant was I have seen articles on why JWT can be used to secure SPAs and I have also seen articles saying the opposite. I don’t know if or how the Dotnet framework is able to get around the shortcomings of JWT.
I’m confused by your statement “You can never secure anything on the frontend as the user can edit and change everything what is send to the browser.” If the frontend is populated with data from the backend where only authenticated users can have access to, then why wouldn’t you be able to secure the frontend? After all isn’t that the whole idea behind querying the backend to get authorized resources to populate a SPA?
The backend must be secured to only deliver data which the user should have access to. As far as the backend delivers the data to the frontend, you can no longer take control of what the user is doing with it (in the frontend). That’s why you need to validate all data which is sent to the backend because this could be any data, not only what you expect your frontend to sent to the backend.
JWT is just a type if authorization. It is very popular at the moment because its pretty easy to integrate. But it has nothing to do with the language or frameworks you use or what kind of application you want to develop. JWT is also only as secure as you implement it. It is a tool not a solution.
