Ant-design-pro: Authorization Can be bypassed via localStorage.setItem()

Created on 22 Feb 2019 · 2 Comments · Source: ant-design/ant-design-pro

Hello,

It seems that authorization can be bypassed altogether when users open their browser console and type the following (dependent upon the authorization defined in routes):

localStorage.setItem('antd-pro-authority', "[\"admin\"]");

You can test this for yourself by following these steps:

  1. Navigate to https://preview.pro.ant.design in a private browser window
  2. Log out of the admin
  3. Run localStorage.setItem('antd-pro-authority', "[\"admin\"]"); in your browser console
  4. Navigate to https://preview.pro.ant.design and see the dashboard

Is this a known bug? Is this authorization strategy just here temporarily for mock/demo purposes and meant to be refactored by developer?

All 2 comments

Yes, this is for demo purposes.

You can check how auth2 and JWT tokens play together.

You can close the issue if this answers your question

OK, thanks. I was able to implement a JWT strategy to secure the application.
