Ant-design-pro: Authorization Can be bypassed via localStorage.setItem()

Created on 22 Feb 2019  ·  2 Comments  ·  Source: ant-design/ant-design-pro

Hello,

It seems that authorization can be bypassed altogether when users open their browser console and type the following (depending on the authorization defined in the routes):

localStorage.setItem('antd-pro-authority', "[\"admin\"]");

You can test this for yourself by following these steps:

  1. Navigate to https://preview.pro.ant.design in a private browser window
  2. Log out of the admin account
  3. Run localStorage.setItem('antd-pro-authority', "[\"admin\"]"); in your browser console
  4. Navigate to https://preview.pro.ant.design again and see the dashboard

Is this a known bug? Is this authorization strategy just here temporarily for mock/demo purposes and meant to be refactored by the developer?

All 2 comments

Yes, this is for demo purposes.

You can check how auth2 and JWT tokens play together.

You can close the issue if this answers your question.

OK, thanks. I was able to implement a JWT strategy to secure the application.
