Hello, I am using the frontend token payload to store user role and I am using this payload to check for access role in the backend, how safe is this approach? I manipulated the frontend token to change the role but the backend still sees my correct, true role instead of the manipulated role. So I assume this is safe?
07/18/2022, 12:38 PM
Hey @wdjzr . Yea.. essentially, the frontend stores the access token's in a separate token which is only read on the frontend.
The backend reads the access token payload from the actual access token - which is httpOnly cookie (so frontend JS cannot read/ write it), and is also crypto signed so that someone cannot manipulate the contents of it manually either.