If I were to provide a fake JWT, I realized Angular would "accept it" as logged in as most tutorials just check if a JWT key is set in localStorage (and if it's not expired.)
Is there something I'm missing about using JWT? I feel the client needs to check to check if the token actually came from the server. Consider this scenario:
User goes to route /#/admin with fake JWT that looks something like: {'username': 'hacker', 'role': 'admin'}. Now the user sends a token to the server, which checks signature (& expiration), since the secret signing key is wrong, the user receives a 401/403 response from the (API) server, and the client hangs (blank screen with toolbar) as no valid response came from server.
Is this "safe" or "okay" that a user can bypass my Guard with a fake JWT since they cannot get any data from server anyways?
It's in fact normal.
If the user's token gets rejected by the server you should log him out.
Even though he can pass the guard, he will never have any data from your admin panel as the server should reject every single request due to invalid JWT. So you should not worry.