I have a dotnet asp core 3 backend that defines roles and permissions for my WebAPI. Now I need at frontend side (javascript) get these permissions to show correct UI to the user, etc.
How do you usually accomplish this task? I have 2 options, but don't know which one could fit better or is more maintainable:
1) Mirror the ACL (Access control list) (Seems the worst one related to maintenance). By mirroring I mean having a copy of the ACL hardcoded in frontend
2) Send the ACL when the user initially logs in?
3) Insert your better option here? :)
On the other hand, is there any javascript library that integrates with asp dot net core identity system and does this seamlessly?
I had to do this for an app that integrates with a legacy auth scheme, so I wasn't using any built in auth system like the .NET Core Identity package. What I did was package the ACL into an encrypted auth token (we have 800+ binary permissions which I actually reduced to individual bits), but I also sent it in an unencrypted form as a part of the login response.
This way the client can just read the unencrypted data to construct the UI, and the backend can decrypt the token on every request to decide whether to allow the request without reading from the DB for permission data.
At the moment I'm not aware of any scheme that alleviates the trouble of having to write code for the UI and backend to check permissions; one being hackable, because it is just for UI purposes, and one being secure, for auth purposes.