How to check the token validity before routing?

I’m setting up a web application with angularjs routing (ngRoute) and expressjs in the backend.

I have a doubt, I don´t understand why the “standard” solution to check if user is logged or not is look up for the token in the local storage. I mean, its validity is not checked at any time. It is possible for the user to insert the token manually in the browser.

I am aware that when the user tries to perform an operation the server side would realize that the user is not logged, but I think is still possible for a user who inserts manually the token to access some private routes (for example, a creation form).

I don´t know how to resolve this problem. I was trying to ask the server for the validity in the app run. The problem is that the program does not wait for the promise before routing for the first time.

var appRun = function($rootScope, $location, $route, $timeout, API_URL, auth, authToken) {

    $rootScope.$on('$locationChangeStart', function(event, next, current) {
      var routeUrl = '/' + current.replace(API_URL, '').split('/')[1];
      routeUrl = getRouteParams(routeUrl);

      var routeObj = $route.routes[routeUrl];
      var userProfile = authToken.isAuthenticated(), redirectPath;

      //not valid route
      if (!routeObj) {
        redirectPath = getRedirectPath(userProfile);

      //restricted route
      else if (routeObj.restricted && userProfile !== 'LOGGED') {
        redirectPath = getRedirectPath(userProfile);
//In auth service...

 getProfile: function() {
        if (!(!!authToken.getToken())) { 
            return authToken.setUserProfile('FORBIDDEN') 

        //if the token exists check it
        return $http.get(API_URL + '/auth')
          .then(function(response) {
            return response;
          .catch(function(error) {
            return authToken.setUserProfile(;


Source: AngularJS