Static Angular App calling Azure Functions. Is it a security issue?


I have a node.js app which does authentication/authorization. I have an Azure Function which accepts an auth token, validates it and executes the business logic behind it (exposed through CORS). I have a static website with an Angular app which redirects to node.js for auth, gets the token and calls the Azure Function (directly) with the same. For all subsequent requests from Angular, we use the same token.

My fear: If any network sniffing tool gets hold of the token, there could be a possible attack on our business, as the respective tool will have everything to execute Azure Function(s) on the user’s behalf. I tested the same using cURL and was able to execute the Azure Function directly (with the token captured from dev tools).

Question:

  • Are there any flaws in the above architecture?
  • If so, what’s the best approach?
  • If not, is my fear valid?
  • Is it a good idea to expose Azure Functions directly to the public (even though they accept only authorized requests)?

Thanks

Source: Angular Questions
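
The Function-side validation the question describes, sketched as an added example that is not the asker's code. It assumes the token is an HS256-signed JWT; the secret, audience value and function names are hypothetical. It shows that a valid bearer token is accepted from whoever presents it until it expires, so signature, audience and a short lifetime are what bound the use of a captured token.

```javascript
// Added example: secret, audience and function names are constructed, not from the post.
const crypto = require('crypto');

const SECRET = 'constructed-demo-secret'; // assumed key shared by the auth app and the Function
const AUDIENCE = 'orders-function';       // hypothetical audience identifier

const b64url = (data) => Buffer.from(data).toString('base64url');
const sign = (data) => crypto.createHmac('sha256', SECRET).update(data).digest();

// Auth app side: issue a short-lived token bound to one audience.
function issueToken(sub, nowSec, ttlSec) {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ sub, aud: AUDIENCE, exp: nowSec + ttlSec }));
  return `${header}.${payload}.${b64url(sign(`${header}.${payload}`))}`;
}

// Function side: run on every request before any business logic.
function validateToken(token, nowSec) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [header, payload, sig] = parts;
  const expected = sign(`${header}.${payload}`);
  const given = Buffer.from(sig, 'base64url');
  // Constant-time comparison; check lengths first because timingSafeEqual throws on a mismatch.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  let head, claims;
  try {
    head = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (head.alg !== 'HS256') return { ok: false, reason: 'unexpected algorithm' };
  if (claims.aud !== AUDIENCE) return { ok: false, reason: 'wrong audience' };
  if (typeof claims.exp !== 'number' || nowSec >= claims.exp) return { ok: false, reason: 'expired' };
  return { ok: true, sub: claims.sub };
}

// Constructed walk-through: one token presented at three times, plus an altered copy.
function demo() {
  const token = issueToken('alice', 1000, 300);
  const [h, , s] = token.split('.');
  const forged = `${h}.${b64url(JSON.stringify({ sub: 'admin', aud: AUDIENCE, exp: 9e9 }))}.${s}`;
  return [validateToken(token, 1010), validateToken(token, 1200),
          validateToken(token, 1300), validateToken(forged, 1010)];
}
console.log(demo());
```

The first two results are identical because the validator sees only the token, not who sent it; the third fails once the 300-second lifetime has passed, and the altered copy fails the signature check.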
