Static Angular App calling Azure Functions. Is it a security issue?
I have a node.js app which does authentication/authorization. I have an Azure Function which accepts auth token (validates and) executes the business logic behind (exposed through CORS). I have a static website with Angular app which redirects to node.js for auth, gets the token and calls Azure function (directly) with the same. For all subsequent requests from angular, we use the same token.
My fear: If any network sniffing tool gets hold of token, there could be a possible attack on our business, as the respective tool will have everything to execute Azure function(s) on user’s behalf. I tested the same using cURL and was able to execute Azure function directly (with the token captured from dev tools).
Are there any flaws in above architecture
If so, what’s the best approach
If not, is my fear valid?
Is it a good idea to expose Azure functions directly to public (even though it accepts only authorized requests).