What could be a better way to handle authorization in Spring Cloud Gateway, given my context?

Current architecture: We are using Spring Cloud Gateway as an application gateway to hide various applications and act as a central entry point. These applications are varied: some are web servers, some are dashboard servers like Power BI, and some are simple microservices that output JSON.

We created a new frontend with React that simply lists all the pages in a navbar; upon clicking a page, it expects a response that is embedded inside an iframe in the frontend. We use Basic auth to authenticate users with a simple username and password.

Finally, there is nginx acting as a reverse proxy to hide the frontend and the application gateway, as we need the frontend to access the content inside the iframe without violating the same-origin policy. So the user typically interacts with the frontend through nginx, and even the frontend sends its requests to the gateway via nginx.

Problem: implementing authentication and authorization via the gateway. Even though users do not have access to certain pages in the frontend for which they are not authorized, they can still copy that link from someone else and request the resource directly. For example: a dashboard which the user is not authorized to view. Since the application gateway does not check authorization, it responds with the dashboard.

We tried to stop this by forwarding the username in a header to the gateway; the gateway then checks whether the user is authorized to access the resource. This works partly, but it has security issues, as someone can manipulate that header and still receive the dashboard.

I was expecting this to be foolproof, but it was not. For the above context, is there any standard way of performing an authorization check in the gateway for users logged in with Basic auth?


There are 0 best solutions below
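The weak spot described in the question is that the gateway trusts an identity header the client can write. The standard fix in Spring Cloud Gateway is to let Spring Security authenticate the Basic credentials on the gateway itself, enforce route authorization from the resulting principal, and, if the backends still need a username header, have the gateway overwrite that header from the principal rather than pass through whatever the browser sent. The configuration below is an added example written for this answer, not code from the question or from the Spring project. It assumes `spring-boot-starter-security` is on the classpath, an in-memory user store (constructed sample users `alice` and `bob`), route prefixes `/dashboards/**` and `/api/**`, and a header name `X-Gateway-User`; all of those are assumptions to be replaced with real values.

```java
// Added example: Basic-auth authorization enforced on the gateway, plus a filter that
// replaces any client-supplied identity header with the authenticated principal.
import java.security.Principal;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.Ordered;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class GatewaySecurityConfig {

    // Authorization is decided here, per route prefix, from the authenticated principal.
    // A copied dashboard URL requested by a user without DASHBOARD_VIEWER gets 403,
    // regardless of which headers the client adds.
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        return http
            .httpBasic(Customizer.withDefaults())
            .authorizeExchange(exchanges -> exchanges
                .pathMatchers("/dashboards/**").hasRole("DASHBOARD_VIEWER")   // assumed prefix
                .pathMatchers("/api/**").hasAnyRole("DASHBOARD_VIEWER", "API_USER")
                .anyExchange().authenticated())
            .build();
    }

    @Bean
    public PasswordEncoder passwordEncoder() {
        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
    }

    // Constructed sample users; replace with the real user source.
    @Bean
    public MapReactiveUserDetailsService userDetailsService(PasswordEncoder encoder) {
        UserDetails alice = User.withUsername("alice")
            .password(encoder.encode("alice-password")).roles("DASHBOARD_VIEWER").build();
        UserDetails bob = User.withUsername("bob")
            .password(encoder.encode("bob-password")).roles("API_USER").build();
        return new MapReactiveUserDetailsService(alice, bob);
    }
}

// Runs after Spring Security has authenticated the request, so exchange.getPrincipal()
// reflects the verified Basic credentials, not anything the client wrote into a header.
@Component
class TrustedIdentityHeaderFilter implements GlobalFilter, Ordered {

    // Assumed header name. Backends may only trust it if they are reachable solely
    // through the gateway and nginx also strips it from inbound requests.
    static final String USER_HEADER = "X-Gateway-User";

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        return exchange.<Principal>getPrincipal()
            .map(Principal::getName)
            .defaultIfEmpty("")
            .flatMap(name -> {
                ServerHttpRequest request = exchange.getRequest().mutate()
                    .headers(headers -> {
                        headers.remove(USER_HEADER);          // always drop the client's value
                        if (!name.isEmpty()) {
                            headers.set(USER_HEADER, name);   // set from the verified principal
                        }
                    })
                    .build();
                return chain.filter(exchange.mutate().request(request).build());
            });
    }

    @Override
    public int getOrder() {
        return Ordered.HIGHEST_PRECEDENCE;
    }
}
```

Two things make this hold in the described topology. First, nginx should clear the same header before proxying to the gateway (`proxy_set_header X-Gateway-User "";`), so the gateway is the only writer. Second, the Power BI server, web servers and JSON microservices must not be reachable except through the gateway; otherwise the header check can be bypassed by calling the backend directly, and the gateway's authorization decision is irrelevant. With authorization enforced in `securityWebFilterChain`, the forwarded username becomes informational for the backends rather than the basis of the access decision.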