Because you are saving the whole user information (except the password, but it doesn't matter) in localStorage, you can easily change the role inside the token to Admin and then use the app with admin privileges, and localStorage has to contain Role and Token from the user object at all times if you want to keep the user logged in and able to refresh the page.
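A server-side check for the concern raised above, as an added example that is not part of the original page: the role is read only from a token whose HMAC signature the server has verified, so an edited Role field or an edited token payload in localStorage does not change the authorization decision. The secret, the claim names (`sub`, `role`, `exp`) and all function names are assumptions made for this sketch, written for Node.js.

```javascript
// Added example (not from the original page). Secret, claims and names are constructed.
const crypto = require('node:crypto');

const SERVER_SECRET = 'constructed-demo-secret'; // assumption: known only to the server
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const mac = (data) => crypto.createHmac('sha256', SERVER_SECRET).update(data).digest();

// Server: issue an HS256 token in JWT layout (header.payload.signature).
function issueToken(claims) {
  const signed = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(claims)}`;
  return `${signed}.${mac(signed).toString('base64url')}`;
}

// Server: return the claims only if the signature matches, otherwise null.
function verifyToken(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return null;
  const [head, body, sig] = parts;
  const given = Buffer.from(sig, 'base64url');
  const expected = mac(`${head}.${body}`);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return null;
  try {
    if (dec(head).alg !== 'HS256') return null; // never accept another algorithm from the header
    const claims = dec(body);
    const now = Math.floor(Date.now() / 1000);
    return typeof claims.exp === 'number' && claims.exp > now ? claims : null;
  } catch {
    return null; // malformed JSON in header or payload
  }
}

// Server: the role comes from verified claims; the stored Role field is never consulted.
function authorize(stored, requiredRole) {
  const claims = verifyToken(stored.token);
  return claims !== null && claims.role === requiredRole;
}

// Constructed sample: the { role, token } object the page says is kept in localStorage.
function sampleStoredUser() {
  const exp = Math.floor(Date.now() / 1000) + 3600;
  return { role: 'User', token: issueToken({ sub: 'alice', role: 'User', exp }) };
}

// Constructed sample: same token with the payload role rewritten, signature left as issued.
function withEditedPayload(token, changes) {
  const [head, body, sig] = token.split('.');
  return `${head}.${enc({ ...dec(body), ...changes })}.${sig}`;
}
```

With this check on every privileged endpoint, the Role value kept in localStorage only drives what the client renders; hiding admin views in the front end is a convenience, not the access control.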