angular.js - Security issues of single-page applications
某草草
某草草 2017-05-15 16:50:15
0
4
723

Background

Backend

nodejs is responsible for the back-end logic, and the http server uses nginx

Front end

Built using angularjs

Structure

'
+---------+       +-----------+      +--------+    +------+
|         |       |           |      |        |    |      |
|         +------->           +------>        +---->      |
|         |       |           |      |        |    |      |
|         |       |           |      |        |    |      |
| browser |       |   nginx   |      | nodeJs |    |  DB  |
|         |       |           |      |        |    |      |
|         <-------+           <------+        <----+      |
|         |       |           |      |        |    |      |
|         |       |           |      |        |    |      |
+---------+       +--+-----^--+      +--------+    +------+
                     |     |                               
                     |     |                               
                  +--v-----+--+                            
                  |           |                            
                  |           |                            
                  |    HTML   |                            
                  |           |                            
                  |    CSS    |                            
                  |           |                            
                  |    JS     |                            
                  |           |                            
                  +-----------+                    
'        

Description

The RESTFUL interface must be used for permissions, using tokens. The backend determines the user's permissions based on the token, and then returns the data.

Question

~~Is it necessary to add permission authentication for files like HTML? For example, some pages are not meant to be seen directly, but now it is obvious that HTML does not pass nodejs verification permissions. ~~

If the scope is expanded to some other static files, such as some doc files, then how should this permission determination be done?

某草草
某草草

reply all(4)
小葫芦

Write the routing file variable in the place where the server sends the first HTML to the browser after logging in. When logging in, list all the files that the user can access, and set the inaccessible ones to 404, and then ng sets the routing When reading these files, if the user directly accesses the route that cannot be reached, a 404 page will be displayed.
You can also write the user identification code in this file, and it is not impossible to modify the global ajax through ng.

phpcn_u1582

I think you are overthinking. There is no difference in security between single-page applications and ordinary web pages. They both use ajax to interact with the server
As for RESTful, it is just an architectural style. Using this style will not cause any qualitative changes to security

洪涛

http://stackoverflow.com/questions/15938730/require-authentication-for-directory-except-one-page-with-passport-js-node-j


你需要auth_basic

PHPzhong

It has no impact on security

For example, take the administrator page admin.html. Even if ordinary users can construct a URL to enter this page, various operations and data acquisition will fail because there is no legal token.

It can be seen that security only depends on the permission verification of the token by restful in the background

Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template