
angular.js - Security issues of single-page applications

Background

Backend

Node.js is responsible for the back-end logic, and nginx is used as the HTTP server.

Front end

Built with AngularJS.

Structure

```
+---------+       +-----------+      +--------+    +------+
|         |       |           |      |        |    |      |
|         +------->           +------>        +---->      |
|         |       |           |      |        |    |      |
|         |       |           |      |        |    |      |
| browser |       |   nginx   |      | nodeJs |    |  DB  |
|         |       |           |      |        |    |      |
|         <-------+           <------+        <----+      |
|         |       |           |      |        |    |      |
|         |       |           |      |        |    |      |
+---------+       +--+-----^--+      +--------+    +------+
                     |     |
                     |     |
                  +--v-----+--+
                  |           |
                  |           |
                  |    HTML   |
                  |           |
                  |    CSS    |
                  |           |
                  |    JS     |
                  |           |
                  +-----------+
```

Description

The RESTful interface must use token-based permissions: the backend determines the user's permissions from the token and then returns the data.

Question

~~Is it necessary to add permission authentication for files like HTML? For example, some pages are not meant to be seen directly, but it is obvious that the HTML does not go through the Node.js permission verification.~~

If the scope is expanded to other static files, such as doc files, how should this permission check be done?

某草草, 2756 days ago

4 replies

  • 高洛峰, 2017-05-15 16:52:15

    Write the routing file variable in the place where the server sends the first HTML to the browser after login. At login, list all the files the user can access, set the inaccessible ones to 404, and then have ng set up the routing. When reading these files, if the user directly accesses a route that cannot be reached, a 404 page will be displayed.
    You can also write the user identification code in this file, and it is not impossible to modify the global ajax through ng.

  • phpcn_u1582, 2017-05-15 16:52:15

    I think you are overthinking this. There is no difference in security between single-page applications and ordinary web pages; they both use ajax to interact with the server.
    As for RESTful, it is just an architectural style. Using this style will not cause any qualitative change to security.

  • PHP中文网, 2017-05-15 16:52:15

    http://stackoverflow.com/questions/15938730/require-authentication-for-directory-except-one-page-with-passport-js-node-j

    You need auth_basic.

  • PHPz, 2017-05-15 16:52:15

    It has no impact on security.

    For example, take the administrator page admin.html. Even if ordinary users can construct a URL to open this page, the various operations and data requests will fail because there is no valid token.

    It can be seen that security depends only on the backend's RESTful permission verification of the token.
