
Security in Angular2 with TS

I want to build a web application using Angular2 with TS.

I read several tutorials about authentication in Angular2 and they say that I have to implement the following things:

  1. index component (public)
  2. login component (public)
  3. my private component (private)

All these components are routed with the Angular-Router and protected with some guards.

But I think that these guards are not really secure. The routes are guarded, but the components are there somewhere in the JS on the client. Some "js-hacker" could access the private component without permission.

Am I right with this thought?

My solution would be to request the private component during the authentication request and return it only if the user has permission.

But in this case, I would have to split up my application into a login part and a private part. (Seems like overhead.)

Another solution would be to send a token with every request, so that the "js-hacker" is able to see the component but not its data, therefore it's useless for him. (But this token needs to be stored.)

Please help me decide which way to go in terms of security, or suggest a better one (I would prefer a better one...).

Thanks.

You'd use *ngIf to conditionally attach your secured component on a valid authentication status. If whatever you bind the *ngIf to evaluates as false, it won't just hide it from view, it will completely remove the component and everything inside it from the DOM.

If they knew what they were doing, they could still look at the source code for the component, yes, but as you surmised, you'd want to keep sensitive data out of the source code and only grab it from somewhere secure for authenticated users.

You should really look into Google's Firebase. Firebase can handle authentication for you much more securely and robustly than you could yourself, and you can use Firebase Realtime Database to store sensitive data and only send it to the client when users are authenticated. It's incredibly simple, works very well with Angular (AngularFire2 is the official library, though it's not necessary), and it has a ton more features than just database and authentication. Trust me, you will not regret it.
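The question's token idea and the answer's "keep sensitive data out of the source code" point are two halves of the same design: the client-side route guard only decides whether to navigate, while the server checks the token on every data request and is the only place that ever enforces anything. The following is an added example, not code from the original question or answer; it is framework-free TypeScript that runs on Node.js (it uses the built-in `crypto` module). The HMAC token format, the `canActivatePrivate` guard and the `getPrivateData` endpoint are invented for illustration, and the "private data" is a constructed sample.

```typescript
// Added illustration, not part of the original post. Assumes Node.js (built-in "crypto").
// Token format, route guard and endpoint names are hypothetical.
import * as crypto from "crypto";

type Role = "user" | "admin";
interface Claims { sub: string; role: Role; exp: number; } // exp: unix seconds

// base64url helpers (manual so they work on older Node versions too)
const toB64url = (buf: Buffer): string =>
  buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s: string): Buffer =>
  Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");

function sign(secret: string, payload: string): string {
  return toB64url(crypto.createHmac("sha256", secret).update(payload).digest());
}

// Server side: mint a token once the login request has succeeded.
export function issueToken(secret: string, claims: Claims): string {
  const payload = toB64url(Buffer.from(JSON.stringify(claims), "utf8"));
  return `${payload}.${sign(secret, payload)}`;
}

// Server side: verify the signature in constant time, then the expiry.
// Returns the claims, or null on any failure (never throws).
export function verifyToken(secret: string, token: string, now: number): Claims | null {
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload, mac] = parts;
  const expected = Buffer.from(sign(secret, payload), "utf8");
  const given = Buffer.from(mac, "utf8");
  if (expected.length !== given.length || !crypto.timingSafeEqual(expected, given)) return null;
  let claims: Claims;
  try { claims = JSON.parse(fromB64url(payload).toString("utf8")); } catch { return null; }
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  if (claims.role !== "user" && claims.role !== "admin") return null;
  return claims;
}

// Client side: what an Angular route guard amounts to. It only decides whether the
// router navigates; the component's JS ships in the bundle regardless, so a user who
// skips the guard (or calls the API directly) gains nothing the server does not hand out.
export function canActivatePrivate(storedToken: string | null): boolean {
  return storedToken !== null;
}

// Server side: the endpoint the private component calls for its data.
interface Request { headers: Record<string, string>; }
interface Response { status: number; body: unknown; }

const PRIVATE_DATA = { report: "constructed sample data, only returned to admins" };

export function getPrivateData(secret: string, req: Request, now: number): Response {
  const auth = req.headers["authorization"] ?? "";
  if (!auth.startsWith("Bearer ")) return { status: 401, body: "missing token" };
  const claims = verifyToken(secret, auth.slice("Bearer ".length), now);
  if (claims === null) return { status: 401, body: "invalid or expired token" };
  if (claims.role !== "admin") return { status: 403, body: "insufficient role" };
  return { status: 200, body: PRIVATE_DATA };
}

// Walk through the cases the question worries about; returns the HTTP status per case.
export function scenario(): Record<string, number> {
  const SECRET = "server-side-secret-never-shipped-to-the-client"; // hypothetical
  const now = 1_700_000_000;
  const admin = issueToken(SECRET, { sub: "alice", role: "admin", exp: now + 600 });
  const user = issueToken(SECRET, { sub: "bob", role: "user", exp: now + 600 });
  const forged = issueToken("guessed-secret", { sub: "mallory", role: "admin", exp: now + 600 });
  const call = (token: string | null, at = now) =>
    getPrivateData(SECRET, { headers: token ? { authorization: `Bearer ${token}` } : {} }, at).status;
  return {
    guardBypassedNoToken: call(null),        // 401: loading the component gave no data
    forgedToken: call(forged),               // 401: HMAC does not verify
    expiredToken: call(admin, now + 601),    // 401: exp in the past
    validButWrongRole: call(user),           // 403: authenticated, not authorized
    validAdmin: call(admin),                 // 200: data returned
  };
}
```

The guard and the `*ngIf` from the answer are convenience for honest users; `getPrivateData` is where the decision is made, and it re-verifies the token on every call rather than trusting anything the client remembers. In a real Angular app the token would be sent by an `HttpInterceptor` and stored in memory or an HttpOnly cookie rather than reconstructed here; the verification logic stays server-side either way.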
