
Angular 2 Route Guard / Auth Guard Security


I just finished an Angular 2 course on Angular 2 and Firebase at Angular-University.

The instructor, Vasco (@angular-university), brought up that the Router Guard is not secure and you could bypass it since it's a front-end framework.

We used Firebase Auth to know if a user is authenticated and set up the security rules to prevent read/write unless a user is authenticated. So, I know the data is protected.

However, is the route actually secure? He mentioned using a server backend for more security but didn't go into any details.

I've been trying to search around but I haven't been able to see where anyone else has brought this up.

At the end of the day, is the Angular 2 router guard secure on its own or do you have to implement a server to protect routes? How would a user bypass the routes anyway?

Thanks!

The problem you describe is not specific to Angular. All JavaScript applications face the same security concerns.

Vasco is right to highlight that route guards are only partly secure. They're just a piece of code executed in the client's browser. If the user could tamper with this code (in their browser memory, for instance) they could potentially change the way it works.

In practice this is not necessarily easy as the deployed code is minified, uglified, bundled... But at a lower level your Angular app is just a bunch of static HTML/JS/CSS files sitting on a server. These files are often publicly accessible: anyone knowing their URLs can download them and browse their source code. Ask yourself which risks you'd run if someone were to read the source code of your app files. You should never store sensitive information in these files.

As a general rule, if you have secured your backend you've done the bulk of the work. Imagine a malicious user found a way to activate one of your guarded routes. The backend would still return no data for this route and there'd be nothing to display on the page. Conversely, you should see to it that any sensitive operation consults the backend (e.g. don't let users transfer money just because they can see and click the "Transfer" button in their browser; the backend should verify that they're authenticated and that they have sufficient funds).

Now if you wanted that extra layer of security, you could require that users be authenticated to access even the static assets of your app (index.html, .js files...) but you'd need to use a server which supports that (Firebase hosting doesn't AFAIK) and in practice this is seldom necessary.

Taking a step back, securing a single-page app is about more than securing its routes. There's cross-site scripting, click-jacking, etc.

Here are some resources that you could check out:
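The following TypeScript is an added example, not code from the question, the answer or Angular-University, that models the argument in the answer above: a guard with the same shape as Angular's `CanActivate`, a client-held session the user fully controls, and a backend endpoint that checks an HMAC-signed token before returning data. It deliberately imports nothing from Angular so it runs under plain Node; the session shape, the token format, the `/account` route and the `handleAccountRequest` endpoint are illustrative assumptions. The second scenario flips the client flag the way a user could from DevTools: the guard lets the route render, but the backend still answers 401, which is exactly why authorization has to live server-side.

```typescript
// Added example (not from the original Q&A): a client-side guard versus a backend check.
import * as crypto from "crypto";

// ----- client side: everything here lives in the user's browser and can be edited -----

// What an auth guard typically consults: some client-held authentication state.
interface ClientSession {
  loggedIn: boolean;
  token: string | null; // opaque token issued by the backend at login
}

// Mirrors the shape of Angular's CanActivate.canActivate(): boolean (no Angular import,
// so the example runs under plain Node).
class AuthGuard {
  private readonly session: ClientSession;
  constructor(session: ClientSession) {
    this.session = session;
  }
  canActivate(): boolean {
    return this.session.loggedIn;
  }
}

// A tiny stand-in for the router: a guarded route renders only if the guard says so.
function navigate(guard: AuthGuard, route: string): string {
  return guard.canActivate() ? `rendered ${route}` : "redirected to /login";
}

// ----- backend side: the only place a decision can be trusted -----

// Secret known only to the backend (hypothetical; a real service loads it from a secret store).
const SERVER_SECRET = crypto.randomBytes(32);

// Assumed token format: base64url(userId) + "." + base64url(HMAC-SHA256(secret, base64url(userId))).
function issueToken(userId: string): string {
  const payload = Buffer.from(userId).toString("base64url");
  const mac = crypto.createHmac("sha256", SERVER_SECRET).update(payload).digest("base64url");
  return `${payload}.${mac}`;
}

// Returns the user id if the token is genuine, null otherwise. A client cannot forge this:
// the secret never leaves the server, so no amount of editing browser state produces a valid MAC.
function verifyToken(token: string | null): string | null {
  if (!token) return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [payload = "", mac = ""] = parts;
  const expected = crypto.createHmac("sha256", SERVER_SECRET).update(payload).digest("base64url");
  const got = Buffer.from(mac);
  const want = Buffer.from(expected);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return null;
  return Buffer.from(payload, "base64url").toString();
}

// The API the guarded page calls for its data. Authorization happens here, not in the guard.
function handleAccountRequest(authorizationHeader: string | null): { status: number; body: string } {
  const bearer =
    authorizationHeader && authorizationHeader.startsWith("Bearer ")
      ? authorizationHeader.slice("Bearer ".length)
      : null;
  const user = verifyToken(bearer);
  if (!user) return { status: 401, body: "unauthenticated" };
  return { status: 200, body: `balance for ${user}: 42.00` };
}

// ----- scenarios -----

// 1. Legitimate login: the backend issues a token, the client stores it, guard and API both allow.
function legitimateFlow(): { page: string; api: { status: number; body: string } } {
  const session: ClientSession = { loggedIn: true, token: issueToken("alice") };
  const page = navigate(new AuthGuard(session), "/account");
  const api = handleAccountRequest(`Bearer ${session.token}`);
  return { page, api };
}

// 2. Bypass: the user never logged in, flips the client flag (e.g. from DevTools) and invents a
//    token. The guard is fooled and the route renders, but the backend refuses to serve data.
function tamperedFlow(): { page: string; api: { status: number; body: string } } {
  const session: ClientSession = { loggedIn: false, token: null };
  session.loggedIn = true; // attacker edits client-side state
  const forgedPayload = Buffer.from("alice").toString("base64url");
  session.token = `${forgedPayload}.${"A".repeat(43)}`; // attacker guesses a 43-char MAC
  const page = navigate(new AuthGuard(session), "/account");
  const api = handleAccountRequest(`Bearer ${session.token}`);
  return { page, api };
}

console.log("legitimate:", legitimateFlow());
console.log("tampered:  ", tamperedFlow());
```

Run it with `npx tsx guard-demo.ts` (or any TypeScript runner): both scenarios print `rendered /account`, because the guard only looks at a flag the user owns, while only the legitimate scenario gets a 200 from the backend. The same split applies to Firebase: the guard decides what the browser shows, the security rules decide what data exists to show.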
