Angular 2+安全; 保护服务器上的延迟加载模块
[英]Angular 2+ Security; Protecting Lazy Loaded Modules on the Server
问题描述
I have an Angular 2+ app where users are entering personal data. 
我有一个Angular 2+应用程序,用户输入个人数据。 This data gets analyzed in another part of the app that is available only to people with specific permissions. 此数据在应用程序的另一部分中进行分析,该部分仅适用于具有特定权限的人员。 The issue is that we don't want unauthorized people to know how we are analyzing this data. 问题是我们不希望未经授权的人知道我们如何分析这些数据。 So it would be bad if they were able to view the templates in the app. 因此,如果他们能够在应用程序中查看模板,那就太糟糕了。 Since it's a client-side app, it is always possible for a savvy user to tweak the app, and view the templates. 由于它是一个客户端应用程序,精明的用户总是可以调整应用程序,并查看模板。 Using route guards, lazy loading, and CanLoad will not protect us here, since all the modules are available with a simple HTTP request, and the urls to the resources can be found by a savvy enough user. 使用路由保护,延迟加载和CanLoad将不会在这里保护我们,因为所有模块都可以通过简单的HTTP请求获得,并且足够精明的用户可以找到资源的URL。
I understand a common way to deal with this is to use separate applications. 我理解处理这个的常用方法是使用单独的应用程序。 In this case, there would be three, one for login/registration, one for the users to enter data, and one for people with specific permissions to analyze the data. 在这种情况下,将有三个,一个用于登录/注册,一个用于用户输入数据,一个用于具有分析数据的特定权限的人。
That isn't ideal to me, because that requires managing three different code repositories. 这对我来说并不理想,因为这需要管理三个不同的代码库。
I'm thinking there has to be a way to protect Angular 2+ lazy loaded modules on the server side. 我认为必须有一种方法来保护服务器端的Angular 2+延迟加载模块。 I've read a couple discussions about this topic, though no one seems to have identified as clear of a reason for needing this as I have: 我已经阅读了关于这个主题的几个讨论,但似乎没有人像我一样确定需要这个的理由:
https://groups.google.com/forum/#!topic/angular/ZYHwNwPfIzY https://www.reddit.com/r/Angular2/comments/56dqsd https://groups.google.com/forum/#!topic/angular/ZYHwNwPfIzY https://www.reddit.com/r/Angular2/comments/56dqsd
The second link seems to hint that this is now possible, with named chunks, and by adding tokens/cookies to lazy-load requests in Webpack. 第二个链接似乎暗示现在可以使用命名块,并在Webpack中向延迟加载请求添加标记/ cookie。
I'm not seeing any more info on how to accomplish this. 我没有看到有关如何实现这一目标的更多信息。 Can anyone provide me an example of this being accomplished. 任何人都可以为我提供一个完成这个的例子。 And is there a name for this strategy? 这个策略有名字吗?
Note: I do realize that this still isn't 100% secure, since there's always a possibility that the modules could be scraped from an authenticated user's browser cache. 注意:我确实意识到这仍然不是100%安全,因为总是有可能从经过身份验证的用户的浏览器缓存中删除模块。 To avoid a lengthy discussion, I'll say we're not worried about that at all. 为了避免冗长的讨论,我会说我们根本不担心。
1 个解决方案
解决方案1
1 2018-11-30 01:06:37
Why don't you set up your app to dynamically pass the html back from the server IFF (if and only if) the user has the correct permissions. 为什么不将应用程序设置为从服务器IFF动态传递html(当且仅当)用户具有正确的权限。
You have to assume the client can get to the page. 您必须假设客户端可以访问该页面。 The page will just be a blank div with a [innerHtml]="responseHTMLFromYourServer". 该页面只是一个带有[innerHtml] =“responseHTMLFromYourServer”的空白div。
There are ways to load dynamic components: 有一些方法可以加载动态组件:
@Directive({
selector: '[template-host]'
})
export class HostDirective{
@Input('template-host') set templateHtml(value){
this.hostElement.innerHTML = value;
}
private hostElement:HTMLElement;
constructor(elementRef:ElementRef){
this.hostElement = elementRef.nativeElement;
}
}
// Usage
<div [template-host]="myTemplate"></div>
How to get ng-template innerHTML to component 如何将ng-template innerHTML转换为组件
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.