
Isn't the AngularJS ui-router resolve insecure?

If I have the current state

$stateProvider.state("display", {
    url: "/display",
    templateUrl: "display.ng.html",
    controller: "DisplayController",
    controllerAs: "displayController"
});

and I add a resolve to the state so that only logged in people can access the route, such as:

resolve: {
    "currentUser": ["$meteor", function($meteor) {
        return $meteor.requireUser();
    }]
}

*taken from http://angular-meteor.com/tutorial/step_08

Doesn't this create a security hole?

Can't anyone open up the console in their browser and "re-write" the route so that it doesn't require the user?

If we target the question as set forward, "Yes" would be the short answer. The truth behind that answer is, though, that it wasn't designed to be secure, as that is impossible. The second the user/client has finished downloading the page, they technically have full access to everything you gave them. No matter how many client-side precautions you take, people could just save your files, edit them as they please and reload the page using those files. They could go to whichever route they wanted, run whatever JavaScript they wanted, etc.

What does this mean? Never trust the user. Ever. If you don't want someone to see something, don't include it -at all- in the response. If you hide it client-side, nothing stops the user opening up the source viewer and just digging through the files to find it. Even if you minify and everything, someone out there, with enough drive, can find everything.

The same applies to API calls, socket communication, etc. The client can send whatever they want. If they know the URL, expected data and sending method, they can just create their own fake client and send whatever the hell they want. This is why client-side validation is pretty much only useful for UI reasons (flagging boxes as red, saving time by refusing forms, etc.), but you MUST revalidate and recheck -everything- server-side too.

tl;dr - Yes, it's "insecure", but it's not Angular/ui-router's fault. It's just the way it is with client-side development. If you don't want a user who doesn't have access to see something, don't include it AT ALL in the data/files you send them. Detect it and strip it out server-side.
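The server-side check the answer insists on, as an added example that is not from the question, the answer or angular-meteor: a plain Node.js handler for the data behind the /display route that decides access from a server-issued session token and strips protected fields before they leave the server. The session store, record and request objects are constructed for the example; in Meteor the equivalent server-side check is `this.userId` inside a method or publication.

```javascript
// Constructed server-side session store: opaque token -> user record.
// Only the server can turn a token into a user; a client cannot forge this mapping.
const SESSIONS = new Map([
  ['tok-alice-7f3a', { id: 'u1', name: 'alice' }],
]);

// Constructed record with one public and one members-only field.
const RECORD = { title: 'Public title', secret: 'members only text' };

// Resolve the caller from a credential the server issued, never from a
// "currentUser" or "loggedIn" value the client put in the request body.
function authenticate(request) {
  const token = request.headers && request.headers['x-session-token'];
  return (typeof token === 'string' && SESSIONS.get(token)) || null;
}

// Return only the fields the caller may see. Protected fields are removed
// from the response, not hidden behind a flag the client could flip.
function stripProtected(record, user) {
  const { secret, ...publicFields } = record;
  return user ? { ...publicFields, secret } : publicFields;
}

// Server handler behind the /display route. The ui-router resolve on the
// client is UI convenience; this is where access is actually decided.
function displayHandler(request) {
  const user = authenticate(request);
  if (!user) {
    return { status: 401, body: { error: 'login required' } };
  }
  return { status: 200, body: stripProtected(RECORD, user) };
}

// A client that edited its JavaScript to skip the resolve and claims to be
// logged in still has no server-issued token, so nothing protected is sent.
const forged = { headers: {}, body: { currentUser: { id: 'u1', loggedIn: true } } };
console.log(displayHandler(forged).status);                                              // 401
console.log(displayHandler({ headers: { 'x-session-token': 'tok-alice-7f3a' } }).status); // 200
```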
