
Security in Angular2 with TS

I want to build a web application using Angular2 with TS.

I read several tutorials about authentication in Angular2 and they say that I have to implement the following things.

  1. index component (public)
  2. login component (public)
  3. my private component (private)

All these components are routed with the Angular-Router and protected with some guards.

But I think that these guards are not really secure. The routes are guarded but the components are there somewhere in JS on the client. Some "js-hacker" could access the private component without permission.

Am I right with this thought?

My solution would be to request the private component during the authentication request and return it only if the user has permission.

But in this case, I would have to split up my application into a login part and a private part. (Seems like overhead)

Another solution would be to send a token with every request, so that the "js-hacker" is able to see the component, but not its data; therefore it's useless for him. (But this token needs to be stored)

Please help me decide which way to go in terms of security, or suggest a better one (I would prefer a better one...).

Thanks.

You'd use *ngIf to conditionally attach your secured component on a valid authentication status. If whatever you bind the *ngIf to evaluates as false, it won't just hide it from view, it will completely remove the component and everything inside it from the DOM.

If they knew what they were doing, they could still look at the source code for the component, yes, but as you surmised, you'd want to keep sensitive data out of the source code and only grab it from somewhere secure for authenticated users.

You should really look into Google's Firebase. Firebase can handle authentication for you much more securely and robustly than you could yourself, and you can use Firebase Realtime Database to store sensitive data and only send it to the client when users are authenticated. It's incredibly simple, works very well with Angular (AngularFire2 is the official library, though it's not necessary), and it has a ton more features than just database and authentication. Trust me, you will not regret it.
