Angular - 管理文件可以下载吗? [英] Angular - Are admin files downloadable?
问题描述
我有一个使用 Angular 的网站.我使用 jwt 实现了身份验证.我知道我们可以使用 Angular Route Guard 阻止用户前往受限路线.
I have a website with Angular. I implemented the auth with jwt. I know we can prevent the user to go to the restricted routes with Angular Route Guard.
通常在 SPA 中,所有路由 (html) 都是可下载的.只是我们通过响应 403 代码来处理服务器中未经授权的路由.因此,用户可以安全地看到 html 而无法获取任何数据.但是在特定的项目中,我们甚至不希望用户能够看到管理面板的html(因为他可以了解结构)
Usually in SPAs all routes (html) are downloadable. Just we handle unauthorized routes in server by responding 403 code. So it's safe that user can see the html bu can't get any data. But in a specific project, we even don't want user to be able to see the html of admin panel (Since he can know about structures)
有什么想法吗?我应该使用 Route Guard 的通常场景,还是应该只有一个单独的面板(例如在未知目录中)?
Any idea? Should I use the usual scenario with Route Guard or I should just have a separated panel (For example within an unknown directory)?
推荐答案
您可以使用管理员令牌保护后端 API,因此任何想要获取/发布/删除任何关键数据的用户都需要一个有效的可以让他访问的令牌.
You can secure backend API's with an admin token so any user who want to get/post/delete any critical data need a valid token that can let him access.
永远不要让您的秘密密钥"或任何身份验证解码数据在前面.
Never let your 'secret key' or any authentication decoding data in the front.
在node.js中你可以添加一个管理中间件来检查用户是否是管理员(在解码前端网站发送的令牌后).
In node.js you can add an admin middlware that check if the user is an admin or not (after decoding the token sended from the front website).
查看这篇文章可能会有帮助.
check this article it might help.
这篇关于Angular - 管理文件可以下载吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
