从当登录失败的javascript读取数据和文件prevent用户 [英] Prevent user from reading javascript data and files when login fails
问题描述
我有被写在angularjs的应用程序。然而,这个问题适用于一般的JavaScript应用程序。
I have an application which is written in angularjs. However, this problem applies to javascript applications in general.
用户调用浏览器,然后presents他登录页面中的index.html。然而,在背景中,所有的JavaScript文件被已经装载。因此,用户在理论上可以阅读code(即使混淆和精缩),并获得重要的信息(关键字,剩下的通话网址等)。即使我会做的js文件延迟加载,用户仍然可以查找JS的源路径,并从服务器拉出。有没有一种方法,以prevent这样做用户?
The user calls the index.html in the browser, which then presents him the login page. However, in the background, all javascript files are being already loaded. Therefore the user could in theory read the code (even when obfuscated and minified) and gain important information (keywords, rest call urls and so on). Even if I would do lazy loading of js files, the user still can lookup the js source path and pull it from the server. Is there a way to prevent a user from doing so?
编辑:或者是有至少一种方式来prevent从看到JS源之前已经成功地验证自己的用户(读取REST API URL没有prevention)?我的应用程序包含(在应用程序本身的数据!= REST调用数据,但字符串),它不应该知道什么时候是不需要验证他的数据。
or is there at least a way to prevent the user from seeing the js source before has successfully authenticated himself (no prevention of reading the rest api url)? My application contains data (data!=rest call data but Strings in the application itself) which one should not know when he is not authenticated.
推荐答案
在我目前的apllication我使用PHP的剩余部分。所以这是pretty容易产生的index.php处理登录在古典方式如果登录我的用户会去实际的角度应用。
In my current apllication I use PHP for the REST part. So it's pretty easy to have index.php handle the login in a classical way and if the user logged in i'll head to the actual Angular App.
我所有的REST功能做了检查LOGGED_IN如果失败,回到index.php文件。也是我的谐音是用于登录,经营权与所有权做检查PHP模板,临阵退缩,如果事情是错误的或者只是不包括关键零部件的脚本或东西,允许用户看到替换它们。
All my REST functions do a logged_in check and if it fails, head back to index.php. Also my partials are PHP templates that do checks for Login, Rights and Ownership that chicken out if something is wrong or just don't include crucial script parts or replace them with something that the user is allowed to see.
相关所以一切安全在服务器端处理,一切方便于客户端。
So everything security related is handled on the server side, all the convenience on the client side.
和是的,我可以用一个事实,即黑客攻击或登录失败重新加载最小的登录页面生活。
And yep, i can live with the fact that a hacking attempt or a failed login reloads the minimal login page.
这篇关于从当登录失败的javascript读取数据和文件prevent用户的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
