Angular-管理文件可以下载吗? [英] Angular - Are admin files downloadable?
问题描述
我有一个Angular网站.我用 jwt 实现了auth.我知道我们可以防止用户使用Angular Route Guard 进入受限路线.
I have a website with Angular. I implemented the auth with jwt. I know we can prevent the user to go to the restricted routes with Angular Route Guard.
通常在SPA中,所有路由(html)均可下载.只是我们通过响应403代码来处理服务器中的未授权路由.因此,用户可以看到html bu不能获取任何数据是安全的.但是在一个特定的项目中,我们甚至不希望用户能够看到管理面板的html(因为他可以了解结构)
Usually in SPAs all routes (html) are downloadable. Just we handle unauthorized routes in server by responding 403 code. So it's safe that user can see the html bu can't get any data. But in a specific project, we even don't want user to be able to see the html of admin panel (Since he can know about structures)
有什么主意吗?我应该在Route Guard中使用通常的方案还是应该有一个单独的面板(例如在未知目录中)?
Any idea? Should I use the usual scenario with Route Guard or I should just have a separated panel (For example within an unknown directory)?
推荐答案
您可以使用管理员令牌保护后端API的安全,因此任何想要获取/发布/删除任何关键数据的用户都需要有效的可以让他访问的令牌.
You can secure backend API's with an admin token so any user who want to get/post/delete any critical data need a valid token that can let him access.
切勿让您的秘密密钥"或任何身份验证解码数据出现在前面.
Never let your 'secret key' or any authentication decoding data in the front.
在 node.js 中,您可以添加管理员中间件,以检查用户是否为管理员(在解码从前端网站发送的令牌后).
In node.js you can add an admin middlware that check if the user is an admin or not (after decoding the token sended from the front website).
检查此文章可能会有所帮助.
check this article it might help.
这篇关于Angular-管理文件可以下载吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
