I'm studying AngularJS, and found an example of how to use AngularJS with a third-party RESTful store API, in this demo: http://jsfiddle.net/tey3H/
I think this is a good idea, since I can write JS code on the client side. But I'm worried about the security, because I see this code:
    // apiKey is a default parameter, so it is sent with every request
    var Project = $resource('https://api.mongolab.com/api/1/databases' +
        '/angularjs/collections/projects/:id',
        { apiKey: '4f847ad3e4b08a2xxxxxxxxx' }, {
            update: { method: 'PUT' }
        }
    );
You can see there is an apiKey in the code, and the client-side code has the ability to modify the data stored in MongoLab. If other people find the key, they can easily modify the data too.
So I wonder how to handle security.
It depends on the server.
This example uses MongoLab. AFAIK, they still don't support user-based authentication, so you would have to write an app server, which would sit in front of Mongo and handle permissions.
See http://support.mongolab.com/entries/20269612-rest-api-permissions-and-security-best-practice