So I'm writing a quick little app for internal use at my company with AngularJS and I'm basically basing my project off the "Project" on the AngularJS website: http://angularjs.org/#project-js
I've gotten my views/models/controllers setup and I'm able to write and read from the database. The problem is that even though the forms to write to the db are behind authentication this project is going to be used by other developers. If I know them the first thing everyone will do is jump into a javascript console and try to write to the database.
Am I missing some sort of authentication here? When using the api method of connecting to mongodb (as in the example url) is there a way to prevent anyone from writing to the database or is that just the danger of using a client side connection to your db?
You client (browser) should not post data directly to the datastore. It should go through middleware, for e.g. rails api or something that will run server side validations and then save to the datastore. If your javascript is directly posting stuff to the db then not only the credentials be exposed but also a hacker can bypass validation and persist values that should not be saved.
PS: Your rails app should be adding it's own authentication layer. That way the forms that are doing CRUD are secured.