A disclaimer: I'm not really a developer, I just enjoy writing some code every now and then :)
Recently I've learned about AngularJS and browser-side MVC frameworks in general, and decided to play with it. Most of the Angular docs don't talk in detail about the server side of things, leaving this as a free choice for the user. After reading up on Angular's $resource service, I've learned about DBs like MongoDB and CouchDB that expose a RESTful interface on their own. Which brought an obvious question - how do you secure those kinds of things?
In a "traditional" web application, there'd be a layer on the server side tasked with authenticating users and authorizing their access to the data. Once that's done, server-side code would talk to the underlying data store (an RDBMS for example) using a fixed set of credentials (identical, regardless of webapp user identity). I can of course replicate this model and write some CRUD code that will expose a REST interface and behave similarly. If I want to use $resource, do I need to tie webapp users to some DB users? I can't use a common set of credentials, as they'd be visible in the code - it looks like it's either writing an intermediate layer, or tying one set of users to another.
I'm curious how this problem is usually solved - as you can see, I have some ideas. Due to my lack of experience I'm just curious about best practices here :) In a general sense, this can be a bit wider question: given that you're not supposed to trust client side running code, how do you deal with things like form validation and other "authorization"-like logic?
tl;dr: How do you secure RESTful db access? How do you secure your application logic?
Normally, the RESTful API that your front-end would communicate with would be your own implementation. It would authenticate and authorize users, and also validate data before storing it in the DB.
Some form validation can be done on the client-side, but I prefer to do data validation on the back-end as well, as opposed to just trusting the client data as it is.
The short answer is probably a cookie.
When the user authenticates, you put some of those authentication details into a cookie. It might just be a Session ID or something more meaningful. Whatever it is, make sure to encrypt it. Then when a REST request is sent, the cookie is passed along with the request.
A server side Web Filter would intercept the request, make sure the request is authenticated and authorized, then proceed if everything is okay.
If I understand the question right, the answer is: first, you should secure your backend REST calls. After setting up server security you should secure your UI pages, but that is not real security against guys who know how to use the dev tools in Chrome ) How can you secure your UI pages with Angular? It is very easy: I used the Angular router to bind the controllers and UI pages, and also a resolver to check access. In short you can do something like this:
    // Requires the ngRoute module; $routeProvider is where .when() lives.
    angular.module("app", ["ngRoute"])
      .service("AuthService", function() {
        var data = {};
        // Stub: a real check would ask the backend whether the session is valid
        data.checkAuth = function() { return true; };
        return data;
      })
      .config(function($routeProvider) {
        $routeProvider.when("/news", {
          templateUrl: "newsView.html",
          controller: "newsController",
          resolve: {
            // Resolved before the route activates and injected into the controller
            checkAuth: function(AuthService) {
              return AuthService.checkAuth();
            }
          }
        });
      })
      .controller("newsController", function($scope, checkAuth) {
        $scope.isAuthenticated = checkAuth;
      });
Hope it helps.