Iam plan to develop a website with a public area and a private area. Both areas of the site will be separate single page apps implemented with AngularJS. I use Node.js to create a REST Web Service for the front-end.
The private area can only be accessed by authentication (username/password). Also the authentication is needed to invoke REST API calls.
The files of the public area will be stored in the subfolder /public and the files for the private folder in the subfolder /private. I serve the static files for the public area with nginx. I also want to serve the static files of the private area with nginx.
How can I prevent users to access the files directly like www.example.com/private/js/app.js
Only users which are authenticated should be able to open files in the /private folder.
Unfortunately, if you use nginx to server the static private files, you are restricted to very basic authentication methods, for example:
However, if your systems stores users in a database, nginx has no idea how to authenticate users. Furthermore, if in your system the authentication has to be combined with authorization, i.e., user1 can only access /private/user1/kittenpicture.jpg and user2 /private/user2/nakedpics.jpg, nginx will not help you either, and you have no other choice but to serve your private files from nodejs (since then you can combine all sorts of authentication/authorization middlewares with middlewares for serving static files.