问题
I have a website with Angular. I implemented the auth with jwt. I know we can prevent the user to go to the restricted routes with Angular Route Guard.
Usually in SPAs all routes (html) are downloadable. Just we handle unauthorized routes in server by responding 403 code. So it's safe that user can see the html bu can't get any data. But in a specific project, we even don't want user to be able to see the html of admin panel (Since he can know about structures)
Any idea? Should I use the usual scenario with Route Guard or I should just have a separated panel (For example within an unknown directory)?
回答1:
You can secure backend API's with an admin token so any user who want to get/post/delete any critical data need a valid token that can let him access.
Never let your 'secret key' or any authentication decoding data in the front.
In node.js you can add an admin middlware that check if the user is an admin or not (after decoding the token sended from the front website).
check this article it might help.
nodejs securing api's
来源:https://stackoverflow.com/questions/56717180/angular-are-admin-files-downloadable