
Maybe you can help me with a dilemma.

I use Node.js, Express, Passport on the server side and Backbone on the client side.

I am developing a book manager app.

Let's say I wanted to add a new book.

On the client side:

The Backbone router sends me to addBookView.

Here, I instantiate the following model:

define([
    'underscore',
    'backbone'
], function(_, Backbone){   // the module argument must be spelled 'Backbone', not 'Backbobe'

    var BookModel = Backbone.Model.extend({

        // Backbone calls url() on save/fetch/destroy.
        // A new model (no id yet) POSTs to the collection URL;
        // an existing one PUTs/DELETEs to /books/:id.
        url: function(){
            if (this.isNew()){
                return 'http://localhost:3000/books';
            } else {
                return 'http://localhost:3000/books/' + this.id;
            }
        }
    });

    return BookModel;
});

The model hits the following URL with a POST request: http://localhost:3000/books

On the server side:

I check to see if the user is authenticated.

If the user isn't logged in, the server will send a 401 response (unauthorized) and nothing will be posted to my database.

Which is pretty secure, but has a flaw... and I'm not sure if I can do anything about it:

The user, even if he isn't logged in, will still see the view's content.

He won't be able to post anything, but he will see the actual form.

Here is what I have tried:

  1. I tried to use an Express server redirect if the user isn't logged in:

    res.redirect('/');

But that won't work, because Backbone is a single-page app and I am already on the index page.

  2. I could do a check in the Backbone router: if the user isn't logged in, I would not allow him to reach the post page.

But this could easily be hacked, since (I'm not a hacker, but) I believe the router's JavaScript could be modified to bypass that check.

What can I do?

Any ideas?

Dany D
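As an added example (not the asker's code), here is the server-side check the question describes, written as Express-style middleware that can be exercised without a running server. It assumes Passport has attached `req.isAuthenticated()` to the request (which real Passport does); the request and response objects below are hand-built stand-ins for Express's, and the `books` array stands in for the database. The point it demonstrates is that the 401 is the actual security boundary: the anonymous request never reaches the route handler, so nothing is stored, whatever the client-side view showed.

```javascript
// Added example, not the asker's code: Express-style middleware guarding POST /books.
// Assumes Passport's req.isAuthenticated(); req/res objects here are constructed stand-ins.

const books = []; // constructed in-memory store standing in for the database

function resetBooks() { books.length = 0; }
function booksCount() { return books.length; }

// Middleware: reject unauthenticated requests with 401 before the route
// handler ever runs, so nothing is written for an anonymous user.
function ensureAuthenticated(req, res, next) {
  if (typeof req.isAuthenticated === 'function' && req.isAuthenticated()) {
    return next();
  }
  // JSON body rather than res.redirect(): the client is a single-page app
  // and decides itself what to show when it receives a 401.
  res.status(401).json({ error: 'unauthorized' });
}

// Route handler for POST /books, reachable only through ensureAuthenticated.
// Still validates its input: authentication is not the same as a well-formed body.
function createBook(req, res) {
  const { title, author } = req.body || {};
  if (typeof title !== 'string' || title.trim() === '') {
    return res.status(400).json({ error: 'title is required' });
  }
  const book = {
    id: books.length + 1,
    title: title.trim(),
    author: typeof author === 'string' ? author : '',
    owner: req.user.id // set by Passport on a logged-in request
  };
  books.push(book);
  res.status(201).json(book);
}

// Minimal stand-in for an Express response object (constructed for the example).
function makeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = function (code) { this.statusCode = code; return this; };
  res.json = function (obj) { this.body = obj; return this; };
  return res;
}

// Runs the chain the way Express would: ensureAuthenticated, then createBook
// only if next() was called. Returns the response so callers can inspect it.
function postBook(req) {
  const res = makeRes();
  let reachedHandler = false;
  ensureAuthenticated(req, res, function () {
    reachedHandler = true;
    createBook(req, res);
  });
  return { status: res.statusCode, body: res.body, reachedHandler };
}

// Constructed requests: one anonymous, one carrying a Passport-style session user.
function anonymousRequest(body) {
  return { body, isAuthenticated: () => false, user: undefined };
}
function loggedInRequest(body) {
  return { body, isAuthenticated: () => true, user: { id: 'user-42' } };
}

// Stand-alone demonstration of both paths.
function demo() {
  resetBooks();
  console.log(postBook(anonymousRequest({ title: 'Dune' })));                        // 401, not stored
  console.log(postBook(loggedInRequest({ title: 'Dune', author: 'Frank Herbert' }))); // 201, stored
  console.log('stored:', booksCount());
}
```

In a real app the same two functions would be wired as `app.post('/books', ensureAuthenticated, createBook)`; the router check the asker considers in option 2 is fine as a convenience for users, but this middleware is what makes tampering with the client-side JavaScript harmless.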

1 Answer

Dany,

I recommend you convert all server-side dynamic code into strict REST responses and put them under /api:

localhost:3000/api/
localhost:3000/api/login
localhost:3000/api/books

Make sure you stop using res.redirect or sending HTML/web content from /api. You may want to place your Backbone application under the public folder and serve it as the web root /:

localhost:3000/ <- public

So on the frontend, the books collection must be loaded from the corresponding REST resource /api/books:

localhost:3000/books  - loads content from - localhost:3000/api/books
localhost:3000/books/567  - loads content from - localhost:3000/api/books/567

Every form rendered on the frontend should post data to the corresponding REST API:

localhost:3000/books (new form)  - POSTs data to - localhost:3000/api/books

There may be several other patterns for resolving the issue(s); the above is what I implement in my own apps.

Nitin...
  • Interesting, but tell me: if a user who is not logged in hits the books view, what will he see in that case? – Dany D Jan 06 '14 at 10:10
  • Please read this if you want the user to go back to the login form: http://stackoverflow.com/questions/5808655/backbone-js-handling-if-a-user-is-logged-in-or-not – Nitin... Jan 06 '14 at 10:13
  • On the server side, /api/books may respond with error 401 or with empty books. Let's say your backend responds with 401 Unauthorized. On the client side, the Backbone application will need to take control from that response error and choose to redirect to login, show an empty list, show an error, etc. – Nitin... Jan 06 '14 at 10:17
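As an added example (not the answerer's code), here is the client-side half of the pattern the answer and its comments describe: the single-page app fetches and posts against /api/books and reacts to whatever the server answers. The transport is injected so the logic runs without a browser or Backbone; in a real app it would wrap Backbone.sync / $.ajax, and the `navigate` action would call the Backbone router. The two transports at the bottom are constructed stand-ins for the server's replies.

```javascript
// Added example, not the answerer's code: client-side reaction to /api/books responses.
// The transport function is injected (constructed stand-ins below) so this runs offline.

const API_BOOKS = '/api/books'; // REST resource, as laid out in the answer

// Decide what the single-page app does with a GET /api/books response.
// The server is the authority on who is logged in; the client only reacts
// to its verdict, so seeing the form or the empty list gives an anonymous
// user nothing the API would not have given him anyway.
function handleBooksResponse(response) {
  switch (response.status) {
    case 200:
      return { action: 'render', books: Array.isArray(response.json) ? response.json : [] };
    case 401:
      // Not logged in: drop any cached data and send the user to the login route.
      return { action: 'navigate', route: 'login', books: [] };
    case 403:
      return { action: 'error', message: 'forbidden', books: [] };
    default:
      return { action: 'error', message: 'unexpected status ' + response.status, books: [] };
  }
}

function loadBooks(transport) {
  const response = transport({ method: 'GET', url: API_BOOKS });
  return handleBooksResponse(response);
}

// Submitting the "new book" form: POST to the API and react to the status.
// On 401 the draft is kept so it can be re-submitted after login; nothing is
// assumed about the outcome until the server has said so.
function submitBook(transport, draft) {
  const response = transport({ method: 'POST', url: API_BOOKS, body: draft });
  if (response.status === 201) {
    return { action: 'saved', book: response.json };
  }
  if (response.status === 401) {
    return { action: 'navigate', route: 'login', retainedDraft: draft };
  }
  return { action: 'error', message: 'unexpected status ' + response.status };
}

// Constructed transports standing in for the two ways the server can answer.
function anonymousTransport() {
  return { status: 401, json: { error: 'unauthorized' } };
}
function loggedInTransport(request) {
  if (request.method === 'POST') {
    return { status: 201, json: Object.assign({ id: 568 }, request.body) };
  }
  return { status: 200, json: [{ id: 567, title: 'Dune' }] };
}

// Stand-alone demonstration of both users' experience.
function demo() {
  console.log(loadBooks(anonymousTransport));                        // navigate to login
  console.log(loadBooks(loggedInTransport));                         // render one book
  console.log(submitBook(anonymousTransport, { title: 'Dune' }));    // navigate, draft kept
  console.log(submitBook(loggedInTransport, { title: 'Dune' }));     // saved
}
```

With this split the question's "flaw" disappears as a security concern: the view is just static HTML served from the public folder, and every state change has to pass the API's authentication check.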