
So I'm trying to create a public/external link that can be generated and shared with anyone so people can get to a specific state of my AngularJS app.

I am using $stateProvider to manage states on the app, but I need a part of the app to be open to the public, i.e. a particular state open to the public such that as soon as they hit the URL, e.g. mydomain/post, it gives them access to that state alone. For example:

.state("post", {
    url: "/post",
    controller: "postController",
    templateUrl: "templates/post.html",
})

My app currently uses $stateChangeStart to check between state transitions, but it is set up to block any unauthenticated user. So if anyone who is not logged in tries to get to a state, it kicks them back to the login state, which is the default '/'.

.state("login", {
    url: "/",
    controller: "LoginController",
    templateUrl: "templates/login.html",
})

I know I could just give each state a value, probably 'authenticated', and set it to true or false for each state, and check the toState on $stateChangeStart if 'authenticated' is false and grant access based on that, but I need to know if it's a good idea and how to securely implement it.

How would you do this? Thanks in advance for any reply/suggestion.

Joshua Majebi

1 Answer


For 'securing' the UI, i.e. hiding some pages from unauthorized users, use ui-router's resolve parameter. See this question for more info. Put a 'resolve' on the states that need authentication, and leave it out for the public pages.

However, it is important to understand that any security measure that is implemented client-side is never fully secure. Anyone can have access to any page, including the ones that require authentication. All it takes for them is to open dev tools and alter the JavaScript. That's why you should properly handle authorization at the API level. This way, even if a malicious user can see a hidden page (i.e. they can browse to it and see the HTML), they won't be able to see any data that was fetched from the API.

fikkatra
  • Thanks for the answer. I like your last point of securing at the API level. I realise that the front end is the 'Front End' and anything can happen. But I'm trying to figure out how to generate a link to a specific route such that anyone who has the URL can just drop it in their browser's address bar and see the HTML that is in that route without having to be authenticated. – Joshua Majebi Apr 13 '16 at 17:38
  • The keyword to search for is 'unguessable url' or 'unguessable link' – fikkatra Apr 13 '16 at 20:34