
You are making an SPA, so I assume everything you want to secure (your *data*) is delivered through your WebAPI, and you can consider your Angular templates public.

In that case, you can basically ignore authentication on the client side, and just authenticate calls to the WebAPI. Any server calls that are unauthenticated, unauthorised, or from an expired session return an HTTP 401, to which your Angular app can respond by redirecting to the login page. You can use an HTTP Interceptor to simplify that code (example here stolen from http://djds4rce.wordpress.com/2013/08/13/understanding-angular-http-interceptors/).

```javascript
// Interceptor: let successful responses through, send the user to the
// sign-in view whenever the WebAPI answers 401.
myapp.factory('myHttpResponseInterceptor', ['$q', '$location', function ($q, $location) {
  return {
    // Successful responses pass straight through unchanged.
    response: function (response) {
      return response;
    },
    // Every failed response lands here; 401 means unauthenticated,
    // unauthorised or expired session.
    responseError: function (rejection) {
      if (rejection.status === 401) {
        $location.path('/signin');
      }
      // Still reject so the caller never treats the failure as success.
      return $q.reject(rejection);
    }
  };
}]);

// Register the interceptor so it runs for every $http (XHR) request.
myapp.config(['$httpProvider', function ($httpProvider) {
  $httpProvider.interceptors.push('myHttpResponseInterceptor');
}]);
```

In addition, if you know that your server-side session timeout is set to 20 mins, then you can also use an HTTP interceptor to keep track of the time of your last HTTP request. When it gets to, say, 19 minutes ago, then you can warn the user that they will be logged off in 1 minute unless they respond, in which case you call a "keep alive" service to reset the timeout, else at 20 minutes redirect to the session expired page. So no need to poll.

For a slightly better user experience, upon each view-load you could perform some rudimentary client-side check for the presence of a session cookie. If it doesn't exist (e.g. they've landed from a deep-link) then you can immediately redirect to login without calling the server. If it does exist, proceed as normal, knowing the first call to WebAPI will validate it.
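The scheme the answer describes (interceptor resets an idle clock on every request, a local timer warns a minute before the server session would expire, a 401 sends the user to sign-in, and a cheap cookie-presence check on view load) as an added, framework-free example. This is not code from the answer or from the linked blog post; `createSessionWatchdog`, `createAuthInterceptor`, `hasSessionCookie`, the injected `now`/`redirect`/`reject` callbacks and the 20-minute/1-minute figures are all assumptions chosen so the logic can run and be checked outside Angular.

```javascript
'use strict';

// Added example, not code from the original answer. Tracks the time of the
// last WebAPI request; a local timer (no server polling) warns shortly before
// the server-side session would expire. Times are in ms. `opts.now` is
// injected (Date.now in production) so the logic can run against a fake clock.
function createSessionWatchdog(opts) {
  const timeoutMs = opts.timeoutMs;        // server-side session timeout, e.g. 20 minutes
  const warnBeforeMs = opts.warnBeforeMs;  // how long before expiry to warn, e.g. 1 minute
  let lastRequestAt = opts.now();
  let warned = false;
  let expired = false;

  return {
    // Called from the request interceptor: each server round trip resets the
    // server's idle timer, so it resets the client's clock too.
    touch() {
      lastRequestAt = opts.now();
      warned = false;
      expired = false;
    },
    // Called from a timer tick (Angular: $interval) or on view load.
    // Returns 'ok', 'warn' or 'expired'; each callback fires once per idle period.
    check() {
      const idle = opts.now() - lastRequestAt;
      if (idle >= timeoutMs) {
        if (!expired) { expired = true; opts.onExpire(); }
        return 'expired';
      }
      if (idle >= timeoutMs - warnBeforeMs) {
        if (!warned) { warned = true; opts.onWarn(timeoutMs - idle); }
        return 'warn';
      }
      return 'ok';
    },
    msSinceLastRequest() { return opts.now() - lastRequestAt; }
  };
}

// Hooks in the shape of an Angular $http interceptor ({request, responseError}).
// `redirect` stands in for $location.path and `reject` for $q.reject (assumptions
// so the hooks run outside Angular).
function createAuthInterceptor(watchdog, redirect, reject) {
  return {
    request(config) {
      watchdog.touch();          // any outgoing call, including keep-alive, resets the clock
      return config;
    },
    responseError(rejection) {
      if (rejection.status === 401) {
        redirect('/signin');     // unauthenticated, unauthorised or expired session
      }
      return reject(rejection);  // still propagate so callers never see it as success
    }
  };
}

// Rudimentary deep-link check: is a session cookie present at all?
// Caveat: an HttpOnly session cookie (which it should be) is invisible to script,
// so in practice this looks for a separate non-HttpOnly marker cookie the server
// sets alongside it. `cookieHeader` is the document.cookie string.
function hasSessionCookie(cookieHeader, name) {
  return cookieHeader
    .split(';')
    .map(part => part.trim())
    .some(part => part.startsWith(name + '=') && part.length > name.length + 1);
}

// Demo on a fake clock: one request at t=0, then the user goes idle.
(function demo() {
  const MIN = 60 * 1000;
  let t = 0;
  const watchdog = createSessionWatchdog({
    timeoutMs: 20 * MIN, warnBeforeMs: 1 * MIN, now: () => t,
    onWarn: left => console.log(`warn: logged off in ${left / 1000}s unless you respond`),
    onExpire: () => console.log('expired: redirect to session-expired page'),
  });
  const interceptor = createAuthInterceptor(watchdog, path => console.log('redirect ' + path),
                                            r => Promise.reject(r));
  interceptor.request({ url: '/api/data' });
  for (const minutes of [0, 10, 19, 19.5, 20]) {
    t = minutes * MIN;
    console.log(`t=${minutes}min ${watchdog.check()}`);
  }
})();
```

In Angular the wiring is: push an object with these `request`/`responseError` hooks onto `$httpProvider.interceptors`, run `check()` from `$interval` every few seconds, and have the "stay signed in" button make an ordinary `$http` call to the keep-alive endpoint, which passes through `request` and resets the clock. The warning is driven by the client's own clock, so a laptop that sleeps past the timeout will see `expired` on the next tick rather than a warning, and the server's 401 remains the authoritative signal.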
1. Hi Mike, "..just authenticate calls to the WebAPI" -> Oh, I now understand; this is an inverse of what I mentioned in the problem description above. Now resources (including pages) are to be checked on the backend INSTEAD of (1) Ajax call first, (2) return allow=true flag, (3) re-call the original route call. Total of 3 round trips. "..an expired session return an HTTP 401" -> The interceptor just checks for invalid calls, then returns a 401, then if 401, returns to the login page -> If the user is routed to login, shouldn't he/she still be able to browse the page where he's allowed?
2. To clarify: 1. *Any* user (authorised or not) can request *any* Angular route. 2. The view will render and its controller will begin to run. At this point the user may be able to see the content of the view, but as far as security goes this is OK, as views themselves do not contain sensitive data. (It is not so good in terms of UX, but there are simple workarounds.) 3. The controller now makes a server call to fetch data. 4. The server sees that the user is not authorised to view this data so returns a 401. 5. Angular abandons the partially rendered view and shows the login view instead.
3. Yeah, you're correct on the _any_ part. On the part where the view is already showing even when the Ajax call isn't complete, off the top of my head I know that there's really a solution for this, so I guess this is not a problem. On items 3 to 5, all is clear. :) Thanks for helping me out. If you can drop some basic to advanced resources regarding this, I would really appreciate it!