
This is more of a request for pattern and discussion rather than a simple one-off question. I have a backbone app where a user can be part of different roles. The routes are defined as usual:

routes:
  "": "showHomePage"
  "import": "showImportPage"

I would like the import page to be accessible only to certain user roles. I imagine I can do something like this:

showImportPage: ->
  # client-side only: bails out of the route if the current user lacks the role
  if not MyApp.CurrentUser.can_import
    return

Which indeed works. Of course, as you can imagine, this is easily exploited by just using the Chrome console, and even if I don't show the link anywhere it's quite simple to just go to the address bar and type it.

Even though the above should be enough to stop a normal user, my question is: how could I secure that route from being accessed?

The opinion I have until now is that the only way is to refer back to the server before serving that route, either by checking a special URL or by simply re-fetching the User model before accessing... I have this hitch, though, that this will basically defeat the purpose of the whole idea behind a "single-page-app", if every url must be authenticated by the server and I need to show the usual ajax spinner before allowing the user to navigate... I know the amount of data going back and forward is minimal (only the json user info or even less), but still...

What are your opinions or solutions if you ever had to face this problem?

Tallmaris

1 Answer

I think your question is a great one.

I made a PhoneGap app using BackboneJS and Jquery mobile so I faced the same problems you are facing now.

I think authorization can't live solely on the client side since it is inherently wrong. What lives on the client is fully controlled by the client, and that's something no one can change.

Sending a request to the server does not break the single-page-app paradigm as long as the request gets the minimal data needed and all logic/view components are located on the client.

Keep in mind that if you have sensitive data in that page that you don't want regular users to see, it also must be sent from the server after verifying the authorization of the request, so it is not only a JSON of the user info that must be sent, it is the data itself as well.

I wish someone else would prove me wrong here, but as far as it goes for me that's the deal.

Erez Rabih
I do agree. A solution I have used now is to re-fetch the user and eventually redirect to the home page, but even this solution is flawed and can be worked around by simply sticking a breakpoint and changing the result... I am starting to think that the only solution is really to get the (minimal) data from the server at the point where the page is rendered and in that case either return a limited data-set or maybe a 403 error... – Tallmaris Nov 13 '12 at 17:00
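An added example (not code from the question or the answer) of the pattern the answer and the comment arrive at, with both sides in plain JavaScript: the server checks the role before producing the import data and answers 403 otherwise, while the client-side guard only decides whether to make the request at all. SESSIONS, authorizeImport, the role name "importer", and the fetchImport/navigate/render callbacks are constructed stand-ins for a real session store, role model, XHR and Backbone router.

```javascript
// --- server side (plain Node, no framework assumed) -----------------------
// Constructed session store: session cookie -> authenticated user and roles.
const SESSIONS = {
  "sess-alice": { name: "alice", roles: ["importer"] },
  "sess-bob":   { name: "bob",   roles: [] },
};

// Handler for the import-data request. The role check lives here, where
// nothing the browser does (console, breakpoints, edited JSON) can alter it.
function authorizeImport(sessionId) {
  const user = SESSIONS[sessionId];
  if (!user) {
    return { status: 401, body: { error: "not authenticated" } };
  }
  if (!user.roles.includes("importer")) {
    return { status: 403, body: { error: "forbidden" } };
  }
  // Only after the check is the sensitive payload built and sent (constructed rows).
  return { status: 200, body: { rows: [{ id: 1, sku: "A-100" }] } };
}

// --- client side ----------------------------------------------------------
// Counterpart of the question's showImportPage. `currentUser.can_import` is the
// client-side flag (tamperable); `fetchImport` stands in for the XHR and returns
// the server response; `navigate` for router.navigate; `render` for the view.
function showImportPage(currentUser, fetchImport, navigate, render) {
  if (!currentUser.can_import) {
    navigate("");                 // UX shortcut only: skip the request
    return "skipped";
  }
  const response = fetchImport();
  if (response.status !== 200) {
    navigate("");                 // a flipped can_import flag ends up here
    return "denied";
  }
  render(response.body.rows);     // data arrived, so the user really is authorized
  return "rendered";
}

module.exports = { SESSIONS, authorizeImport, showImportPage };
```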