I have an Angular 2+ application where users enter personal data. This data is analyzed in another part of the application, accessible only to people with specific permissions. The problem is that we do not want unauthorized people to know how we analyze this data. Therefore, it would be bad if they could view the templates in the application. Since this is a client application, an experienced user can always configure the application and view the templates. Using route safeguards, lazy loading and CanLoad will not protect us here, since all modules are available with a simple HTTP request, and resource URLs can be found by a reasonably thought-out user.
I understand that a common way to deal with this is to use separate applications. In this case, there would be three: one for login / registration, one for users to enter data and one for people with specific permissions for data analysis.
This is not ideal for me because it requires managing three different code repositories.
I think there should be a way to protect Angular 2+ lazy-loadable modules server-side. I read a couple of discussions on this topic, although no one seems to have identified the same reason for this as I did:
https://groups.google.com/forum/#!topic/angular/ZYHwNwPfIzY
https://www.reddit.com/r/Angular2/comments/56dqsd
The second link seems to hint that this is now possible, with named snippets and adding tokens / cookies to lazy loading requests in Webpack.
I do not see any more information on how to do this. Can anyone provide me an example of this? And is there a name for this strategy?
Note: I really understand that this is still not 100% safe, since there is always the possibility that modules can be cleared from the cache of an authenticated user's browser. To avoid a lengthy discussion, I will say that we are not worried about this at all.
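One way to do what the second link hints at, as an added example that is not part of the original question: the server hosting the bundles verifies a signed session cookie before it serves the protected lazy chunk. The cookie name `session`, the `/chunks/analysis` path prefix, the `analyst` role and the HMAC token format are all assumptions made for illustration.

```javascript
// Added example: server-side gate for lazy-loaded chunk requests (Node.js).
const nodeCrypto = require('crypto');

// Hypothetical names: the "session" cookie, the /chunks/analysis prefix, the "analyst" role.
const PROTECTED_PREFIX = '/chunks/analysis';
const REQUIRED_ROLE = 'analyst';

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const sign = (payload, secret) =>
  b64url(nodeCrypto.createHmac('sha256', secret).update(payload).digest());

// Issued by the login endpoint after authentication; send it as an HttpOnly, Secure cookie.
function issueToken(claims, secret) {
  const payload = b64url(JSON.stringify(claims));
  return `${payload}.${sign(payload, secret)}`;
}

// Returns the claims if the signature is valid and the token is unexpired, else null.
function verifyToken(token, secret, nowSec) {
  const [payload, sig] = String(token || '').split('.');
  if (!payload || !sig) return null;
  const expected = Buffer.from(sign(payload, secret));
  const given = Buffer.from(sig);
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected)) return null;
  try {
    const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
    return typeof claims.exp === 'number' && claims.exp > nowSec ? claims : null;
  } catch { return null; }
}

function readCookie(header, name) {
  for (const part of String(header || '').split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return v.join('=');
  }
  return null;
}

// Decide the HTTP status for a static-file request before any bytes are served.
function authorizeChunkRequest(urlPath, cookieHeader, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const path = new URL(urlPath, 'http://localhost').pathname; // resolves ../ segments first
  if (!path.startsWith(PROTECTED_PREFIX)) return 200;          // public bundle
  const claims = verifyToken(readCookie(cookieHeader, 'session'), secret, nowSec);
  if (!claims) return 401;                                     // no valid session
  return claims.role === REQUIRED_ROLE ? 200 : 403;            // authenticated, wrong role
}
```

Same-origin chunk requests carry the cookie automatically, so the client build needs no change as long as the protected module is emitted under the gated path.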