Routing security error in Angular / MEAN.io?

I just installed the MEAN stack (MongoDB, Express.js, AngularJS, Node.js) and opened the sample program (as shown on mean.io); it is a basic application you can log into and create an "article" blog post in, for testing only, etc.

Anyway, I deleted the '#!' from the URL, and it displayed all user models and articles exactly as they are in the database. It looks as if routing stops going through Angular and instead uses the Express routes, which are JSON REST APIs only. Is this a flaw in the MEAN stack package, in Angular as a whole, or maybe just in how a development environment is set up? I can't imagine that this would be released with such a huge mistake, but maybe I just missed something.

Steps to reproduce:

  • Follow the installation instructions for http://mean.io
  • Open your local application in a browser and create an account and log in
  • Create article
  • Browse to the newly created article and remove #!/ from the URL; you will then see the JSON object of the registered user account, complete with the hashed password and salt, as well as the article object.
+6
2 answers

As you say, deleting the #! invokes routing by the server. The Node API then dumps the user object in the response.

The problem is completely independent of Angular: the application is served by Node only on the / route. Angular then uses the hash value to display the correct page.

This is probably just a problem with the example provided by MEAN. The application itself is insecure, as what they talk about is best practices relating to code structure and customization rather than a secure demo.

You could ask them about this, as there are likely to be people who build on top of the example and don't fix the security issues.

+6

It is just an application setup issue. If you change route.js from:

    app.get('/articles', articles.all);

to

    app.get('/articles', auth.requiresLogin, articles.all);

then, if you try to hit the URL /articles directly, you will get the message:

"User not logged in"

instead of the JSON listing of all articles.

+8

Source: https://habr.com/ru/post/954874/
