Administrator dashboard and controls with Ember

Hi there! I’m going to play with Ember but what I’m going to find out is the way to make an administrator interface, and general users should be totally unaware of it or what it looks like. It should be a separate page like a ‘control panel’ plus additional forms/information on most other pages. Ember uses Handlebars templates to build the UI, but I need to hide some of them so no one could find them even in the page source code. Making them as secure as possible is also a must.

The only possible way I can imagine deals with the backend, and I need to check user credentials before any request to specific .hbs files, but that sounds weird to me. What can you suggest?

Thanks everyone in advance!

You can compile Handlebars templates to JavaScript on the server and obfuscate the JavaScript, but that might be the limit of what you can do to hide the code.

I believe you are correct that the only way to really hide code from unauthenticated eyes is to secure it on the server (and never send it to an insecure client).

You could probably partition your source into secure and insecure code, then serve the secure code from an authenticated endpoint.

If you manage to create an authenticated endpoint for loading code, then you could leverage the router’s beforeModel to actually retrieve (and execute) the code before transitioning to the route.

For example:

If your API has: /api/code/admin.js (secured Ember controllers, templates, etc.)

Then you could define a route like this:

App.AdminRoute = Ember.Route.extend({
  beforeModel: function() {
    // Only fetch the admin bundle once; the flag lives on the application object.
    if (!App.admin_code_loaded) {
      // Returning the promise makes the router wait for the script to be
      // loaded (and executed) before the transition into /admin continues.
      return $.getScript('/api/code/admin.js').then(function() {
        App.admin_code_loaded = true;
      });
    }
  }
});

The real power comes from taking advantage of the promise-based nature of the router hooks. The transition to /admin (and all its nested routes) will wait for the code to be loaded before continuing.

I haven’t tried this code, but I think it (or a similar technique) should work.
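The authenticated endpoint this approach depends on, as an added Node.js example that is not code from the thread: it partitions the bundles, serves /api/code/admin.js only to a session with the admin role, and applies the same role check to a state-changing API call, which is the check that actually protects the data. The session store, tokens, role names, bundle contents and the /api/admin/users path are all constructed for the example.

```javascript
// Added example (not from the thread): role-gated serving of the admin bundle
// and of an admin-only API call, using only Node.js built-in features.

// Constructed in-memory session store: cookie token -> {user, role}.
const SESSIONS = new Map([
  ['tok-admin', { user: 'alice', role: 'admin' }],
  ['tok-user',  { user: 'bob',   role: 'user' }],
]);

// The code partition: the public bundle goes to everyone, the admin bundle
// (controllers, compiled templates) only to an authenticated admin.
// Bundle bodies are constructed placeholders.
const BUNDLES = {
  '/assets/app.js':     { role: null,    body: 'App = Ember.Application.create();' },
  '/api/code/admin.js': { role: 'admin', body: 'App.AdminController = Ember.Controller.extend({});' },
};

// Resolve the session from a Cookie header like "session=tok-admin; other=1".
function lookupSession(cookieHeader) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(cookieHeader || '');
  return m ? (SESSIONS.get(m[1]) || null) : null;
}

// Shared authorization step: 401 without a session, 403 with the wrong role.
function authorize(req, requiredRole) {
  const session = lookupSession(req.headers && req.headers.cookie);
  if (!session) return { status: 401, body: '' };
  if (session.role !== requiredRole) return { status: 403, body: '' };
  return null; // authorized
}

// Serves a code bundle; req is {url, headers} as handed over by http.createServer.
function handleCodeRequest(req) {
  const bundle = BUNDLES[req.url];
  if (!bundle) return { status: 404, body: '' };
  if (bundle.role === null) return { status: 200, body: bundle.body };
  const denied = authorize(req, bundle.role);
  if (denied) return denied;
  // Secured code must not land in shared caches.
  return { status: 200, headers: { 'Cache-Control': 'private, no-store' }, body: bundle.body };
}

// The data API enforces the same rule: shipping the admin UI to a browser must
// never be what stands between a user and an admin-only write.
function handleApiRequest(req) {
  if (req.method === 'POST' && req.url === '/api/admin/users') {
    const denied = authorize(req, 'admin');
    if (denied) return denied;
    return { status: 201, body: '{"created":true}' };
  }
  return { status: 404, body: '' };
}
```

Both handlers return plain {status, body} objects so they can be wired into `http.createServer` or tested without a listening socket.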

Providing the admin dashboard’s JavaScript code is not a security issue, since we’re only providing frontend code, which doesn’t allow for data updates, as the API would deny them.
Also, getting to it would require unminifying the JavaScript and reverse engineering the entire app.

So, while, of course, admin links aren’t displayed to normal users in the interface, we’ve decided to not care about hiding that frontend code.