Best practices for loading app/js *only* after authentication?


#1

Hello everyone!

I am beginning to dive into a new project and have run into a requirement that I need some help thinking through.

I was prepared to follow a token-authentication type structure for authentication but was then told we need to not show any of the JavaScript (or as absolutely little as possible) before authentication. This has me a little puzzled given single-page JavaScript apps.

I’m using the very helpful ember-app-kit, which has great tools that compile everything down to a minified and obfuscated single JavaScript file, which I thought was good enough for security, but apparently it’s not.

Having the entire app loaded once, and even in a single compiled js file, what is best practice for accomplishing this?

I had one thought of my own and have found another potential.

A) Coming from Rails, I thought I could just build a very thin Rails app that handles authentication in a server-side view that doesn’t load any of the app JS. Then on successful authentication, transition the user to a view that loads all of the JS for the app and go from there.

B) I found some talk of new functionality in ember-data (forgive me if I’m wrong) that allows you to async-load JavaScript files in the models. This seems like it could work but also seems very complex, and I’m not sure if it’ll totally work because they want to hide not only models but things like app routes (basically everything but login).

Would love to hear from people on best practices for this type of scenario.

Thanks


#2

This is not a complete solution to your problem, but you could use it as a starting point.

As described in the [Async Routing guide][1], you can return Promises in the beforeModel, model and afterModel hooks. Ember.$.getScript would be a function that returns a Promise which you could use to pause the router until the “real” application is loaded. I don’t think you will need an Ember-Data feature or any other data library feature for this case.

Unfortunately, I’m not aware that EAK supports splitting the application into different parts yet (I believe that’s not an easy thing to accomplish).

A word on security: Minifying/Obfuscating is never a good way of ensuring security. Even lazy-loading your application isn’t, if you have no extra logic to prevent the application download when the user is not signed in. The only effective way to prevent leaking private data is to secure your backend. Then, in theory, you can give your application code to anyone who wants to see it.

I’m sorry I can give you no finished solution, but checking for permission in the ApplicationRoute and then loading the rest of the application could work I think.

[1]: http://emberjs.com/guides/routing/asynchronous-routing/ "Async Routing guide"