Ember.js security and SaaS apps


Ok, I am sure this might have been answered before but I failed to find in-depth answers when searching.

I am looking to build a SaaS that has multiple accounts with many users under each account, very similar to basecamp.

The data layer would be a php or rails based RESTful API. The front end of course would be ember.js.

My ADHD brain is having a problem wrapping my mind around how to secure such app and protect user’s data. I suspect Token-authentication would work for the actual user/login authentication. But the part I have problem figuring out is how do I keep someone from modifying ember code to gain access to the protected area of the app.

Would something like token-authentication for the users be enough protect (along with things like randomizing user and account ids) or do you need something else that I am missing? Should ember.js even be a consideration for this type of app or am I trying to fit a round peg through a square hole?



In theory, your API should be controlling what users see and access. If you want different groups of users to have access to different app features then you can deliver different code to users depending on their access level. You can have a base app and inject code into the app depending on what users have access to.

No matter what frontend code they’re running, they’ll still be constrained by what’s served to them by the server.