SPA based on privileges? ... or 2PA?


#1

Hello,

This may be a stupid question from an Ember newbie.

Exploring Ember, it was a clear decision to use ember-cli and not to mix Ember and Rails (e.g. the gem ember-cli-rails and so on). I see this as the way. But, from the view of security, an SPA based on JS does not really shine?

Considerations:

a) In Rails ERB, you write “<% if …” and everything inside the if is not shipped to the client, for example if he does not have the privileges.

b) JavaScript may be the, or one of the, most well-known codes around the world. You can see the code in the browser, debug variables, and so on.

c) In an SPA, just by browsing the login page, the user already gets the whole code, even if he is not yet logged in.

d) I am thinking not only of a possible attacker from outside, but more of a staff member who is angry at his company and has a good friend who is a JS professional.

e) If I place the code on the server and build an Electron app which is only the frame (web viewer inside Electron), every user can get the source by calling the URL behind Electron and receiving the code in his browser, where he can see the JS, debug and so on.

f) It's clear that in matters of security the data is more sensitive (which I can restrict on the server, e.g. with Rails) than the program code, but nevertheless it's better if he sees only what he should.

Ideas / questions, maybe there are things I do not know:

1. Is there any way to build a 2-page application?

1.1 Before login: only the code for the login page is uploaded

1.2 After successful login: only the code to which the user has access is uploaded

1.2.1 Example - based on a folder, e.g. app/templates/admin => everything inside the folder is only shipped to the user if he is an admin

1.2.2 Like 1.2.1, but based not on folders but on ifs inside templates, methods, components and so on.

1.3 If 1.2 were possible, I could do things like: most of the code is only uploaded if Ember lives inside my Electron app, where it's not so easy to see the code, debug and so on.

I don’t know if these are stupid questions, if there are already solutions which I don’t know, or if these are real questions, maybe for the core team? … Or is there a way to … after long years of very reasonable separation of Rails and Ember … combine them?

Very helpful for me was this post: Authentication and Authorization experiences, designs and demos … or a thing like the permit_authorize described there, but one that uploads only permitted code?

Best Regards and many thanks,

Christian


#2

… and if this were possible:

You could optimize upload time and build logic like:

A website: if the user visits, only the code for the front page is uploaded, very fast.

If he clicks “more” > the module “more” is ADDED to the uploaded code.

If the user clicks between uploaded modules, no more uploading of code is required and the site is as fast as an Ember app is.


#3

So you’re right that javascript is inherently “insecure” since it gets loaded into your browser. And yes, theoretically someone could glean a lot of knowledge about your app even from just the login page. For most people this doesn’t seem to be that big a deal. The app is just the “displayer” for the data. The data is typically what you really need to protect.

If someone gained access to all your front-end code it would be fairly difficult to reconstruct anything super helpful and the framework typically enforces good security practices. The backend should always maintain authorization logic anyway, so all anyone can “steal” is your front-end code. I personally would never try to think of front-end code as particularly proprietary unless there is a REALLY good reason (can’t think of any realistic scenarios off the top of my head).

I definitely wouldn’t try to build two Ember apps. If you really wanted to prevent an unauthorized user from accessing your front-end code, my suggestion would be to keep the landing page (if you have one) and login page in Rails, and then the app can be loaded once the user has been authorized.

As for your follow-on: AFAIK nothing quite like you described exists, but you could look into FastBoot, which prerenders the page on the server side before sending it to the client (on initial boot only).


#4

The recommendation for Electron is actually to package the app code inside the electron app (for security reasons). So if you’re going to build an electron app you’ll probably want to just be ok with the client having all the front-end code anyway.


#5

Thanks dknutsen for your opinion!

The recommendation for Electron is actually to package the app code inside the electron app (for security reasons). So if you’re going to build an electron app you’ll probably want to just be ok with the client having all the front-end code anyway.

Good recommendation, but I wanted to avoid this way because of the greater effort in deployments.


#6

It’s fine to have a landing page that is traditional server-rendered and then only serve the Ember app to logged-in users.

But overall, I think these concerns are misplaced. Shipping an Ember app to users is no different than shipping a native mobile app, or a desktop app. We have been building secure client-server software for decades, we know how to do it.

For people coming from a server-rendered web app background, it’s a new way of thinking that may be unfamiliar. But I think the strong separation between client and server makes it easier, not harder, to avoid security mistakes.
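
Added example, not code from any poster or from the Ember or Rails projects: a Rack-style gate in plain Ruby showing the arrangement suggested in #3 and #6, where the login page is public, the Ember bundle is served only with a valid signed session, and the API repeats the same role checks on the data. The paths, role names, secret and the functions `gate`, `sign_session` and `read_session` are assumptions made for illustration.

```ruby
require "openssl"
require "json"
require "base64"

SECRET = "constructed-demo-key" # assumption: a server-side secret, never shipped to clients
PUBLIC = ["/", "/login"].freeze # server-rendered pages anyone may fetch
RULES  = [                      # first matching prefix wins; anything else is 404
  ["/assets/admin/", "admin"],  # admin-only chunk (cf. app/templates/admin in post #1)
  ["/assets/app/",   "user"],   # main Ember bundle: any logged-in user
  ["/api/admin/",    "admin"],  # the API enforces the same roles on the data itself
  ["/api/",          "user"]
].freeze

def mac_for(data)
  OpenSSL::HMAC.hexdigest("SHA256", SECRET, data)
end

# Issue a signed session cookie value: base64(JSON) + "." + HMAC.
def sign_session(payload)
  data = Base64.urlsafe_encode64(JSON.generate(payload))
  "#{data}.#{mac_for(data)}"
end

def secure_eq(a, b) # constant-time comparison for equal-length strings
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Return the session hash only if the MAC verifies and it has not expired.
def read_session(cookie_header)
  data, mac = cookie_header.to_s[/(?:\A|;\s*)session=([^;]+)/, 1].to_s.split(".", 2)
  return nil unless data && mac && secure_eq(mac, mac_for(data))
  session = JSON.parse(Base64.urlsafe_decode64(data))
  session["exp"].to_i > Time.now.to_i ? session : nil
rescue ArgumentError, JSON::ParserError
  nil
end

# Rack-style entry point: env hash in, [status, headers, body] out.
def gate(env)
  path = env["PATH_INFO"].to_s
  return [400, {}, ["bad path"]] if path.include?("..")
  return [200, {}, ["public page"]] if PUBLIC.include?(path)
  _, need = RULES.find { |prefix, _| path.start_with?(prefix) }
  return [404, {}, ["not found"]] if need.nil?
  session = read_session(env["HTTP_COOKIE"])
  return [401, {}, ["login required"]] if session.nil?
  return [403, {}, ["forbidden"]] unless Array(session["roles"]).include?(need)
  [200, {}, ["would serve #{path}"]]
end
```

Gating the bundle only limits who can read the front-end code; the `/api/` rules are what protect the data, since a logged-in user can still inspect everything the gate hands out.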