Hello,
this may be a stupid question from an Ember newbie.
Exploring Ember, it was a clear decision to use ember-cli and not to mix Ember and Rails (e.g. the gem ember-cli-rails and so on). I see this as the way. But, from the point of view of security, a SPA based on JS doesn't really shine, does it?
Considerations:
a) In Rails ERB, you write “<% if …” and everything inside the if is not shipped to the client, for example if he does not have the privileges.
b) JavaScript may be the, or one of the, most well-known languages around the world. You can see the code in the browser, debug variables, and so on.
c) In a SPA, just by browsing to the login page, the user already gets the whole code, even if he is not yet logged in.
d) I am thinking not only of a possible attacker from outside, but more of a staff member who is angry at his company and has a good friend who is a JS professional.
e) If I place the code on the server and build an Electron app which is only the frame (a web viewer inside Electron), every user can get the source by calling the URL behind Electron and receiving the code in his browser, can see the JS, debug and so on.
f) It's clear that in matters of security the more sensitive things are the data (which I can restrict on the server, e.g. with Rails) and not the program code, but nevertheless it's better if he sees only what he should.
Ideas / questions (maybe there are some things I don't know):
1. Is there any way to build a 2-page application?
1.1 Before login: only the code for the login page is uploaded.
1.2 After successful login: only the code is uploaded for which the user has access.
1.2.1 Example - based on a folder, e.g. app/templates/admin => everything inside the folder is only shipped to the user if he is an admin.
1.2.2 Like 1.2.1, but not based on folders, but based on ifs inside templates, methods, components and so on.
1.3 If 1.2 were possible, I could do things like: most of the code is only uploaded if Ember lives inside my Electron app, where it's not so easy to see the code, debug and so on.
I don't know if these are stupid questions, if there are already solutions which I don't know about, or if these are real questions, maybe for the core team? … Or is there a way to … after long years of very reasonably separating Rails and Ember … combine them?
Very helpful for me was this post: Authentication and Authorization experiences, designs and demos - #13 by marcoow … or something like the permit_authorize described there, but which uploads only permitted code?
Best Regards and many thanks,
Christian
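The folder-based idea in 1.2.1 (serve `app/templates/admin` only to admins) and the point in f) (data authorization lives on the server regardless of which code the client has) can both be shown with one small server-side gate. The following is an added example, not code from the post, from Ember or from ember-cli-rails; the asset paths, role names, the in-memory asset store, the record table and the session hash shape are all assumptions for illustration. It is plain Ruby so it runs without Rails; in a real Rails app the same decision would sit in a controller action in front of `send_file`.

```ruby
# Added example (not from the forum post, Ember or ember-cli-rails): a server-side
# gate deciding which built client assets a session may download, plus the same
# role check guarding a data endpoint. Paths, roles, store and session shape are
# assumptions for illustration.
require "pathname"

# Role -> asset directory prefixes that role may fetch. Anything not listed is
# denied (deny by default), so a new folder is private until a policy line adds it.
ASSET_POLICY = {
  anonymous: ["assets/login/"],
  user:      ["assets/login/", "assets/app/"],
  admin:     ["assets/login/", "assets/app/", "assets/admin/"]
}.freeze

# Constructed in-memory stand-in for the ember-cli build output on disk.
ASSET_STORE = {
  "assets/login/login.js" => "// login route code, safe for everyone",
  "assets/app/app.js"     => "// code every logged-in user receives",
  "assets/admin/admin.js" => "// admin-only templates, routes and components",
  "config/secrets.yml"    => "not a client asset at all"
}.freeze

# Constructed data table standing in for the database.
RECORDS = { 1 => { owner: "alice", salary: 100 } }.freeze

# Normalize the requested path so "../" segments cannot escape the asset folders.
# Returns nil for paths that still point outside the build directory.
def normalize_asset_path(raw)
  cleaned = Pathname.new(raw.to_s.sub(%r{\A/+}, "")).cleanpath.to_s
  return nil if cleaned.start_with?("..") || cleaned.start_with?("/")
  cleaned
end

# Map a session to a role. No session or an unauthenticated one is :anonymous;
# an unknown role name falls back to the least-privileged logged-in role.
def role_for(session)
  return :anonymous if session.nil? || !session[:authenticated]
  role = session[:role]
  ASSET_POLICY.key?(role) ? role : :user
end

# Returns [status, body]: 400 for a malformed path, 403 when the policy forbids
# the path for this role, 404 when the policy allows it but the file is absent.
def serve_asset(session, raw_path)
  path = normalize_asset_path(raw_path)
  return [400, "bad path"] if path.nil?
  role = role_for(session)
  allowed = ASSET_POLICY.fetch(role).any? { |prefix| path.start_with?(prefix) }
  return [403, "forbidden"] unless allowed
  body = ASSET_STORE[path]
  return [404, "not found"] if body.nil?
  [200, body]
end

# The data endpoint uses the same role check. Whether or not the admin
# JavaScript ever reached the browser changes nothing about this answer.
def serve_record(session, id)
  return [403, "forbidden"] unless role_for(session) == :admin
  rec = RECORDS[id]
  rec ? [200, rec] : [404, "not found"]
end

if __FILE__ == $PROGRAM_NAME
  admin = { authenticated: true, role: :admin }
  p serve_asset(nil, "assets/login/login.js")                        # [200, ...]
  p serve_asset({ authenticated: true, role: :user }, "assets/admin/admin.js") # [403, ...]
  p serve_asset(admin, "assets/admin/../../config/secrets.yml")      # [403, ...]
  p serve_record({ authenticated: true, role: :user }, 1)            # [403, ...]
end
```

Two design points: the prefix list is checked after path normalization, so a request such as `assets/admin/../../config/secrets.yml` is compared as `config/secrets.yml` and denied rather than served; and the role lookup is shared between the asset gate and the record endpoint, which is what makes point f) hold in practice. Hiding the admin bundle narrows what a non-admin can read in the browser, but the record check is the part that protects the data.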