dojo web application authentication

I am attempting to develop a pure JavaScript web application using Dojo. The problem I face is one of restricting access to portions of the application. Authenticated users should be able to access everything, whereas non-authenticated users should only be able to access a login screen.

The issue is that nothing (that I am aware of) will stop a user from opening up a browser JavaScript console and entering something like: app.displayRestrictedContent(); and thus gaining access to a screen intended for authenticated users.

I have implemented an AJAX-based login; all AJAX calls are secured with a session. So while the non-authenticated user can load a restricted screen, they won't be able to fetch data for it. But still, it seems wrong for this screen to be arbitrarily accessible.

Am I trying to do the impossible? It seems silly to write code such as if (user.auth) app.displayRestrictedContent(); when it's so easily circumvented. And this leads me to believe I am missing something rather obvious to everybody else. I can't find much information at all on pure JavaScript-based apps and authentication models.

andreb asked Oct 09 '22 16:10


1 Answer

But still, it seems wrong for this screen to be arbitrarily accessible.

Because it's client-side code. Anything you write in JS, or that gets compiled to JS, expect it to be readable by the users.

Am I trying to do the impossible?

You can dynamically load JS modules after the user authenticates. So at first, just load one login module. When the user logs in, if successful, the server returns a list of JS modules to load; if not, it returns an empty list. It also helps improve load time when users come to your website.

Anh Pham answered Oct 18 '22 08:10