Free Online Courses for Software Developers - MrBool
× Please, log in to give us a feedback. Click here to login
×

You must be logged to download. Click here to login

×

MrBool is totally free and you can help us to help the Developers Community around the world

Yes, I'd like to help the MrBool and the Developers Community before download

No, I'd like to download without make the donation

×

MrBool is totally free and you can help us to help the Developers Community around the world

Yes, I'd like to help the MrBool and the Developers Community before download

No, I'd like to download without make the donation

Ensuring Security in AngularJS Applications

In this tutorial we shall effectively discuss the many different ways by which security can be implemented in applications that have been developed with the use of AngularJS.

One of the most vital aspects during the development of any application is the implementation of security features that prevent its misuse. It also makes up one of the core components of the application around which several other functionalities are built. Thus, security plays a pivotal part in any application and needs its due respect. With AngularJS, a majority of the security work needs to be implemented on the server. As such, AngularJS does nothing for an SQL injection, lack of controls to access and several other issues that can happen with any web application.

When it comes to the development of applications using Angular, we can make use of Backand to take care of the security of an application. It also takes care of every aspect, right from the registration of the user to security templates that suit the app. Also, additionally we shall take a look at anonymous access that allows for easier adoption by users around the world and with ease. To say, Backand does a very fine job of protecting your application data in an effective manner and thus is a very important service to use.

Besides this, we shall also take a look at how access control can be another fine method to ensure some security for your applications.

What is Angular or AngularJS?

AngularJS is an open source framework for the development of Web applications. It is largely maintained by a community of developers from Google and other notable institutions. The main purpose of Angular is to help developers with the making of single page web applications. It also largely simplifies both the development and testing of applications by making available a framework for client-side MVC and MVVM. Besides, it also finds widespread usage in the development of rich Internet applications.

What are the components to be controlled?

AngularJS is a pure client side framework or technology, so its deals with all clients side components and activities. These client side activities include scripting across clients, dealing with secure (HTTPS) and non-secure websites, handling cookies etc. So it is quite evident that AngularJS is not going to take care of your network or server security. As a part of AngularJS app development, we need to understand the component which needs to be secured.

In the following picture we can check three types of components browser, network and server. The Angular app is a client component, so the server has to be secured separately to make the entire application secured.

Figure 1: AngularJS app components for security

AngularJS - Security best practices

In AngularJS, all expressions are sandboxed to keep application responsibilities separate .Let us have a look at some best practices used in an AngularJS app.

  • Server and client side templates should be separate. The mixing can cause security threats.
  • Prevent dynamic template generation by using user input.
  • Do not allow to run user input through $scope.$eval.
  • Always use CSP (content security policy) ,but also add other mechanisms.

What is Backand?

Backand, also shown as Back&, basically happens to be a backend service for AngularJS. It is very rich in features and also rids developers of server side hassles that one may face pretty often. Some of the tasks that Backand is usually known to be associated with are –

  • Heavy lifting in database management
  • Numerous security aspects
  • Management of users, particularly login aspects
  • The integration part, where third-party apps, such as PayPal, Stripe, etc., can be added
  • Hosting and scalability.

Now, we shall take a look into how security can actually be implemented using Backand.

Registration of the user

The process for implementing security begins with the registration of the user. By default, Backand is set to utilize two-factor authentication. This means that you will first need to invite users to the application and further direct them to the registration page that you configure. As such, Backand undertakes the communication part, which means it handles the verification and registration part from the customizable signing page that you prepare. This process is known as ‘private’ mode and is set as a default for all applications. It requires users to be invited in order for them to join the application.

Now, once the app is completely stable and the security configured totally, the application can be opened to the general public. This will permit user to sign up directly without requiring any invitation. After someone registers, they are sent a verification email by Backand to ensure that the sign up is genuine. If the user confirms with this email, they are redirected to a verified email link, which further states that registration has been successful. After this, the user is allowed to use the app in a default role and within the permissions limit created by you.

Security that is role-based

Backand makes use of a role-based approach to access your application data in a secure manner. In order to do so, it assigns each of the users of your application a certain role. Now, every role has varying levels of permissions right throughout the application. These begin with table restrictions on modification of records to complete access to the application’s configurations. Every role can be configured right from the macro level and also the table level, thus allowing for complete flexibility in securing the application.

Users that are created from the admin dashboard get the ‘admin’ role. One of the first steps that one should take should be that of adding an additional security role for new users, whether they receive private invitations or sign up in public mode. The main idea behind this is to assign a default role for all new user sign ups. Later, you can make permission changes as per your requirements from the administrative dashboard.

Templates for security

If you are trying to setup a security level for every singles object or user class in the database of your application, it is surely going to be a very tiring process, along with the possibility of being error prone. However, one need not go through this. With Backand, there is the availability of Security Templates. The templates set a default set of security permissions for tall the roles that may exist in your application. These can be applied to various actions such as Read, Delete, Create and Update options. Templates also offer plenty of flexibility and they can be assigned at object and query levels.

Often, the blanket approach offered by templates isn’t what you might be looking for your application. In such cases, Backand allows the overriding of security templates at the per-role level. This enables more control over the application’s data, allowing one to grant or revoke access to specific components as necessary. Thus, by making use of templates you will be able to completely secure your application and further making sure that only users with the right permissions can perform actions on your data.

Anonymous Access

In many instances, especially when you are using the application as an API, it may be necessary to grant anonymous access to a certain user. To allow access for such instances, Backand allows anonymous access feature. The idea behind this is the use of token-based authentication that ensures that the anonymous use case is valid and that the user is allowed to interact with the application. Also, you can even restrict anonymous access to the application based on the underlying user roles, meaning anonymous users only get to access elements that you want them to.

Access control

Access control, which can also be called as authorization, is pretty much absent in AngularJS. Since, Angular largely happens to be used to code client-side applications, it isn’t surprising that much of the source code is available to the client. As such, this indicates that a user can easily access the code and tamper it to further gain access to views and elements. However, there certainly is one way out here, which is visibility control.

Element visibility restriction

AngularJS has several directives that allows for the hiding and showing of elements based on expressions or scope properties. Some of these are ngHide, ngShow, ngIf, and ngSwitch. The first two actually makes use of a style attribute to hide the element while the latter two will remove the element from the DOM.

Now, the first method is particularly good when the first expression pretty much changes frequently and the element also do not contain a lot of scope references and template logic. The reason behind this is that a template logic having a hidden element reevaluates at every on every digest cycle. This actually slows down the application.

For the second method, the DOM element is completely removed and along with any scope bindings and events handlers. It is to be noted that changing the DOM creates a lot of work for the browser, however is worth it. Also, since user access is something that does not change often, ngIf and ngSwitch can often be the best choice to go with.

Listing 1: Implementation of ngSwitch and ngIf

 <div ng-if="current_user">Welcome, {{ current_user.name }}</div>
 <div ng-if="isAuthorized(user_roles.admin)">You're the administrator.</div>
 <div ng-switch on="current_user.role">
   <div ng-switch-when="user_roles.admin">You're the administrator here.</div>
   <div ng-switch-when="user_roles.editor">You're editor here.</div>
   <div ng-switch-default>You're something else, but not admin or editor.</div>
 </div>
 

You have noticed here how the switch assumes that a user can have only one role, but then you can be more flexible and work your way around.

Now let us setup the other things to make the app work. In the following code we are setting different (.js) files in index.html file.

Listing 2: Setting .JS files in index.html file

<script src="js/controllers.js"></script>
<script src="js/services.js"></script>
<script src="js/constants.js"></script>
<script src="lib/angular-mocks/angular-mocks.js"></script>

In the second stage we will setup some constants for our app.

Listing 3: Setting up roles in constant.js file

angular.module('starter') 
.constant('AUTH_EVENTS', {
  notAuthenticated: 'auth-not-authenticated',
  notAuthorized: 'auth-not-authorized'
})
 
.constant('USER_ROLES', {
  admin: 'for_admin_role',
  public: 'for_public_role'
});

The following code is for the dashboard part. It will be the user interface.

Listing 4: Showing dashboard file

<view view-title="Dashboard" name="dashboard-view">
  <nav-buttons side="right">
    <button class="button icon-left ion-log-out button-stable" ng-click="logout()">Logout</button>
  </nav-buttons> 
  <content class="padding">
    <div class="row"><div class="col text-center">
      <h3 class="title">Welcome {{mrbool}}!</h3>
      This is the Dashboard.
      <br><br><br>
      <button class="button button-full button-positive" ng-click="doValidRequest()">
       Valid Request
      </button>
      <button class="button button-full button-energized" ng-click="doUnauthorizedRequest()">
        Request unauthorized resource
      </button>
      <button class="button button-full button-assertive" ng-click="doInvalidRequest()">
        Request with valid token
      </button>
      <br><br>
      {{response}}
    </div></div>
  </content>
</view>

Following is the output of the app:

Figure 2: Output of the app

Conclusion

Securing of any application is very important for it to be successful. With Backand’s two-factor authentication feature for the registration process, you are assured that the users for your application shall be genuine and experienced, which means better protection for your data. Besides, with the likes of user roles and security templates, you can further manage permissions easily. Lastly, there is also scope for easy access for anonymous users and third-party integration, with security and protection for your data.

The access control method described above is also a great means to ensure security of your Angular applications. The method allows you have control over the elements of your code that are visible to users, thus not allowing them to tamper with it.

There are also certain other methods that you can take a look at, in order to ensure security of you Angular applications, such as restricting route access, session expiration and more.



Website: www.techalpine.com Have 16 years of experience as a technical architect and software consultant in enterprise application and product development. Have interest in new technology and innovation area along with technical...

What did you think of this post?
Services
[Close]
To have full access to this post (or download the associated files) you must have MrBool Credits.

  See the prices for this post in Mr.Bool Credits System below:

Individually – in this case the price for this post is US$ 0,00 (Buy it now)
in this case you will buy only this video by paying the full price with no discount.

Package of 10 credits - in this case the price for this post is US$ 0,00
This subscription is ideal if you want to download few videos. In this plan you will receive a discount of 50% in each video. Subscribe for this package!

Package of 50 credits – in this case the price for this post is US$ 0,00
This subscription is ideal if you want to download several videos. In this plan you will receive a discount of 83% in each video. Subscribe for this package!


> More info about MrBool Credits
[Close]
You must be logged to download.

Click here to login