Routing security flaw in Angular/MEAN.io?


It's just an app configuration. If you change the routes.js from:

app.get('/articles', articles.all);

to

app.get('/articles', auth.requiresLogin, articles.all);

Then if you try and hit the URL /articles directly you get the message:

"User is not authorized"

Instead of JSON listing all the articles.
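To show what the one-line change above actually does, here is an added example (not code from the question or from MEAN.io): a `requiresLogin` guard and the `/articles` handler run through a minimal stand-in for Express's `next()` middleware chain, so it runs offline without the `express` package. `runRoute`, `listArticles` and the sample articles are assumptions made for the demo.

```javascript
// Added example: imitates app.get(path, ...handlers) from Express so the
// route guard can be exercised without installing express (assumption).

// Constructed sample data standing in for the articles collection.
const ARTICLES = [
  { title: 'Hello MEAN', body: 'first post' },
  { title: 'Routing', body: 'second post' },
];

// Guard middleware, in the spirit of auth.requiresLogin: only hand off to
// the next handler when a user is attached to the request (as a session or
// passport layer would do); otherwise answer 401 and never call next().
function requiresLogin(req, res, next) {
  if (!req.user) {
    res.status = 401;
    res.body = 'User is not authorized';
    return;
  }
  next();
}

// Final handler: the unprotected route simply dumps every article as JSON.
function listArticles(req, res) {
  res.status = 200;
  res.body = JSON.stringify(ARTICLES);
}

// Minimal imitation of Express's handler chain: each handler either writes
// the response or calls next() to pass control to the following handler.
function runRoute(handlers, req) {
  const res = { status: undefined, body: undefined };
  let i = 0;
  function next() {
    const handler = handlers[i++];
    if (handler) handler(req, res, next);
  }
  next();
  return res;
}

// The two route definitions from the answer: before and after the fix.
const unprotectedArticles = [listArticles];
const protectedArticles = [requiresLogin, listArticles];

const anonymous = { user: null };
console.log(runRoute(unprotectedArticles, anonymous)); // 200, full article list
console.log(runRoute(protectedArticles, anonymous));   // 401, "User is not authorized"
console.log(runRoute(protectedArticles, { user: { name: 'alice' } })); // 200
```

The same guard has to be placed on every route that returns private data; a route left as `[listArticles]` still answers anonymous requests.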


As you say, removing the #! causes the routing to be handled by the server. The node API then dumps the user object in the response.

The problem is completely independent of Angular - the app is only served by Node at the / route. Angular then uses the hash value to show the correct page.

This is probably just a problem with the example provided by MEAN. The app itself is insecure; when they talk about best practices, that refers to the code structure and setup rather than the quick demo.

You could ask them about it, since there will probably be people who build on top of the example and don't fix the security issues.