I have a site that runs with a NodeJS backend and a ReactJS frontend. All of the frontend logic takes place in the user's browser, and the frontend hits backend routes to get business logic. Currently, we authenticate users with passportjs. But, when the user logs in, he or she can still use something like Postman to hit all of the backend routes, many of which should be private. Is there a good way to make sure that only an admin or our platform can hit our backend routes? I think this would require some kind of admin privilege that is always given to the frontend logic, but I was wondering if there is a best practice.
- If the client requires access to the backend, the only thing you can do to prevent access to the backend is through normal authentication. Once a user logs in, there's nothing stopping that user from using their authorization credentials to send their own requests through fiddler or similar software with the same credentials. – Kevin B, commented Dec 1, 2014 at 21:30
- The only thing you can do here is security by obscurity, i.e. make it so cumbersome to do manually that a large portion of users give up. There's no magic power that only browsers have. – Brigand, commented Dec 2, 2014 at 5:13
1 Answer
Unfortunately, after passport (or other auth) on the client there's very little you can do to facade your services without establishing additional identities.
This is more in the app arch/design realm, so hopefully you're not too far along to refactor. If not, then I would suggest abstracting your services so you can secure them more granularly. E.g. layer your services so you can establish identity before making calls to certain private/secured business logic. A framework like this might do the trick: http://loopback.io/
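The practical consequence of the answer and the comments above is that the backend has to authorize every request on its own, per route and per resource, because anything the frontend holds (session cookie, token, "admin privilege") can be replayed from Postman. The following is an added example, not code from the question, the answer, or the loopback.io project: an Express/Passport-style authorization middleware that checks the identity Passport already attached to `req.user` (assumed shape `{ id, roles: [...] }`, a hypothetical convention) before a private handler runs. It avoids a dependency on Express by using tiny stand-ins for the request/response objects, so it runs stand-alone in Node.

```javascript
// Added example (not from the original Q&A). Assumes Passport has already
// deserialized the session into req.user = { id, roles: [...] } (hypothetical shape).

// Middleware factory: allow the request only if req.user holds one of the roles.
// Unauthenticated -> 401; authenticated but lacking the role -> 403.
function requireRole(...allowed) {
  return function (req, res, next) {
    if (!req.user) {
      res.status(401).json({ error: 'not authenticated' });
      return;
    }
    const roles = Array.isArray(req.user.roles) ? req.user.roles : [];
    if (!allowed.some(r => roles.includes(r))) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Resource-level check: the caller must own the resource named by a route
// parameter, or hold the given role. This is the check that stops a logged-in
// user from reading other users' data by editing the URL in Postman.
function requireOwnerOrRole(paramName, role) {
  return function (req, res, next) {
    if (!req.user) {
      res.status(401).json({ error: 'not authenticated' });
      return;
    }
    const params = req.params || {};
    const isOwner = String(req.user.id) === String(params[paramName]);
    const hasRole = (req.user.roles || []).includes(role);
    if (!isOwner && !hasRole) {
      res.status(403).json({ error: 'forbidden' });
      return;
    }
    next();
  };
}

// Minimal stand-ins for Express's res.status()/res.json() so this runs offline.
function makeRes() {
  const res = { statusCode: 200, body: null };
  res.status = code => { res.statusCode = code; return res; };
  res.json = obj => { res.body = obj; return res; };
  return res;
}

// Run a middleware chain against a request object, returning the response.
function dispatch(req, handlers) {
  const res = makeRes();
  let i = 0;
  const next = () => { const h = handlers[i++]; if (h) h(req, res, next); };
  next();
  return res;
}

// Two private routes. Only the authorization middleware guards them; the
// frontend holds no secret that Postman could not also present.
const listUsers = (req, res) => res.status(200).json({ users: ['alice', 'bob'] });
const getProfile = (req, res) => res.status(200).json({ profile: req.params.userId });
const usersRoute = [requireRole('admin'), listUsers];
const profileRoute = [requireOwnerOrRole('userId', 'admin'), getProfile];

// Helpers returning the resulting status code, for stand-alone checks.
function checkListUsers(user) {
  return dispatch({ user }, usersRoute).statusCode;
}
function checkProfile(user, userId) {
  return dispatch({ user, params: { userId } }, profileRoute).statusCode;
}

// Constructed sample identities (not real users).
const anon = undefined;
const bob = { id: 2, roles: ['user'] };
const admin = { id: 1, roles: ['admin'] };

console.log(checkListUsers(anon), checkListUsers(bob), checkListUsers(admin)); // 401 403 200
console.log(checkProfile(bob, '2'), checkProfile(bob, '1'), checkProfile(admin, '2')); // 200 403 200
```

The design point is that both checks live on the server and key off the server-side identity, not off anything the client claims about itself; in a real Express app the same factories would be mounted as `app.get('/api/users', requireRole('admin'), listUsers)` with Passport's session middleware in front of them.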