Node.js handles the back-end logic, and nginx is the HTTP server.
The front end is built with AngularJS.
```
+---------+        +-----------+        +--------+        +------+
|         |        |           |        |        |        |      |
|         +------->|           +------->|        +------->|      |
|         |        |           |        |        |        |      |
| browser |        |   nginx   |        | nodeJs |        |  DB  |
|         |        |           |        |        |        |      |
|         |<-------+           |<-------+        |<-------+      |
|         |        |           |        |        |        |      |
+---------+        +--+-----^--+        +--------+        +------+
                      |     |
                      |     |
                   +--v-----+--+
                   |           |
                   |   HTML    |
                   |   CSS     |
                   |   JS      |
                   +-----------+
```
Permissions go through the RESTful interface using tokens: the back end determines the user's permissions from the token and then returns the data.
~~Is it necessary to add permission checks for files like HTML? For example, some pages are not meant to be viewed directly, but right now the HTML obviously does not go through Node.js permission verification.~~
If the scope is extended to other static files, such as doc files, how should this permission check be done?
Write the routing file variable at the point where the server sends the first HTML to the browser after login. At login, list all the files the user can access, set the inaccessible ones to 404, and then have ng set up the routing. When these files are read, if the user directly accesses a route that cannot be reached, a 404 page is displayed.
You can also write the user identification code in this file, and it is not impossible to modify the global ajax through ng.
I think you are overthinking this. There is no difference in security between single-page applications and ordinary web pages; both use ajax to interact with the server.
As for RESTful, it is just an architectural style. Using this style does not cause any qualitative change to security.
http://stackoverflow.com/questions/15938730/require-authentication-for-directory-except-one-page-with-passport-js-node-j
You need auth_basic.
It has no impact on security.
For example, take the administrator page admin.html. Even if an ordinary user can construct a URL to open this page, every operation and data request on it will fail because there is no valid token.
So security depends only on the back end's RESTful permission verification of the token.