
I have a Backbone application which handles public and private stuff.

Public => Login, Registration, News, etc.

Private => Chatting, other user specific information.

To secure the entire application I have a session-based authentication mechanism in node.js. This mechanism secures the backend-api. Now the question is how I can secure the front-end.

  1. How do I secure routes in Backbone
  2. How could I secure modules (requireJs) in Backbone

One idea I had was to split up the front-end into public and private and the server decides if it grants access to the private-assets.

What other front-end-secure concepts are out there?

To make it more specific: I want to check client-side if the user is authenticated, and I want to prevent unauthenticated people from loading require-js modules (to save bandwidth).

  • I also would like to know if there is a javascript, jquery or backbone function which checks the session state, or if I have to implement my own top-layer event handler which keeps everything in watch. (Commented Jul 21, 2012 at 15:08)

1 Answer

Your server should provide an API to check if the current user (possibly via their cookies) is authenticated.

In backbone, on your routes/navigations you can check to see if your user is authenticated and then execute code or not (probably calling a requireJS module after the auth check).

To my knowledge there is no backbone thing that has the concept of user state. You could implement a setTimeout loop to request the auth state from your server, and then implement Backbone.Events on top of that to emit an event when the user is not authed, which your backbone app could listen to and then trigger the rendering of a login view, or route the user to a login page.

I mainly use couchdb for my backend, and it has a $.couch.session function that will let me know of the state of the current user's auth. You will most likely need to implement your own session function that hooks into your backend framework.


1 Comment

To summarize: secured API (sessions or/and OAuth2), requireJs module which keeps a websocket/long-polling connection to the server for authentication/authorisation checks, and a static asset server which also requires authentication (ok, this wouldn't work if all modules are already loaded...)
