Authentication Security for Web Single Page Applications (SPA) like Angular

costas-ioannou · January 23, 2019, 10:47am

Hello

I’m new and experimenting with Backendless… so this question probably has been answered but I have not found anything in the forum so far.

So… I’m bulding a demo application using Angular framework and Backendless. Angular creates SPAs which means all ‘code’ is more or less available to the user. No backend on my side. Only the Angular project on user’s browser and Backendless servers.

Is it safe to use Backendless REST API? I’m asking because the REST API key will have to be exposed in my app’s scripts.

Of course we assume that the security mechanisms of users/roles/ACLs will be setup correctly not to allow unauthorized access to tables/objects/files etc.

Thank you
Costas Ioannou

mark-piller · August 14, 2018, 3:34pm

Costas,

Thank you for exploring Backendless. Indeed, this question had been asked before. The API keys are not meant to be secure. As you said, anyone can get access to your REST API Key (although I’d recommend using the JS SDK if you’re going to build an Angular app). The security of your data, users, files, etc is enforced not by hiding the API key (which would be hard to do), but instead by putting proper permissions for users and roles in your app. There are different layers of permissions: Global, Table level, individual object level. For example, at the global level you can restrict access to everything for the users who are not logged in by denying permissions for the NotAuthenticatedRole role.

Here’s a link to the proper section in the developer guide. I recommend reading that chapter and the three chapters that follow:
https://backendless.com/docs/js/doc.html#users_user_roles

Regards,
Mark

costas-ioannou · August 14, 2018, 3:34pm

Thank you very much
Your answer fully covers my question.