Answer the question
In order to leave comments, you need to log in
How to implement login on VUE.JS?
Help me understand this - if we have a SPA, then it turns out that we give one js file and render the page already on the client according to the scenarios we need, but the question is, it turns out that even an unauthorized user will be able to view our entire, for example, main.js and find out , for example, what urls we make requests for data. It is clear that without authorization he will not receive data from the API, but will he know the structure of our API? Or not? I would be grateful for links to articles (you can also in English) on how authorization is implemented in real (not samples for tutorials) SPA applications.
PS: django-rest-framework is used for backend
Answer the question
In order to leave comments, you need to log in
He can see all your requests in DevTools -> Network, with headers and responses. What is the question?
I would advise starting from the following concept:
1. Your front should be responsible only for visualization - all sensitive data is given back and returned there. You should really not care that your js can be parsed, without authorization there is no point. Also, if you want to cover up some super-unique code on the front - collectors with obfuscation, other garbage))
2. Authorization can be done according to the jwt token scheme with the release of a short-lived token, which is used to sign requests in the back, to it a refresh token for updating. Tokens can be stored in the localstore so that browser unloading does not lose the authorization state. There should be plenty of examples on the Internet. You choose the lifetime of tokens according to your taste.
Actually I don't like it either. I solved this issue quite simply. A separate authorization page, and already AFTER successful authorization, the SPA is loaded. Here they write like what is the problem? Well, no one canceled DDOS. Authorization can go through one server, and work with the API through another. In order to close the api from the outside world.
Didn't find what you were looking for?
Ask your questionAsk a Question
731 491 924 answers to any question