Chapter 7
- POST /logout: This message logs out the current user by removing the authentication cookie.
- GET /current-user: This message retrieves the current user information.
This interface is enough for us to demonstrate how to handle authentication and
authorization in our application.
In a commercial application, the security requirements would be more
complex, and you may also prefer to use a third-party authentication
scheme such as OAuth2 (see http://oauth.net/).
Securing partial templates
There are some situations where you don't want users to be able to access the
partial templates (HTML) for AngularJS routes to which they do not have
authorization. Perhaps the templates contain layout information that implicitly
exposes sensitive information.
In this case, a simple solution is to ensure that requests for these partial templates are
checked for authorization on the server. First, we should not preload such templates
at application startup. Then, we should configure the server to check the current
user whenever one of these partial templates is requested, once again returning an
HTTP 401 Unauthorized error if the user is not authorized.
If we are relying on the server to check authorization on each partial
request, we need to ensure that the browser (or any proxy) is not
caching the requests for partials. To do this, the server should provide
the following HTTP headers, when serving up these partials:
Cache-Control: no-cache, no-store, must-revalidate
Pragma: no-cache
Expires: 0
AngularJS caches all the templates that it downloads in the $templateCache service.
If we want to secure our partials, we must also ensure that the partials are not cached
in a way that allows unauthorized access. We must delete these templates from
the $templateCache service before a new user logs in, to ensure that the new user
doesn't inadvertently have access to the templates.
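As an added example (not code from the book), the server-side check described above, written as a plain function so it runs without a web framework. The template store, the role lists and the names authorizePartial and NO_CACHE_HEADERS are assumptions for illustration; the user shape ({ roles: [...] } or null) is likewise assumed.

```javascript
// Added example, not code from the book: authorization check for partial
// templates. TEMPLATES, ACL, authorizePartial and the user shape are
// assumptions for illustration.

// Constructed template store and access list for the demonstration.
const TEMPLATES = {
  '/partials/projects/list.tpl.html': '<div>project list</div>',
  '/partials/admin/users.tpl.html': '<div>user admin</div>',
};
const ACL = {
  '/partials/projects/list.tpl.html': ['user', 'admin'],
  '/partials/admin/users.tpl.html': ['admin'],
};

// Headers the chapter prescribes so browsers and proxies never cache a
// protected partial; sent on every partial response, including the 401s.
const NO_CACHE_HEADERS = Object.freeze({
  'Cache-Control': 'no-cache, no-store, must-revalidate',
  'Pragma': 'no-cache',
  'Expires': '0',
});

// Decide the response for GET <path> by <user> ({ roles: [...] } or null).
// Deny by default: a partial that is not registered is never served.
function authorizePartial(path, user) {
  const response = { status: 200, headers: { ...NO_CACHE_HEADERS }, body: null };
  const allowedRoles = ACL[path];
  if (!allowedRoles || !(path in TEMPLATES)) {
    response.status = 404;
    return response;
  }
  const roles = (user && user.roles) || [];
  if (!roles.some((role) => allowedRoles.includes(role))) {
    response.status = 401; // anonymous and unauthorized users are treated alike
    return response;
  }
  response.body = TEMPLATES[path];
  return response;
}

// Usage: an anonymous visitor, an ordinary user and an admin ask for the admin partial.
console.log(authorizePartial('/partials/admin/users.tpl.html', null).status); // 401
console.log(authorizePartial('/partials/admin/users.tpl.html', { roles: ['user'] }).status); // 401
console.log(authorizePartial('/partials/admin/users.tpl.html', { roles: ['admin'] }).status); // 200
```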