Is there an easy way in Aurelia to set up the routes so that it only downloads the views/view models that the user has access to? Want to lock down and secure the app as much as possible: i.e. basic users should only download the home view/view model, and the only time the admin view/view model would ever be downloaded is if the user logs in and has admin privileges. Same with the other view models: users will need to have privileges for each view/view model in the app before it is ever downloaded from the server.
If you are using webpack, that works by utilising a route parameter: it is outlined in the following article:
Used properly, it will generate different bundles for the different parts of your app. Webpack will also include an async loader to fetch the bundle when necessary.
Thanks, think code splitting could work. On server side I can lock down each chunk/bundle based on users’ permissions
If you use webpack’s code splitting, you could define the routes based on the user’s permissions and then, when the user navigates, webpack downloads what’s required. You shouldn’t worry about locking chunks. Instead, focus on restricting routes.
Yes, thinking I need to do both though: lock down on the server and restrict routes via client. Because couldn’t someone download the admin chunks if they figured out the URL?
Yes, but would it help the attacker in this case? I think it is more important to secure the API that is called by the administrator pages. And of course get Web security basics right.
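The client-side half of what this thread describes (register only the routes a user's roles allow, and back that with an authorize pipeline step), as an added example that is not from the thread or from the Aurelia project. It mirrors the shape of aurelia-router's route config and `run(instruction, next)` step with plain objects so it runs without Aurelia installed; `settings.roles` is an assumed convention, `next.cancel(target)` stands in for `next.cancel(new Redirect(target))`, and the moduleIds would normally be wrapped in `PLATFORM.moduleName(...)` with a chunk name. As the last reply says, the API behind the admin pages still needs its own server-side authorization.

```javascript
// Added example: role-gated Aurelia-style routing with per-area webpack chunks.
// Plain objects stand in for aurelia-router types so this runs stand-alone.

// Constructed route table. `settings.roles` is our own convention (assumption);
// each moduleId would be PLATFORM.moduleName('admin', 'admin') etc. so that
// webpack emits a separate bundle per area and only fetches it on navigation.
const routes = [
  { route: ['', 'home'], name: 'home', moduleId: 'home', settings: { roles: [] } },
  { route: 'reports', name: 'reports', moduleId: 'reports', settings: { roles: ['reports', 'admin'] } },
  { route: 'admin', name: 'admin', moduleId: 'admin', settings: { roles: ['admin'] } },
];

// Does a user holding `userRoles` satisfy a route's role requirement?
function isAllowed(route, userRoles) {
  const required = (route.settings && route.settings.roles) || [];
  return required.length === 0 || required.some(r => userRoles.includes(r));
}

// Client-side restriction: register only routes the user may reach, so the
// router never holds a reference to the admin module for a basic user.
function routesForUser(userRoles) {
  return routes.filter(r => isAllowed(r, userRoles));
}

// Authorize step in the shape aurelia-router expects: run(instruction, next).
// Denies navigation when any instruction in the chain requires a missing role.
class AuthorizeStep {
  constructor(getUserRoles) { this.getUserRoles = getUserRoles; }
  run(navigationInstruction, next) {
    const roles = this.getUserRoles();
    const denied = navigationInstruction.getAllInstructions()
      .some(i => !isAllowed(i.config, roles));
    return denied ? next.cancel('home') : next();
  }
}

// Drives the step against a constructed instruction and returns 'ok' or the
// redirect target, so the authorization decision is observable.
function decide(routeName, userRoles) {
  const config = routes.find(r => r.name === routeName);
  const instruction = { getAllInstructions: () => [{ config }] };
  const next = Object.assign(() => 'ok', { cancel: target => `redirect:${target}` });
  return new AuthorizeStep(() => userRoles).run(instruction, next);
}
```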