I just installed the MEAN stack (MongoDB, Express.js, AngularJS, Node.js) and opened up the example program (as found on mean.io) and they have a basic app that you can login to and create blog "articles" just for testing and such.
Anyway, I removed the '#!' from the URL and it outputted the entire user and article models as they are in the database. It seams as though doing that made it stop routing through Angular and instead used the Express routes which are just JSON REST apis. Is this a flaw in the MEAN stack package, Angular as a whole, or maybe just a development environment setting? I can't imagine that this would be released with a huge flaw like that but maybe I'm just missing something..
Replicateable steps:
- Follow installation instructions on
- Goto your local app in the browser and create an account and login
- Create an article
- View the article item you just created and remove the #!/ from the URL, you then see the JSON object of your logged in user account plete with hashed password and salt, as well as the article object.
I just installed the MEAN stack (MongoDB, Express.js, AngularJS, Node.js) and opened up the example program (as found on mean.io) and they have a basic app that you can login to and create blog "articles" just for testing and such.
Anyway, I removed the '#!' from the URL and it outputted the entire user and article models as they are in the database. It seams as though doing that made it stop routing through Angular and instead used the Express routes which are just JSON REST apis. Is this a flaw in the MEAN stack package, Angular as a whole, or maybe just a development environment setting? I can't imagine that this would be released with a huge flaw like that but maybe I'm just missing something..
Replicateable steps:
- Follow installation instructions on http://mean.io
- Goto your local app in the browser and create an account and login
- Create an article
- View the article item you just created and remove the #!/ from the URL, you then see the JSON object of your logged in user account plete with hashed password and salt, as well as the article object.
- 1 It's an example, not a production ready system: "It is designed to give you quick and organized way to start developing of MEAN based web apps with useful modules like mongoose and passport pre-bundled and configured." – WiredPrairie Commented Sep 29, 2013 at 12:27
- 1 I mented on their gh issuess page and its fixed now – ShrekOverflow Commented Jan 28, 2014 at 19:59
2 Answers
Reset to default 8Its just an app configuration. If you change the routes.js from:
app.get('/articles', articles.all);
to
app.get('/articles', auth.requiresLogin, articles.all);
Then if you try and hit the url /articles directly you get the message:
"User is not authorized"
Instead of JSON listing all the articles.
As you say, removing the #! causes the routing to be handled by the server. The node API then dumps the user object in the response.
The problem is pletely independent from Angular - the app is only served by Node at the / route. Angular then uses the hash value to show the correct page.
This is probably just a problem with the example provided by MEAN. The app itself is insecure, when they talk about best practices that refers to the code structure and setup rather than the quick demo.
You could ask them about it, since there will probably be people who build on top of the example and don't fix the security issues.