You can use Webpack's code splitting 
<https://webpack.js.org/guides/code-splitting/> capabilities to split your 
SPA at login, and then load the rest after the user has logged in. This is 
assuming that your static file server has some kind of authorization 
support. This approach is very good from a user experience viewpoint because 
the anonymous user will only get a minimal page with the things relevant to her.

Of course, keep in mind that preventing an attacker from accessing your 
front-end (or even back-end) code is no means of security at all. The 
attacker can always sign up and get your code. The attacker might be an 
ex-employee who already knows the code base. The attacker might guess his 
way into the API, or use some third party to obtain the code. 

On Saturday, November 26, 2016 at 12:45:00 PM UTC+2, Pāvils Jurjāns wrote:
>
> A veteran web developer here, so need some philosophy update here, now 
> when I start developing in Angular 2.
>
> So I'm going for the architecture where all of the Angular 2 app is served as 
> a bunch of static files (bundled by webpack, but static nevertheless) and all 
> the client-server communication takes place via a RESTful API.
>
> The api keeps all the functions locked if the session is not authenticated 
> (with an exception of authentication API, of course). 
>
> Where I'm getting uncomfortable is that the application files can be 
> accessed by an unauthorized user - with some dedicated digging, they can find 
> out a lot of info about the interface and data structures. Enough to 
> prepare various types of phishing or hacking attacks.
>
> If the application is served with the old-school approach, the HTML prepared on 
> the server side, the only thing accessible by an unauthorized user is the 
> authentication page.
>
> What is the general feeling in the Angular camp about this? That there is 
> nothing special in the interface and data structures that is worth hiding? 
> And that all that has to be secure is the REST API as that is all that 
> matters? Or there are Angular 2 patterns that serve the "secure" static 
> files of an Angular 2 application only when the user is authenticated? 
>
