Hey, I'm working on a frontend for my Spring Boot application. I'm just starting to learn Angular. I'm not sure if there is a security issue if I create my admin page in the same project.
Admin and user pages would share a lot of code, but admin operations (or even data) shouldn't be accessible to anybody else.
What I've found so far: Should I create Two Angular projects for Admin and Users?
So creating one Angular project with two modules should be the way to go, right? But how do I approach that? Or can I just build a single one-module project with authentication and admin/user roles? What would be best practice?
Thank you
I've recently developed a project that has a user facing set of pages and an admin set of pages.
The way I have structured my project is roughly like the following:
|- AppModule
|-- app components
|-- app services
|-- app routing
|
|- SharedModule
|-- components
|
|- AdminModule
|-- admin components
|-- admin services
|-- admin routing
Both AppModule and AdminModule import SharedModule. AdminModule is lazy loaded from my root admin path in AppRouting like this:
    {
      path: 'admin',
      canLoad: [AdminGuardService],
      loadChildren: () => import('../modules/admin/admin.module').then(m => m.AdminModule)
    }
Where AdminGuardService is a route guard that checks if the current user has admin access.
The benefit of a lazy loaded module is that it is compiled separately from AppModule, and is only loaded by the browser when my admin path is hit. I keep all of my admin-specific HTTP calls in my admin services, so they never make it into my main app bundle.
From a security perspective, there's nothing to stop non-admin users guessing your admin URLs regardless of whether it's in the same project or a different project. All of my backend authorization is done by my API. So if a non-admin user guesses an admin URL, they will get a 401 and I will redirect them back to the main app.
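The split described in the answer above (a client-side guard deciding whether to load the admin bundle, the API deciding who may see admin data), as an added example that is not the answerer's code. It is a framework-free model with no Angular imports: `adminApi`, `ClientSession`, `openAdmin`, the session tokens and the redirect strings are assumptions made for illustration; only the `AdminGuardService` and `canLoad` names come from the answer.

```typescript
type Role = 'user' | 'admin';

interface ApiResponse { status: number; body?: string; }

// What the browser holds. Everything here can be edited by the user.
interface ClientSession { token: string | null; claimedRole: Role; }

// Server side (stand-in for the backend API): the role is looked up from the
// server's own session store, never taken from what the client claims.
const SESSIONS = new Map<string, Role>([ // constructed sample sessions
  ['tok-alice', 'admin'],
  ['tok-bob', 'user'],
]);

function adminApi(token: string | null): ApiResponse {
  const role = token === null ? undefined : SESSIONS.get(token);
  if (role !== 'admin') {
    return { status: 401 }; // the answer's API responds 401 to non-admins
  }
  return { status: 200, body: 'admin data' };
}

// Client side: makes the same decision canLoad makes in the route config,
// i.e. whether to fetch the lazy admin bundle. It only sees client state.
class AdminGuardService {
  private session: ClientSession;
  constructor(session: ClientSession) { this.session = session; }
  canLoad(): boolean { return this.session.claimedRole === 'admin'; }
}

// Navigating to /admin: the guard runs first, then the admin service calls
// the API. A 401 sends the user back to the main app.
function openAdmin(session: ClientSession): string {
  if (!new AdminGuardService(session).canLoad()) {
    return 'redirect:/ (guard)';
  }
  const res = adminApi(session.token);
  if (res.status === 401) {
    return 'redirect:/ (api 401)';
  }
  return `render:${res.body}`;
}
```

The guard only saves ordinary users a download and a confusing screen; the third case in the test, where the client claims a role the server never granted, is stopped by the API check alone.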