
"Secure" content is directly accessible #3

Open
amadeuspzs opened this issue Jun 20, 2016 · 7 comments

Comments

@amadeuspzs

secure.html lives in the public folder.

It is therefore possible to access directly via http://localhost:3000/secure.html.

Consider moving secure.html to a private folder outside the public folder to illustrate gating?

@gstroup
Contributor

gstroup commented Jun 22, 2016

That's a good point, but the "public" directory contains all the assets for the web application. The secure page will be secure if you follow the tutorial steps.

@IB00483671

Can you please point to the tutorial in which this is done? I believe auth.js is missing from the code, but I am not sure if this is why secure.html is directly accessible.

@gstroup
Contributor

gstroup commented Oct 25, 2016

@IB00483671

Thanks for pointing that out @gstroup.
I believe @amadeuspzs was right in his point that the secure app needs to be placed in some other folder instead of in public.
In the tutorial I was not able to find any such pointer that the secure page should not be present in the public folder.
My approach for now: moved the secure Angular application to a restricted folder parallel to the public folder and updated the paths of secure.html in all route files.
Please correct me if my understanding is wrong in this.

@gstroup
Contributor

gstroup commented Oct 27, 2016

I think this makes sense. I'll update the app, so that secure.html will be in a secure/ directory parallel to the public/ directory. Thanks!

@IB00483671

A few more points here:

  1. auth.js is missing here, which I believe is present in another "Predix Dev" project, "predix-transform-nodejs-starter". This is required in case the user needs to have the auth token in the secure.js router file to make further HTTP calls to the API. I included it in my project from "predix-transform-nodejs-starter", initialized it in my app.js using config, and it was returning me the auth token. I had a requirement to send the auth token with my API calls, so the auth router came to the rescue.
  2. Moving secure.html to a restricted folder seems to be an alternative for now, but I thought over it some more and it seems it would not make much difference even if it is kept under public. Reason: the client browser will be able to access secure.html, but the API calls in the secure.js router will force the authentication. So all the browser will see is a page without any data, which should be fine in most cases. But for this to happen, point 3 below needs to be completed first.
  3. app.js in the current master branch does not use the secure.js router path. Instead secure.html is being rendered directly. I had to initialize it using "app.use('/secure', secure);" just below the place where the index.js router is used, and deleted the "/secure" route defined in app.js.

Lastly, apologies for stretching this issue this far, but I just wanted to share my inputs while using this app structure so that others can benefit from it.

@gstroup
Contributor

gstroup commented Oct 28, 2016

Thanks for all your comments! I'm glad you're taking the time to understand the application. Here are some responses to your points.

  1. We're not using auth.js anymore. We now use the Predix passport module - passport-predix-oauth, which is installed via npm. (see package.json) This follows a more "industry standard" pattern, rather than rolling our own auth.js file.
  2. You're right - it doesn't really make a difference in which directory we place the secure.html file. I think moving it to a "secure" directory would just make it less confusing.
  3. Right again - I noticed that we're not using secure.js at all any more. Again, we want to use the passport authentication module instead.

Watch for some updates coming soon to this application. I'm sorry, we left some confusing code in there, and we'll be cleaning it up soon. Thanks for all the feedback!
