Reputation: 15742
I have a Backbone application which handles public and private stuff.
Public => Login, Registration, News, etc.
Private => Chatting, other user specific information.
To secure the entire application I have a session-based authentication mechanism in node.js. This mechanism secures the backend-api. Now the question is how I can secure the front-end.
One idea I had was to split up the front-end into public and private and the server decides if it grants access to the private-assets.
What other front-end-secure concepts are out there?
To make it more specific: I want to check client-side if the user is authenticated and I want to restrict loading require-js modules to unauthenticated people (to save bandwidth).
Upvotes: 2
Views: 1459
Reputation: 361
Your server should provide an API to check if the current user (possibly via their cookies) is authenticated.
In backbone, on your routes/navigations you can check to see if your user is authenticated and then execute code or not (probably calling a requireJS module after the auth check).
To my knowledge there is no backbone thing that has the concept of user state. You could implement a setTimeout loop to request the auth state from your server, and then implement Backbone.Events on top of that to emit an event when the user is not authed, which your backbone app could listen to and then trigger the rendering of a login view, or route the user to a login page.
I mainly use couchdb for my backend, and it has a $.couch.session function that will let me know of the state of the current user's auth. You will most likely need to implement your own session function that hooks into your backend framework.
Upvotes: 1
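The route check and polling loop described in the answer above, as an added sketch that is not part of the original post. `checkSession` and `loadModule` are hypothetical stand-ins for the server's session-check API and a RequireJS `require()` call, and `makeEvents` stands in for `Backbone.Events`; the event names are also assumptions.

```javascript
// Stand-in for Backbone.Events (on/trigger only) so the sketch runs without Backbone.
function makeEvents() {
  const handlers = {};
  return {
    on(name, fn) { (handlers[name] = handlers[name] || []).push(fn); },
    trigger(name, arg) { (handlers[name] || []).forEach((fn) => fn(arg)); },
  };
}

// checkSession: async () => ({ authenticated: boolean }); hypothetical wrapper around
//   the server's session API (a request that carries the session cookie).
// loadModule: async (name) => module; hypothetical wrapper around require([name], cb).
function createAuthGate({ checkSession, loadModule, intervalMs = 30000 }) {
  const gate = makeEvents();
  let authed = false;
  let timer = null;

  // Ask the server; any error or malformed reply counts as "not authenticated".
  async function refresh() {
    let now = false;
    try {
      const reply = await checkSession();
      now = Boolean(reply) && reply.authenticated === true;
    } catch (err) {
      now = false; // fail closed: a network error must not unlock private routes
    }
    const lost = authed && !now;
    authed = now;
    if (lost) gate.trigger('auth:lost'); // app can render the login view here
    return authed;
  }

  // Route guard: fetch the private module only after a fresh server check.
  gate.guard = async function (moduleName) {
    if (!(await refresh())) {
      gate.trigger('auth:required', moduleName);
      return null;
    }
    return loadModule(moduleName);
  };

  // setTimeout loop: each tick re-checks the session, then re-arms unless stopped.
  gate.start = function () {
    timer = setTimeout(async () => { await refresh(); if (timer !== null) gate.start(); }, intervalMs);
  };
  gate.stop = function () { clearTimeout(timer); timer = null; };
  gate.refresh = refresh;
  return gate;
}
```

This check only decides what the client downloads and renders; the server still has to refuse private assets and API calls that arrive without a valid session.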