I am developing and application using Ionic (AngularJS) and I’m using NodeJS for my back-end.
So the application starts, the user then has to log in via Facebook. Once authenticated, I pass the Access Token to NodeJS where a Client instance is initiated, grabbing information about the user accordingly from the database.
Now I am wondering, I already have the authentication mechanism done. How can I prevent the user from accessing certain routes that are reserved for authenticated users only? A way that cannot be manipulated from the client’s side (a.k.a. a way that “abuses” the power of NodeJS as a back-end service).
I though about having to identify with an access token for each socket/REST request, then check authentication from the back-end and send back data only of authenticated.
Is there any better method to do that?
EDIT: I just realized I can simply not send any dynamic data from NodeJS to a non-authenticated user. But what about static content that is built into the Ionic application?