Routing security flaw in Angular/MEAN.io?

Problem

I just installed the MEAN stack (MongoDB, Express.js, AngularJS, Node.js) and opened up the example program (as found on mean.io) and they have a basic app that you can login to and create blog "articles" just for testing and such.

Anyway, I removed the '#!' from the URL and it outputted the entire user and article models as they are in the database. It seams as though doing that made it stop routing through Angular and instead used the Express routes which are just JSON REST apis. Is this a flaw in the MEAN stack package, Angular as a whole, or maybe just a development environment setting? I can't imagine that this would be released with a huge flaw like that but maybe I'm just missing something..

Replicateable steps:

  • Follow installation instructions on http://mean.io
  • Goto your local app in the browser and create an account and login
  • Create an article
  • View the article item you just created and remove the #!/ from the URL, you then see the JSON object of your logged in user account complete with hashed password and salt, as well as the article object.
Problem courtesy of: ABlankenship

Solution

As you say, removing the #! causes the routing to be handled by the server. The node API then dumps the user object in the response.

The problem is completely independent from Angular - the app is only served by Node at the / route. Angular then uses the hash value to show the correct page.

This is probably just a problem with the example provided by MEAN. The app itself is insecure, when they talk about best practices that refers to the code structure and setup rather than the quick demo.

You could ask them about it, since there will probably be people who build on top of the example and don't fix the security issues.

Solution courtesy of: Matt Zeunert

Discussion

Its just an app configuration. If you change the routes.js from:

app.get('/articles', articles.all);

to

app.get('/articles', auth.requiresLogin, articles.all);

Then if you try and hit the url /articles directly you get the message:

"User is not authorized"

Instead of JSON listing all the articles.

Discussion courtesy of: inic

This recipe can be found in it's original form on Stack Over Flow.