api design – Auto-refreshing web resources — JavaScript SPA best practices

I have a resource that is fetched and displayed to users via the browser fetch API in an SPA. The details of given items in the resource list and the order/membership of the list change often.

I will give users the ability to manually refresh, but I am curious if anyone has experience designing a quality auto-refresh behavior and if they can share with me a list of gotchas / best practices.

For example, the user probably doesn’t need to be getting updates on the resource if the tab is not currently in focus or if they are AFK.

architecture – Proper way of structuring nested routes in SPA with reusable components?

I am building a shop module in a front-end application (Angular) which is going to have multiple product categories, sub-categories, and products. The following requirements should be met:

  • The HTML and CSS of each component never change. It consists of a simple card component which has an image and a title/description (this is applicable for all categories, sub-categories, and products list)
  • The number of categories, sub-categories, and products is known for the moment, but can expand in the future.

There are two ways in my mind to achieve the goal:

Have dynamic routes with only 4 components

import { Routes } from '@angular/router';

export const routes: Routes = [
    { path: '', component: SomeProductCategoryComponent },
    { path: ':category', component: SomeProductSubCategoryComponent },
    { path: ':category/:subCategory', component: SomeProductListComponent },
    { path: ':category/:subCategory/:id', component: SomeProductDetailComponent },
];

Have static routes (per category, sub-category, and product), and corresponding components

import { Routes } from '@angular/router';

export const routes: Routes = [
    { path: '', component: SomeProductCategoryComponent },
    { path: 'some-category1', component: SomeProductSubCategoryComponent1 },
    { path: 'some-category2', component: SomeProductSubCategoryComponent2 },
    { path: 'some-category1/some-sub-category1', component: SomeProductListComponent1 },
    { path: 'some-category2/some-sub-category2', component: SomeProductListComponent2 },
    { path: 'some-category1/some-sub-category1/:id', component: SomeProductDetailComponent1 },
    { path: 'some-category2/some-sub-category2/:id', component: SomeProductDetailComponent2 },
];

Could you please advise if any of the ways are good enough, or if not, what other directions I should look into?

authorization: use of the OAuth SPA application to provide third parties with access tokens

Let's say you had a centralized OAuth 2 authentication server, a single page application (SPA) in an electronic application, and a third-party server. The user starts this SPA, goes through the PKCE flow to get an access and update token, and is now authenticated. The SPA can now access and modify information on the authentication server.

Then, let's say that this SPA wanted to access a third-party API, which performs some function; in my case it provides authenticated downloads to a client. That third-party API can already authenticate a user through the normal OAuth flow, causing a user to access the page, redirect the user to the authentication server, and then send the user back with an access code, which the third-party API exchanges for symbolic access. But instead, what happens if I want this SPA to access the third-party service? The SPA is not "connected" to the authentication server as it is only an OAuth client, and the user cannot simply go to the URL of the authentication server to follow the flow of the standard authorization code. What would be the process to generate an access token for this third-party API to allow access to the authentication server on behalf of the user, retrieving or modifying information about the user?

Thanks in advance!

Using Azure AD MSAL as the only authentication solution for SPA

I have an Angular SPA and developed my own basic forms-based authentication using a .NET Core web API and SQL Server to store salted and hashed credentials / user accounts. Obviously this is not an ideal way to handle authentication and it was only temporary. Since then I have received a request to integrate Azure AD, SSO for organizations that already use the software. Since I wanted to move in this direction anyway, I think this is the perfect opportunity to rethink my authentication solution.

I made this plan:

[image]

As detailed, I want all user access to be handled through Microsoft accounts and delete my custom solution. Now, I still need a way to make sure that only the accounts allowed by me have access to the software; I plan to do this in the orange layer above. Once a user logs into an account through the login.microsoftonline.com portal, they would then validate that the email address is already associated with an account in my SQL database. Otherwise it would not allow them to access the software / safe path. The entries in the SQL database account will be added by me manually.

I thought this was a great solution because it eliminates the need to store sensitive password / user information in my database. I would only be storing some IDs (email address etc.) in the Microsoft accounts that I allow.

So some questions:

  1. Is this a suitable SSO solution?
  2. Are there any apparent flaws in handling things this way?
  3. Should I use the email address in my SQL as user id? Or some other id given by Azure AD?

react – Generate CSRF token in SPA

I am extremely confused about the issue of generating a long session CSRF token in a single page application using React.

It seems that the convention is to have the server generate the CSRF token when logging in and embedding the token in the login form.

However, in single page applications, it is not that simple.

What is the best method for applications that use React and Angular, to retrieve the CSRF token from the backend? Is it safe to retrieve the token from just calling an API endpoint?
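
One common way to serve a CSRF token to an SPA from an API endpoint, shown here as an added example that is not part of the original question: the server derives the token from the session with an HMAC and checks it on every state-changing request. The secret, the `/api/csrf-token` path, the `X-CSRF-Token` header name and the request object shape are assumptions made for this example.

```javascript
// Added example: HMAC-signed CSRF token bound to the user's session (Node.js).
const crypto = require('node:crypto');

// Constructed demo value; a real deployment loads the secret from configuration.
const SERVER_SECRET = 'constructed-demo-secret';
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// MAC over the session id and a per-token nonce; the length prefix keeps
// the two fields from being confused with each other.
function sign(sessionId, nonce, secret) {
  return crypto.createHmac('sha256', secret)
    .update(`${sessionId.length}:${sessionId}:${nonce}`)
    .digest('hex');
}

// Called by the handler behind a same-origin endpoint such as
// GET /api/csrf-token (hypothetical path) once the session exists.
function issueCsrfToken(sessionId, secret = SERVER_SECRET) {
  const nonce = crypto.randomBytes(16).toString('hex');
  return `${nonce}.${sign(sessionId, nonce, secret)}`;
}

function verifyCsrfToken(token, sessionId, secret = SERVER_SECRET) {
  if (typeof token !== 'string' || !sessionId) return false;
  const [nonce, mac, ...rest] = token.split('.');
  if (!nonce || !mac || rest.length) return false;
  const expected = Buffer.from(sign(sessionId, nonce, secret));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Request gate; req is a plain object { method, headers, sessionId }
// (constructed shape standing in for a framework's request object).
function csrfCheck(req, secret = SERVER_SECRET) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
  return verifyCsrfToken(req.headers['x-csrf-token'], req.sessionId, secret);
}
```

The SPA fetches the token once with a same-origin `fetch` and sends it back in the `X-CSRF-Token` header on POST, PUT, PATCH and DELETE requests. A page on another origin cannot read the endpoint's response unless the API's CORS policy allows that origin with credentials, which is what keeps a token delivered this way out of a cross-site attacker's reach.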

How to handle AdSense ads in a single page SPA application?

I have a SPA (single page application) where I will show AdSense ads.

The main reason I designed it as a SPA is because I don't want users to refresh the page to see different content. All routing is done on the client side with JavaScript. I'm using React, Firebase and React-Router.

But in AdSense documents, we have this:


Auto Update Ads

The editors are not allowed to update a page or an element of a page without the user requesting an update. This includes placing ads on pages or in locations that redirect or update automatically. Additionally, publishers cannot display ads for a preset time (i.e., pre-roll) before users can view content such as videos, games or downloads.

The fact is that users will NEVER request an update in my application.

What is the correct way to show multiple ads in a single application?


  • Render a new application only when users change pages.


  • Users "browse" to: /blog/some-blog-post-slug-A // SEE ADS
  • Users "browse" to: /blog/some-blog-post-slug-B // SEE NEW ADS

Although the page is not technically refreshing, it is like an update of the page, because the URL will change, but all this is done locally. I will represent the blogPost component again, based on the new URL path.

CAN I DO THIS? Do you want new ads based on a client-side route change?

And what happens if my application is a game, and users will spend about 30 minutes on a single screen, playing the game. Am I only allowed to show 1 single ad for the entire 30-minute session? Or can I re-represent it at a specific interval?

SPA massage PLR Article for blog post for $ 5

SPA massage PLR Article for blog post

Advantages of using PLR items:

PLR content is used to make deals that your customers can go through.

Turn the PLR ​​articles and then use them on your site or blog.

As back-connect

Alter, exchange, download / repack.

As a GIFT / Reward.

Featured articles:

• Provision: [Title], [Word count], [Summary], [Keywords], [Article body].

• Have Word Check run between 350 and 2000 words.

• Optimization of first category websites improved articles.

FREE GIFTS and rewards, for example, FREE preparation at:

• PLR registration agreement.

• How to make a profit with PLR items.

• Change of PLR brand.

Why should you buy this?

✓ 100% compliance guaranteed.

✓ Have FULL resale rights.

✓ Exceptionally fast transport.

✓ Gigantic assortment with the least expensive market costs.


jquery: can I use Codeigniter as a backend for a SPA instead of a node?

I was given a technical task after an interview for a web developer position that is supposed to have a quiet API as a back-end and a Single Page Application (SPA) that communicates with the API as a front-end.

I have created the API using CodeIgniter Framework, but I have no experience with SPA. The interviewer knew it and still gave me this task. I don't have time to study but I want to finish the homework.

So, my question is if I use jquery for the front-end (single page) and CodeIgniter as back-end, will it still be a SPA technically?

Authentication: Is it worth the compensation for placing an authentication token in an HTTP-only cookie for a SPA?

I have been creating a web application (rails api + react SPA) to learn / have fun and I have been investigating authentication. The most commonly recommended approach to authenticate the SPA I have read is to place the authentication token (such as a JWT) in a secure HTTP-only cookie to protect it from XSS. This seems to have a couple of consequences:

But what is the real inconvenience of storing the authentication token in browser storage (i.e. session storage)? XSS becomes a bit more convenient for the attacker? Even with an HTTP-only cookie, the attacker can use the authentication token when making requests directly from the site, because if there is an XSS vulnerability, then they do not need to be able to read the token to use it.

It seems that the popular recommendation only makes things more complicated to protect against CSRF just to make things a little more difficult for the attacker in the case of XSS. Due to the amount of resources these recommendations make, I feel that I am missing something and would appreciate any comments or clarification!

Here are a couple of sources that I have been reading that have been quite strong against browser storage for authentication tokens:

Elm spa structure – Code review stack exchange

This code is a functional example of an Elm application (0.19.1) that is distributed in two files. The idea is to have a file for each page of the application and have Main.elm import files and connect pages (exactly the same idea as the elm spa example)

This is a basic example, which I intend to build for my own use case. When creating this, I had a hard time interpreting and writing correct type annotations.

I would like to receive comments on places where I have not followed the standard Elm idioms or have misnamed the variables or have used CamelCase incorrectly. Really any comment that improves my code would be appreciated.

I am new to Elm and I want to start correctly before moving on and creating a code mess.

Compiled output (HTML document) here


-- Main.elm
module Main exposing (..)

import Browser
import Home
import Html exposing (..)

main =
    Browser.element
        { init = init
        , subscriptions = subscriptions
        , update = update
        , view = view
        }

type Model
    = HomeModel Home.Model
    | Login

type Msg
    = HomeMsg Home.Msg

init : () -> ( Model, Cmd msg )
init _ =
    let
        mapModel : a -> (a -> Model) -> Model
        mapModel model toModel =
            toModel model
    in
    ( mapModel (Home.defaultModel Nothing) HomeModel, Cmd.none )

update: Msg -> Model -> (Model, Cmd msg)
update msg model =
    let
        mapModel : (m, Cmd msg) -> (m -> Model) -> (Model, Cmd msg)
        mapModel (m, c) toModel =
            (toModel m, c)
    in
    case (msg, model) of
        (HomeMsg homeMsg, HomeModel homeModel)->
            mapModel (Home.update homeMsg homeModel) HomeModel
        (_, _) ->
            (model, Cmd.none)

view: Model -> (Html Msg)
view model =
    case model of
        HomeModel homeModel ->
            Html.map HomeMsg (Home.view homeModel)
        _ ->
            div [] [ text "Op's you found a hole" ]

subscriptions : Model -> Sub msg
subscriptions model =
    Sub.none


-- Home.elm
module Home exposing (..)

import Element as El exposing (..)
import Element.Input as In
import Html exposing (Html)

type alias Model =
    { input : String
    }

defaultModel: Maybe String -> Model
defaultModel maybeInput =
    case maybeInput of
        Just input ->
            Model input
        Nothing ->
            Model ""

type Msg
    = UpdateString String

view : Model -> Html Msg
view model =
    El.layout []
        (el []
            (row []
                [ el [] (El.text "Welcome") -- header
                , In.text []
                    { onChange = \x -> UpdateString x
                    , text = model.input
                    , placeholder = Nothing
                    , label = In.labelBelow [] (text "Hello world")
                    }
                ]
            )
        )

update : Msg -> Model -> ( Model, Cmd msg )
update msg model =
    case msg of
        UpdateString input ->
            ( { model | input = input }, Cmd.none)