For this you will only need 1 controller, and 1 optional view.
The controller is to provide routing details to the DB and feed back to the view. The optional view then embeds the host page internally, or the controller can just issue the page.
The purpose of this is to lock down your SPA pages from prying eyes if they don’t have rights to the page.
So you will have a routing table that maintains the security, and describes what happens to the route.
Example route mydomain.dom/SPAName/#Home
So in the ASP.NET routing we are getting “SPAName” which we can look up and see that it belongs to view “SPAName/home.html”. While we are looking this up, we can also the rights table, and see there is a right called “SPAName:true” with a tag called “Required”. So if the user who is logged in had the business rule of “SPAName”, then they have rights to get the page rendered to their browser.
If you opt to not have a view, then just have the controller read and issue the HTML. By doing this you can manage your process to locking down the HTML, like storing it off the host server, or just outside of the public host space. You can even encrypt and decrypt the page prior to the view.
The goal here is to prevent those people who have no right to your page from getting access to your page.