I have one problem and want to ask for an "angularjs way" to solve it properly.
I have several services that will be used in my application. Before using them I must use the login service and "log in" the user. So I also have a service that returns the status of the user - AUTHENTICATED or NOTAUTHENTICATED. I am using ngRoute. My first idea was to put the check for user status into a service and call it in every controller. If the user is not authenticated I will display a login popup. The other option is to use a global event but I don't like it. So what is the best way?
Best regards.
IMHO the best way would be to put login functionality in a service; that way it can be easily injected where necessary. You can check if the user is authenticated when he is interacting with a backend service.
i.e. angularjs does an http/resource call to the backend for a listOfUsers, then the backend either returns valid json or it returns a response with a login-specific failure; then you can process that kind of response in angularjs and display a loginbox.
I have a request page which every user has access to, but everyone can access their own requests and can change them with some functions that work with AngularJS.
The thing is that if the user logs out in another page, while the user hasn't refreshed this page, the angular functions continue to work.
I know I can check the logged-in user in the controller, but is there any way for angular to prevent it?
(I use ASP.Net Authentication and MVC)
You have to use some sort of communication channel such as SignalR or sockets to achieve that. One solution could be to intercept the http request and check if the user is logged in. If not, navigate to the login page.
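The interception idea from the two answers above, as an added example (not code from either poster): an AngularJS `$http` response interceptor that reacts when the backend rejects a call as unauthenticated, so that a single listener can open the login popup or go to the login route. The 401 status, the `auth:loginRequired` event name and the module name `app` are assumptions.

```javascript
// Added example. Assumptions: the backend answers 401 once the session or
// token is no longer valid; the event name and module name are made up.
function authInterceptor($q, $rootScope) {
  var prompting = false; // several requests can fail at once; prompt once

  return {
    // $http calls this for every failed response.
    responseError: function (rejection) {
      if (rejection.status === 401 && !prompting) {
        prompting = true;
        // The server made the decision; the client only reacts to it.
        // A listener shows the login popup or changes the route.
        $rootScope.$broadcast('auth:loginRequired', rejection.config);
      }
      // Always reject, so the calling controller never treats the
      // failed call as data.
      return $q.reject(rejection);
    },
    // $http calls this for every successful response: the session works
    // again, so a later 401 may prompt again.
    response: function (response) {
      prompting = false;
      return response;
    }
  };
}

// Registration, only when AngularJS is loaded (module name is assumed).
if (typeof angular !== 'undefined') {
  angular.module('app')
    .factory('authInterceptor', ['$q', '$rootScope', authInterceptor])
    .config(['$httpProvider', function ($httpProvider) {
      $httpProvider.interceptors.push('authInterceptor');
    }]);
}
```
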
I have a web application that uses Yii2 as API and Angular for frontend stuff. I am wondering what would be the best way to pass user permissions from Yii2 to Angular so I can show/hide data per user permissions.
My first idea was to make an API call for that data before Angular starts and then use that data inside Angular.
I see this as a problem if user permissions change while the user is working. The user's data would refresh only when he refreshes the whole page, which is not so often in Angular.
My second idea was to push permission data to the user with every API request, but I don't know how to do it.
Any ideas?
I am new to web authentication and need some clarification.
I have seen people implementing token based authentication alongside angularjs $rootScope to save logged-in user information.
Why is there a need to attach a token to the headers at every request if the angularjs application will only check its own variable to identify that the user logged in?
Likewise, if one has a token in every header, why simply check the headers on the client side to know if the user has logged in? If so, I do not see why one uses $rootScope to save the logged-in user's info.
Thank you in advance.
I think you unintentionally nailed it when you said "the angularjs application will only check its own variable to identify that the user logged in".
The frontend will usually just trust that whatever kind of token it has is valid, since there is no way to do an independent verification of it (remember, there is no such thing as frontend security). The backend however can't do that, it needs to actually verify on each request that the user is who he/she claims to be, otherwise your application is not secure. Hence you send the token on each request so that the backend can check it.
If you simply trusted the frontend to say who is logged in or not then nothing would stop an attacker from simply bypassing that check using javascript and taking control of any account they wanted. Validation always needs to be done on the backend.
As for saving it in rootScope, that is mostly just a convenience thing people do for things they always want available so they don't need to get the data in all controllers. I tend to use an abstract state in ui-router or a shared factory for that instead, but it amounts to mostly the same thing.
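What "the backend checks the token on each request" can look like, as an added example that is not part of the original answer: a Node.js sketch with an HMAC-signed token that the server verifies before doing any work, ignoring whatever the client says about who is logged in. The token layout, the `Bearer` header format, `SECRET`, `handleRequest` and the `loggedInAs` field are assumptions for illustration.

```javascript
// Added example. SECRET, the token layout and handleRequest are assumptions
// made for illustration, not an API of any framework named on this page.
const crypto = require('crypto');

const SECRET = crypto.randomBytes(32); // stays on the server, never sent out

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('hex');
}

// Issued once, after the backend has checked the user's credentials.
function issueToken(userId, ttlSeconds, now = Date.now()) {
  const claims = { sub: userId, exp: Math.floor(now / 1000) + ttlSeconds };
  const payload = Buffer.from(JSON.stringify(claims)).toString('base64');
  return payload + '.' + sign(payload);
}

// Run on EVERY request. Returns the user id, or null if the token is bad.
function verifyToken(token, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const [payload, mac, extra] = token.split('.');
  if (!payload || !mac || extra !== undefined) return null;
  const expected = Buffer.from(sign(payload));
  const given = Buffer.from(mac);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length ||
      !crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(payload, 'base64').toString());
  return claims.exp > Math.floor(now / 1000) ? claims.sub : null;
}

// The client's own idea of who is logged in (body.loggedInAs) is ignored;
// identity comes only from the verified token.
function handleRequest(req) {
  const header = req.headers.authorization || '';
  const user = verifyToken(header.replace(/^Bearer /, ''), req.now);
  if (user === null) return { status: 401 };
  return { status: 200, body: 'requests of ' + user };
}
```
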
My app uses the JS Facebook API to use Facebook as a login/pass. Here is what happens when you try to log in.
User clicks on the Facebook Login Button
Facebook authenticates
If successful, I grab the Facebook ID and name of the user
Calls my REST API on my app to check and see if that FBID is registered in my system.
If registered, I write the session to verify that the user is authenticated.
This is great since I don't have to store usernames and passwords. But I am worried that someone will just use a REST API debugger like POSTMAN in Chrome and just send a Facebook ID and the name of the user and they will be authenticated.
My question is what is the best way to secure my end that will prevent apps like POSTMAN from just inputting the fields needed to authenticate? Am I missing something? Can anyone recommend a strategy for this?
Or is using a CSRF token the only way to combat this? I am using FuelPHP as a backend and doing a single page app using AngularJS with NgRoutes. But every time I enabled the CSRF on Fuel, the token passed does not match what it was in the back-end.
I am under the impression that this is due to the fact that the javascript token function is in the main page, where the ng-view is. I know this might have something to do with the ngRoutes.
http://fuelphp.com/docs/classes/security.html
Use Fuel's Auth package. It has Opauth integration which does all the above, and for an entire list of social media platforms, not only Facebook.
Always try not to reinvent the wheel, assume someone else has had the same challenge, solved it, and shared the solution with the community.
I have implemented the FOSUserBundle on my application. I have managed to get chained user providers to work as well as overriding some of the default controllers.
I have one issue though, I need to find a way to intercept the login process.
My user object is linked to a client entity. Now I need to deny access to the user object even though it's valid because the client entity is disabled.
What I have attempted.
1) I tried extending the SecurityController to no avail, it seems to redirect before executing my code.
2) I tried to set _target_path on my login form to a controller that does the check of the client entity status. This seems to work but after I log out the user using,
$this->get('request')->getSession()->invalidate() ;
The user is redirected back to the login page but I cannot get a flash message to appear on the twig template stating that the client is not active.
Any help or ideas will be much appreciated.
You might want to attach a handler to the login and logout process: http://www.reecefowell.com/2011/10/26/redirecting-on-loginlogout-in-symfony2-using-loginhandlers/