Cookies vs Tokens. Getting auth right with Angular.JS
Introduction. There are basically two ways of implementing server-side authentication for apps with a frontend and an API. The most widely adopted one is cookie-based authentication (you can find an example here), which uses server-side cookies to authenticate the user on every request. A newer approach, token-based authentication, relies on a signed token that is sent to the server on each request. Token based vs. cookie based: the following diagram explains how both of these methods work. What are the benefits of a token-based approach? Cross-domain / CORS: cookies and CORS don't play well across different domains. What's a JSON Web Token? Assuming you have a Node.js app, below you can find the components of this architecture. Server side: start by installing express-jwt and jsonwebtoken: $ npm install express-jwt jsonwebtoken. Configure the express middleware to protect every call to /api. The Angular app will perform a POST through AJAX with the user's credentials. Angular side. What's next?
WebSocket Security
The WebSocket protocol is a young technology and brings some risks with it. Decades of experience have taught the web community some best practices around HTTP security, but the security best practices in the WebSocket world aren't firmly established and continue to evolve. Nevertheless, some themes have emerged, and they are described in this article. Use the secure protocol: you should strongly prefer the secure wss:// protocol over the insecure ws:// transport. Heroku's SSL endpoints support WSS, and we strongly recommend that you use it. Avoid tunneling: it's relatively easy to tunnel arbitrary TCP services through a WebSocket; we recommend avoiding tunneling if at all possible. Validate client input: WebSocket connections are easily established outside of a browser, so you should assume that you need to deal with arbitrary data. Validate server data: you should apply equal suspicion to data returned from the server. Authentication/authorization.
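The "validate client input" and "validate server data" points above, as an added example that is not part of the Heroku article: the checks a WebSocket endpoint applies in front of its message handler, written as plain functions so they run without a server. With the ws package you would call checkOrigin from verifyClient and validateMessage from socket.on('message'); the size limit, allowed origins and message schema are assumptions chosen for the example.

```javascript
// Added example: input validation for a WebSocket endpoint, as plain functions.
// Limits, allowed origins and the message schema below are assumptions.
const MAX_MESSAGE_BYTES = 4096;                               // cap frame size before parsing
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // hypothetical app origin

// Allowlist of message types the application understands and the shape of
// each. Anything else is rejected, in either direction.
const SCHEMAS = {
  chat: { room: 'string', text: 'string' },
  ping: {},
};

// Browsers send an Origin header on the WebSocket handshake; non-browser
// clients can forge it, so this only stops cross-site abuse from browsers
// (cross-site WebSocket hijacking), not arbitrary clients. Authentication of
// the connection still has to happen separately.
function checkOrigin(originHeader) {
  return typeof originHeader === 'string' && ALLOWED_ORIGINS.has(originHeader);
}

// Returns { ok: true, message } or { ok: false, reason }.
function validateMessage(raw) {
  const bytes = Buffer.isBuffer(raw) ? raw : Buffer.from(String(raw), 'utf8');
  if (bytes.length > MAX_MESSAGE_BYTES) return { ok: false, reason: 'too large' };
  let msg;
  try { msg = JSON.parse(bytes.toString('utf8')); } catch (e) { return { ok: false, reason: 'not JSON' }; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return { ok: false, reason: 'not an object' };
  // hasOwnProperty.call keeps keys like "__proto__" or "toString" from matching
  if (typeof msg.type !== 'string' || !Object.prototype.hasOwnProperty.call(SCHEMAS, msg.type)) {
    return { ok: false, reason: 'unknown type' };
  }
  const schema = SCHEMAS[msg.type];
  for (const k of Object.keys(msg).filter(k => k !== 'type')) {
    if (!Object.prototype.hasOwnProperty.call(schema, k)) return { ok: false, reason: 'unexpected field ' + k };
    if (typeof msg[k] !== schema[k]) return { ok: false, reason: 'bad type for ' + k };
  }
  for (const k of Object.keys(schema)) {
    if (!Object.prototype.hasOwnProperty.call(msg, k)) return { ok: false, reason: 'missing field ' + k };
  }
  return { ok: true, message: msg };
}

// The client side runs the same validateMessage on what the server sends, and
// never puts server-supplied text into the page as HTML: escape it first.
function renderChatText(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, c => map[c]);
}
```

The size check runs before JSON.parse on purpose: parsing is where a hostile client can burn CPU and memory, so it only happens on frames that are already within budget.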
malikov/Authenticate.me-Node-Server
10 Things You Should Know about Tokens
A couple of weeks ago we published a short article about cookies vs. tokens in the context of single page applications, in particular applied to AngularJS apps. It seems the community is interested in this topic, so we published a second article on token-based authentication in realtime frameworks like socket.io. There is great interest in this subject, so we decided to continue with an article that explores in more detail some of the most common questions around token-based authentication. So here we go...
1. In the context of tokens being used on single page applications, some people have brought up the issue of refreshing the browser and what happens to the token. If you are wondering "but if I store the token in the cookie I'm back to square one".
2. Tokens have an expiration (in JSON Web Tokens it is represented by the exp claim); otherwise someone could authenticate to the API forever once they had logged in at least once.
3.
4.
5. Request: POST /download-file/123 Authorization: Bearer ...
auth0/node-jsonwebtoken
malikov/Authenticate.me-client-cordova-ionic
ryanfitz/hapi-auth-jwt
Using An Oauth 2.0 Service With IonicFramework
Many APIs such as Google, Twitter, and Facebook require OAuth in order to use them. This gets tricky on mobile because authorization must happen externally in a web browser. To our advantage, we can handle OAuth 2.0 using the InAppBrowser plugin for Apache Cordova. Basic instructions on using the InAppBrowser with IonicFramework can be found in one of my earlier blog posts. Start by picking an API you'd like to use; for this example let's use Google. Now for the fun part. Google's OAuth 2.0 flow consists of acquiring an authorization code (the post calls it a request token, which is OAuth 1.0a terminology) and then exchanging it for an access token. The above code will open an InAppBrowser with a callback triggered for the load of each page. With the authorization code in hand, it must be exchanged for an access token in order to use the Google APIs. A thing to note about the Google APIs: if you're not using jQuery, you'll have to format the POST body manually as param1=value&param2=value (application/x-www-form-urlencoded). So let's look at a more working example. Some things to note about the example.
Easily index your Single Page Application thanks to PhantomJS (Vickev)
Google provides a way to index your Single Page Application (SPA), whether built with Angular.js, Backbone.js, or another JavaScript framework (Ember.js, Knockout.js, and others). In this article we will first see how it proceeds and how much work the webmaster has to do, and then we will come up with an automatic solution. Throughout this article I will introduce tools and examples from this website, vickev.com (which is built with Angular.js and Node.js), to prove the relevance of the method. The magic of the Google crawl: Google indexes websites well, but without executing any JavaScript code. In the case of an SPA, however, the page is built entirely by JavaScript, so Google came up with a solution for developers. If it is not clear (I'm not sure it is, actually), please consult the official guide, which is pretty clear in my opinion. Try it yourself! We can play a little with vickev.com: we are going to try to display a previous article about Grunt. lynx '
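The mapping the "official guide" defines, as an added example that is not the Vickev post's code. It assumes the guide meant is Google's AJAX crawling scheme, under which the crawler requested a "#!" URL as "?_escaped_fragment_=" and expected static HTML back; a server that recognises that parameter renders the real route (the post does it with PhantomJS) and returns the snapshot. Both directions of the mapping are shown, with the guard a prerender endpoint needs so that the fragment can only name a path on the site and never another host.

```javascript
// Added example: URL mapping for the AJAX crawling scheme, plus an SSRF guard.
// Origin below is the post's own site, used as the example origin.
const SITE_ORIGIN = 'https://vickev.com';

// Crawler request -> the app URL to render. Returns null if the request is not
// a crawler request for this site, or if the fragment tries to name a full URL
// (which would turn a PhantomJS prerenderer into an open proxy).
function crawlerRequestToAppUrl(requestUrl) {
  let u;
  try { u = new URL(requestUrl, SITE_ORIGIN); } catch (e) { return null; }
  if (u.origin !== SITE_ORIGIN) return null;
  if (!u.searchParams.has('_escaped_fragment_')) return null;
  const fragment = u.searchParams.get('_escaped_fragment_');
  if (/^[a-z][a-z0-9+.-]*:/i.test(fragment) || fragment.startsWith('//')) return null;
  u.searchParams.delete('_escaped_fragment_');
  const remaining = u.searchParams.toString();
  const rendered = new URL(u.pathname + (remaining ? '?' + remaining : ''), SITE_ORIGIN);
  // An empty fragment means the page itself opted in with <meta name="fragment" content="!">.
  rendered.hash = fragment === '' ? '' : '!' + fragment;
  return rendered.toString();
}

// App URL -> the URL the crawler would request for it (useful for checking a
// sitemap or for testing the prerenderer by hand). Null if the URL has no "#!".
function appUrlToCrawlerUrl(appUrl) {
  const u = new URL(appUrl);
  if (!u.hash.startsWith('#!')) return null;
  const fragment = u.hash.slice(2);
  u.hash = '';
  u.searchParams.set('_escaped_fragment_', fragment);
  return u.toString();
}
```

The origin check matters even though the route handler only ever sees requests for its own host: frameworks commonly reconstruct the full URL from a Host header the client controls, so the function normalises against a fixed origin rather than trusting the request.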