auth0-blog / angular-token-auth Goto Github PK

Sorry for the newbie question, but how come the client side app is able to get the profile from token? Isn't the token encrypted other than with base64? What if a malicious user substitute the user profile part of the token by the information of another user, then the API would receive the token and use the payload data to populate the req.user with the information of another user. I'm sure I am missing something here. Could you please explain this in detail to me?

P.S. I'm referring to the code in auth.client.js:

var encodedProfile = data.token.split('.')[1];
var profile = JSON.parse(url_base64_decode(encodedProfile));

Running the current code as is, after logging in and clicking the secret, I get an unauthorized error. Unless I'm missing something I should be able to get through to the actual api call and have a json result returned.

Using window.sessionStorage means the token will not survive a browser refresh.

What would be the advisable approach here

1. Request a new token on application startup, just in case there is already a session on the server for that user?

2. Store the token in a cookie?

3. non session browser storage could be sketchy since it lives beyond life of the browser, it could be stolen.

Some one can intercept user's http request and get the token.So that the hacker can simulate a request to login.Right?

I made a copy of your script adapted to my needs,
but it breaks in a line like
https://github.com/auth0/angular-token-auth/blob/master/auth.client.js#L34

with error Unexpected token at JSON.parse.

This happens when the payload used to create token has an utf8 char in it
in my case it was the character 'ć' .

Please check.

I'm not a user, but I did notice and copy your url_base64_decoder for a project of my own. I've noticed the following issue with it which you may want to fix:

https://github.com/auth0-blog/angular-token-auth/blob/master/auth.client.js#L5:

var output = str.replace('-', '+').replace('_', '/');

should in fact be doing a replace All:

const reg1 = new RegExp("_", "g");
const reg2 = new RegExp("-", "g");
let output = str.replace(reg2, '+').replace(reg1, '/');

Clarification: There is nothing limiting a string to a single "_" or "-" character.

Here's the offending snippet:

    response: function (response) {
      if (response.status === 401) {
        // handle the case where the user is not authenticated
        // THIS WILL NEVER GET EXECUTED.
      }
      return response || $q.when(response);
    }

If the server sends a 401, the response function will not fire, it is the responseError function that will fire.

How to import to MEAN: https://github.com/linnovate/mean