
## angular-token-auth

Example of token-based authentication in AngularJS with Express.

Build and Run

First, install dependencies using npm:

    npm install

Run the example:

    node auth.server.js

and go to localhost:8080.

More advanced scenarios?

For a complete example handling social providers, enterprise authentication with LDAP/Active Directory, and user/password, check out Auth0 Angular integration.

Issue Reporting

If you have found a bug or have a feature request, please report it in this repository's issues section. Please do not report security vulnerabilities on the public GitHub issue tracker. The Responsible Disclosure Program details the procedure for disclosing security issues.

Author

Auth0

License

This project is licensed under the MIT license. See the LICENSE file for more info.

Contributors

bensinther, ntotten, pose, woloski


angular-token-auth's Issues

Unauthorized?

Running the current code as is, after logging in and clicking the secret, I get an unauthorized error. Unless I'm missing something, I should be able to get through to the actual API call and have a JSON result returned.

Incorrect $http interceptor implementation

Here's the offending snippet:

    response: function (response) {
      if (response.status === 401) {
        // handle the case where the user is not authenticated
        // THIS WILL NEVER GET EXECUTED.
      }
      return response || $q.when(response);
    }

If the server sends a 401, the response function will not fire, it is the responseError function that will fire.
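The snippet below is an added illustration of the point this issue makes; it is not code from the repository or from the issue author. It models how AngularJS wires interceptors, which is `promise = promise.then(interceptor.response, interceptor.responseError)` for each registered interceptor, using native Promises in place of `$q` and a stubbed `fakeHttp` in place of `$http` (both stand-ins, and the `demo` driver, are assumptions made for the example). A non-2xx status is a rejected promise, so the 401 branch inside `response` never runs; the corrected interceptor handles it in `responseError` and keeps the rejection flowing to the caller.

```javascript
// Added example (not the repository's code): models how AngularJS chains $http
// interceptors, using native Promises in place of $q and a stubbed transport in
// place of $http. fakeHttp, brokenInterceptor, fixedInterceptor and demo are
// assumptions made for this demo.

// AngularJS wraps each interceptor as
//   promise = promise.then(interceptor.response, interceptor.responseError)
// A non-2xx status is a *rejected* promise, so it skips `response` entirely.
function fakeHttp(interceptors, status, data) {
  var promise = (status >= 200 && status < 300)
    ? Promise.resolve({ status: status, data: data })
    : Promise.reject({ status: status, data: data });
  interceptors.forEach(function (interceptor) {
    promise = promise.then(interceptor.response, interceptor.responseError);
  });
  return promise;
}

// The issue's snippet, as posted: the 401 branch lives in `response`.
function brokenInterceptor(log) {
  return {
    response: function (response) {
      if (response.status === 401) {
        log.push('response saw 401'); // unreachable: a 401 arrives as a rejection
      }
      return response;
    }
    // no responseError: the rejection passes straight through, unhandled
  };
}

// Corrected interceptor: handle the unauthenticated case in `responseError`
// and re-reject so callers can still react to the failure.
function fixedInterceptor(log, onUnauthenticated) {
  return {
    response: function (response) {
      log.push('response saw ' + response.status);
      return response;
    },
    responseError: function (rejection) {
      if (rejection.status === 401) {
        log.push('responseError saw 401');
        onUnauthenticated(); // e.g. drop the stored token and redirect to login
      }
      return Promise.reject(rejection);
    }
  };
}

// Drives both interceptors through a 401 and a 200 and reports what each hook saw.
function demo() {
  var brokenLog = [];
  var fixedLog = [];
  var state = { loggedOut: false, finalStatus: null };
  var onUnauthenticated = function () { state.loggedOut = true; };
  return fakeHttp([brokenInterceptor(brokenLog)], 401, 'Unauthorized')
    .catch(function () { /* swallowed on purpose: only the log matters here */ })
    .then(function () {
      return fakeHttp([fixedInterceptor(fixedLog, onUnauthenticated)], 401, 'Unauthorized');
    })
    .catch(function (rejection) { state.finalStatus = rejection.status; })
    .then(function () {
      return fakeHttp([fixedInterceptor(fixedLog, onUnauthenticated)], 200, { secret: 'ok' });
    })
    .then(function (ok) {
      return {
        brokenLog: brokenLog,           // [] : the 401 branch in `response` never ran
        fixedLog: fixedLog,             // ['responseError saw 401', 'response saw 200']
        loggedOut: state.loggedOut,     // true
        finalStatus: state.finalStatus, // 401 : the rejection still reaches the caller
        okStatus: ok.status             // 200 : `response` does run for success
      };
    });
}

demo().then(function (r) { console.log(r); });
```

Returning `Promise.reject(rejection)` (in AngularJS, `$q.reject(rejection)`) from `responseError` is deliberate: returning a plain value there would convert the 401 into a successful response and hide the failure from the code that issued the request.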

Security issues

Someone can intercept the user's HTTP request and get the token. So the hacker can simulate a request to log in. Right?

Decoder should replace all

I'm not a user, but I did notice and copy your url_base64_decoder for a project of my own. I've noticed the following issue with it which you may want to fix:

https://github.com/auth0-blog/angular-token-auth/blob/master/auth.client.js#L5:

    var output = str.replace('-', '+').replace('_', '/');

should in fact be doing a replace All:

    const reg1 = new RegExp("_", "g");
    const reg2 = new RegExp("-", "g");
    let output = str.replace(reg2, '+').replace(reg1, '/');

Clarification: There is nothing limiting a string to a single "_" or "-" character.

Support browser refresh

Using window.sessionStorage means the token will not survive a browser refresh.

What would be the advisable approach here?

  1. Request a new token on application startup, just in case there is already a session on the server for that user?

  2. Store the token in a cookie?

  3. Non-session browser storage could be sketchy since it lives beyond the life of the browser; it could be stolen.

How come the client side app is able to get the profile from token

Sorry for the newbie question, but how come the client-side app is able to get the profile from the token? Isn't the token encrypted other than with base64? What if a malicious user substitutes the user profile part of the token with the information of another user? Then the API would receive the token and use the payload data to populate req.user with the information of another user. I'm sure I am missing something here. Could you please explain this in detail to me?

P.S. I'm referring to the code in auth.client.js:

    var encodedProfile = data.token.split('.')[1];
    var profile = JSON.parse(url_base64_decode(encodedProfile));
