auth0-blog / angular-token-auth
Token-based authentication in AngularJS
License: MIT License
Someone can intercept the user's HTTP request and get the token, so that the hacker can simulate a request to log in. Right?
I'm not a user, but I did notice and copy your url_base64_decoder
for a project of my own. I've noticed the following issue with it which you may want to fix:
https://github.com/auth0-blog/angular-token-auth/blob/master/auth.client.js#L5:
var output = str.replace('-', '+').replace('_', '/');
should in fact be doing a replace-all:
const reg1 = new RegExp("_", "g");
const reg2 = new RegExp("-", "g");
let output = str.replace(reg2, '+').replace(reg1, '/');
Clarification: There is nothing limiting a string to a single "_" or "-" character.
Here's the offending snippet:
response: function (response) {
  if (response.status === 401) {
    // handle the case where the user is not authenticated
    // THIS WILL NEVER GET EXECUTED.
  }
  return response || $q.when(response);
}
If the server sends a 401, the response
function will not fire, it is the responseError
function that will fire.
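To make the routing in the comment above concrete, here is an added example (not code from the repository or from the commenter) of an interceptor in the object shape AngularJS `$http` expects, plus a small stand-in for the part of `$http` that sends a completed response either through `response` (2xx) or `responseError` (everything else). The names `createAuthInterceptor`, `dispatch`, `storage` and `onUnauthorized` are assumptions for the illustration; in a real app the routing is done asynchronously by `$http` with `$q`, and the object is registered via `$httpProvider.interceptors`.

```javascript
// Added example. An interceptor in the object shape AngularJS $http uses.
// `storage` stands in for window.sessionStorage and `onUnauthorized` for
// whatever the app does on a 401 (redirect to login, broadcast an event).
function createAuthInterceptor(storage, onUnauthorized) {
  return {
    // Attach the stored token to every outgoing request.
    request(config) {
      const token = storage.token;
      if (token) {
        config.headers = Object.assign({}, config.headers, {
          Authorization: 'Bearer ' + token,
        });
      }
      return config;
    },
    // Only 2xx responses reach this hook, so a 401 check here is dead code.
    response(response) {
      return response;
    },
    // 4xx/5xx responses (and network failures) land here instead.
    responseError(rejection) {
      if (rejection.status === 401) {
        // Token is missing, invalid or expired: drop it and let the app react.
        delete storage.token;
        onUnauthorized(rejection);
      }
      // Keep the failure visible to the caller
      // (equivalent to `return $q.reject(rejection)` in AngularJS).
      throw rejection;
    },
  };
}

// Stand-in for the piece of $http that routes a finished HTTP response.
// Real $http does this asynchronously with $q; the status split is the same.
function dispatch(interceptor, response) {
  const ok = response.status >= 200 && response.status < 300;
  if (ok) {
    return { handler: 'response', result: interceptor.response(response) };
  }
  try {
    return { handler: 'responseError', result: interceptor.responseError(response) };
  } catch (rejection) {
    return { handler: 'responseError', rejected: rejection };
  }
}

// Constructed demo values (not from any real server).
const sessionStore = { token: 'constructed.demo.token' };
const unauthorizedEvents = [];
const interceptor = createAuthInterceptor(sessionStore, (r) => unauthorizedEvents.push(r.status));

const outgoing = interceptor.request({ url: '/api/secret', headers: {} });
const okResult = dispatch(interceptor, { status: 200, data: { secret: 'hello' } });
const unauthorizedResult = dispatch(interceptor, { status: 401, data: 'Unauthorized' });
```

Running it, the 200 goes through `response`, the 401 goes through `responseError`, the token is cleared and the unauthorized callback fires exactly once.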
Sorry for the newbie question, but how come the client-side app is able to get the profile from the token? Isn't the token encrypted other than with base64? What if a malicious user substitutes the user profile part of the token with the information of another user? Then the API would receive the token and use the payload data to populate req.user with the information of another user. I'm sure I am missing something here. Could you please explain this in detail to me?
P.S. I'm referring to the code in auth.client.js:
var encodedProfile = data.token.split('.')[1];
var profile = JSON.parse(url_base64_decode(encodedProfile));
Running the current code as is, after logging in and clicking the secret, I get an unauthorized error. Unless I'm missing something I should be able to get through to the actual api call and have a json result returned.
How to import to MEAN: https://github.com/linnovate/mean
I made a copy of your script adapted to my needs,
but it breaks in a line like
https://github.com/auth0/angular-token-auth/blob/master/auth.client.js#L34
with error Unexpected token at JSON.parse.
This happens when the payload used to create the token has a UTF-8 character in it;
in my case it was the character 'ฤ'.
Please check.
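Both the replace-all report above and this UTF-8 report come down to the same decoder, so here is one added example (not the repository's code, nor either reporter's) of a base64url decoder that handles every `-` and `_`, restores the padding JWTs strip, and decodes the resulting bytes as UTF-8 instead of treating each byte as a character, which is what turns 'ฤ' into bytes that `JSON.parse` rejects. The original one-shot `replace` is kept alongside for comparison. Function names and the demo token are constructed; the code relies only on `atob`/`btoa` and `TextEncoder`/`TextDecoder`, available in browsers and in Node 16 or newer.

```javascript
// Added example: a correct base64url (RFC 4648 section 5) decoder for JWT
// segments. Not the repository's code; function names are illustrative.

// Encoder, used here only to build a demo token with a non-ASCII payload.
function urlBase64Encode(str) {
  const bytes = new TextEncoder().encode(str);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode a base64url string to raw bytes.
function urlBase64ToBytes(str) {
  // Regex with the g flag: every '-' and '_' is mapped, not just the first.
  let output = str.replace(/-/g, '+').replace(/_/g, '/');
  // JWTs drop the '=' padding; atob wants it back.
  switch (output.length % 4) {
    case 0: break;
    case 2: output += '=='; break;
    case 3: output += '='; break;
    default: throw new Error('Illegal base64url string: bad length');
  }
  // atob returns one JS char per byte; turn that back into bytes.
  const binary = atob(output);
  return Uint8Array.from(binary, (c) => c.charCodeAt(0));
}

// Decode to a string, interpreting the bytes as UTF-8 (fatal: reject garbage).
function urlBase64Decode(str) {
  return new TextDecoder('utf-8', { fatal: true }).decode(urlBase64ToBytes(str));
}

// Client-side read of the payload segment, as auth.client.js does.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('Not a JWT');
  return JSON.parse(urlBase64Decode(parts[1]));
}

// The original single-character replace, kept for comparison: only the first
// '-' and first '_' are translated, so inputs containing several fail in atob,
// and bytes above 0x7F are never decoded as UTF-8.
function buggyUrlBase64Decode(str) {
  const output = str.replace('-', '+').replace('_', '/');
  return atob(output);
}

// Constructed demo token: real header and payload encoding, placeholder
// signature (signature checking is the server's job, not the client's).
const demoPayload = { sub: '1234', name: 'ฤ' };
const demoToken = [
  urlBase64Encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  urlBase64Encode(JSON.stringify(demoPayload)),
  'c2ln',
].join('.');
```

`urlBase64ToBytes('____')` yields three 0xFF bytes, where the one-shot replace hands `atob` the string `/___` and throws, and `decodeJwtPayload(demoToken).name` comes back as 'ฤ' intact.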
Using window.sessionStorage means the token will not survive a browser refresh.
What would be the advisable approach here
Request a new token on application startup, just in case there is already a session on the server for that user?
Store the token in a cookie?
Non-session browser storage could be sketchy since it lives beyond the life of the browser; it could be stolen.