How to secure my AngularJS and Web Api application

Question

I am using AngularJS with ASP.NET Web Api server side. Seems to me like authentication has now become a breeze? Or is this too good to be true?

So I'm thinking of using the Web Api's "Individual User Accounts" authentication. And I am thinking that is all I need. As long as every request is authenticated and noone can get any data they shouldn't I shouldn't need to do much more right?

Or am I missing some key security fundamentals?

Answer 1

When it comes to securing the API you have two main approaches

1. Cookie based approach. This is the traditional way, where you use the standard form to authenticate the user and then set the form authentication cookie. All unauthorized request take the user to login page. If your API is always supported by UI front end to do login this method with work.
2. Second is using the authorization token in the header of the request. Once the user is authenticated he get a auth token, which he has to attach to every subsequent request in the Authorize HTTP header. Learn more about it here Individual Accounts in ASP.NET Web API . The advantage here is that you can expose your API without requiring a login page.

But remember when using the second approach, the auth token has to be stored on the client side as all subsequent request require this token. Look at this blog post Cookies vs Tokens. Getting auth right with Angular.JS to understand how to work with token.

Hope it helps.

Answer 2

Here's a great article about using Angular JS with WebAPI 2.0 token based authentication.

http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/