mpssantos

Reputation: 1001

AngularJS Authentication and XSRF token based

I am new to Angular and I am developing an application to learn more.

I want to build authentication. Can someone comment on whether this is a good approach?

I am thinking of using a similar approach to the one used with XSRF with RESTful WS.

1) After authentication, create a token in a cookie based on userid + sessionId + salt, and encrypt this string with SHA256

2) What info do we need to pass to the client application?

3) Pass the token created in 1) to the server each time we navigate to a page that needs authentication

4) On client side check if user is authenticated.

My problem is how can we check on the client side safely if the user is authenticated? Isn't it true that if we save that information in the JavaScript, that info is compromised? How do I develop a safe "isAuthenticated" JavaScript function? Should the function get the response from the server that knows how to validate the token?

Is this a good approach, or are there better ways to do it?

Thank you very much.

Upvotes: 1

Views: 305

Answers (1)

Chad Robinson

Reputation: 4623

You must always assume that the client is, or can be, compromised. So you cannot know for sure on the client side that the user is 100% authenticated, absolutely, for sure, without a doubt.

But that is almost never as important as we make it out to be. On the client side we are generally displaying the user interface, not actually processing a credit card transaction. We do not have user A send user B an e-mail message 100% in the client - we send it to the server, and it handles the rest.

Therefore, what you really want is:

  1. How do I know on the client that I should ACT like I'm logged in? That is, when do I stop showing the login form and start showing the inbox?

  2. How do I know on the server that this client is really who s/he says s/he is?

The first is easy. Drawing an empty inbox is useless. Use the presence of the cookie to enable this behavior, and so what if it gets "hacked"? A user is able to see an empty inbox? This has no value. They could just as easily download your raw templates anyway - those are going to be public, so they're not exactly a secret. So here you are just looking for consistent behavior that "makes sense".

The one thing you do normally worry about in the client is things like cookie theft and man-in-the-middle attacks. There are various techniques for combating this and you should explore them. They're too long to cover here, and aren't specific to AngularJS.

For the second problem, now you must validate the user's session. To prevent cookie theft, in addition to what you are already hashing it's common to include things like a nonce from a 2-step auth cycle (common in OAuth) and other things like perhaps the user's IP address. This is a pain in mobile apps where it might change, but still fairly common. In practice, it's hard to do this en masse and most hackers want to do big compromises, not just hack one user... but you should still do your due diligence here.

Your scheme "probably" does these things but since you are only summarizing it there is still a lot to cover. One comment I would add is that for purely API-driven applications, it's becoming more common to use just raw headers, not cookies. They're a little harder to steal - not impossible, but anything you can do to reduce your attack surface is a Good Thing(tm).

In the end I think you will find that very little of this applies to AngularJS. Select an appropriate authentication scheme for your entire application, and there will almost certainly be a way to integrate it into Angular.

Upvotes: 2
