
How to secure feature for authenticated users only in Meanjs when using angularjs

I am working on my first app, and have started with the front-end and angularjs. In general I have found it very intuitive, but the relationship between backend and frontend is where things start to blur for me.

I have now gotten to the point where I want to provide slightly different functionality on some pages depending on whether the user is authenticated or not (in this case the ability to edit some form fields in a form).

From the public angularjs side it seems easy enough to write a basic if statement to provide different functionality to authenticated users (see basic attempt below), but as this is a client-side function, how do I prevent a user from spoofing authentication to edit things I don't want them to (i.e. save to the database)?

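angular.module('core').controller('myCtrl', ['$scope', 'Authentication', 'Menus',
    function($scope, Authentication, Menus) {
        // Expose the injected Authentication service to the view.
        $scope.authentication = Authentication;

        // typeof null is also "object", so null has to be ruled out explicitly;
        // otherwise a missing user would take the authenticated branch.
        var user = $scope.authentication.user;
        var isSignedIn = user !== null && typeof user === 'object';

        // This branch only decides what the page shows. Anything in the browser
        // can be altered by the person using it, so the server route that saves
        // the form must check the session itself and reject the write when no
        // user is logged in.
        if (isSignedIn) {
            // behaviour for authenticated
        } else {
            // for unauthenticated
        }
    }
]);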

I am new to mean, meanjs and node.js in general, being primarily a php guy, so please be gentle if my question is way off base.


Answers (1)


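I suggest using Passport, an npm module for user authentication. What the Angular code shows or hides is only presentation; the edit has to be refused on the server, so every route that saves data should check the session (for example with `req.isAuthenticated()`) before writing. Here's some code to get you started. Also take a look at this scotch.io tutorial.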

// load all the things we need
var LocalStrategy   = require('passport-local').Strategy;

// load up the user model
var User            = require('../app/models/user');

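/**
 * Registers session (de)serialization and two local strategies,
 * 'local-signup' and 'local-login', on the given Passport instance.
 *
 * This only establishes who the user is. Each route that changes data still
 * has to check the authenticated session on the server before acting.
 *
 * @param {object} passport - the Passport instance used by the app
 */
module.exports = function(passport) {

  // Keep only the user id in the session.
  passport.serializeUser(function(user, done) {
    done(null, user.id);
  });

  // Load the full user record again from the id stored in the session.
  passport.deserializeUser(function(id, done) {
    User.findById(id, function(err, user) {
      done(err, user);
    });
  });

  passport.use('local-signup', new LocalStrategy({
    usernameField : 'email',
    passwordField : 'password',
    passReqToCallback : true // pass the whole request to the callback (used for req.flash)
  },
  function(req, email, password, done) {

    // Defer the lookup to the next tick, as the original code does.
    process.nextTick(function() {

      // Both values come from the request. Accept strings only, so that a
      // parsed body cannot put an object where the query expects a plain email.
      if (typeof email !== 'string' || typeof password !== 'string')
        return done(null, false);

      // Look for an existing account with the submitted email.
      // NOTE(review): this lookup and the save below are not atomic; a unique
      // index on local.email (not visible here) is what would actually stop
      // two concurrent signups from creating duplicates - confirm the model has one.
      User.findOne({ 'local.email' :  email }, function(err, user) {
        if (err)
          return done(err);

        // An account with that email already exists: fail the signup.
        if (user) {
          return done(null, false, req.flash('signupMessage', 'That email  is already taken.'));
        }

        var newUser = new User();

        // generateHash is defined on the model and not shown here; presumably
        // it returns a salted, slow password hash - verify before relying on it.
        newUser.local.email    = email;
        newUser.local.password = newUser.generateHash(password);

        newUser.save(function(err) {
          // Report the failure through done(). Throwing inside this callback
          // would escape Passport and surface as an uncaught exception.
          if (err)
            return done(err);
          return done(null, newUser);
        });
      });

    });

  }));

  passport.use('local-login', new LocalStrategy({
    // by default, local strategy uses username and password, we will override with email
    usernameField : 'email',
    passwordField : 'password',
    passReqToCallback : true // pass the whole request to the callback (used for req.flash)
  },
  function(req, email, password, done) { // callback with email and password from our form

    // Accept strings only (see the signup strategy); anything else is treated
    // as a failed login with the same message as a wrong password.
    if (typeof email !== 'string' || typeof password !== 'string')
      return done(null, false, req.flash('loginMessage', 'Oops! Wrong username or password.'));

    User.findOne({ 'local.email' :  email }, function(err, user) {
      // if there are any errors, return the error before anything else
      if (err)
        return done(err);

      // Unknown email and wrong password get the same message, so the
      // response does not reveal which addresses have an account.
      // The message is stored in the session as flash data.
      if (!user || !user.validPassword(password))
        return done(null, false, req.flash('loginMessage', 'Oops! Wrong username or password.'));

      // all is well, return successful user
      return done(null, user);
    });

  }));

};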
