dewastator

Reputation: 213

Token authentication in SPA app

I started a new project. It is a small application (playground) to learn a couple of new concepts. I will create a backend API using Ruby on Rails and a Single Page Application using React. I am stuck on authentication. I would like to create custom token-based Authorization/Authorization. I came up with the following auth flow:

  1. The user fills in password/login and sends it to the backend using Ajax over a secured HTTPS connection.
  2. The backend checks if the user exists in the DB. If the user exists, the backend creates a token and saves it to Redis with the user id.
  3. The backend responds with the token to the client app.
  4. On the client side I will save the above token to local storage.
  5. Before every request I will get the token from local storage and pass it in the request header.
  6. On the backend I will take the token from the header and check if it exists in the Redis DB.

Is this flow correct? Should I decrypt the token on the client side, or is it not necessary? This project is only a playground, but I would like to do it properly. Please give me some comments if the above flow isn't good enough.

Upvotes: 1

Views: 849

Answers (1)

Thierry Templier

Reputation: 202156

I think that you have the right approach. This link could give you more details about token-based authentication:

Hope it helps you, Thierry

Upvotes: 1
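
An added example (not part of the question or the answer) of steps 2, 3 and 6 of the flow in Ruby: the token is an opaque random value, so the client only stores and returns it and has nothing to decrypt. `MemoryStore` is a stand-in for Redis so the code runs offline, and the `TokenAuth` class, the `session:` key prefix and the TTL are assumptions.

```ruby
require 'securerandom'
require 'digest'

# In-memory stand-in for Redis (assumption, so the example runs offline).
class MemoryStore
  attr_reader :data

  def initialize
    @data = {}
  end

  def write(key, value, expires_at)
    @data[key] = [value, expires_at]
  end

  def read(key, now)
    value, expires_at = @data[key]
    return value if value && now < expires_at
    @data.delete(key) # missing or expired: nothing to return
    nil
  end
end

class TokenAuth
  TTL = 3600 # token lifetime in seconds (constructed value)

  def initialize(store)
    @store = store
  end

  # Steps 2-3: after the password check succeeds, mint a random token.
  # Only its SHA-256 digest is stored, so a dump of the store leaks no usable token.
  def issue(user_id, now: Time.now.to_i)
    token = SecureRandom.urlsafe_base64(32)
    @store.write(key_for(token), user_id, now + TTL)
    token
  end

  # Step 6: resolve "Authorization: Bearer <token>" to a user id, or nil.
  def authenticate(header, now: Time.now.to_i)
    match = /\ABearer ([A-Za-z0-9_-]{20,})\z/.match(header.to_s)
    match && @store.read(key_for(match[1]), now)
  end

  private

  def key_for(token)
    "session:#{Digest::SHA256.hexdigest(token)}"
  end
end
```

With a real Redis client the expiry would be set on the key itself, so the server drops stale sessions without the read-time check.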
