Angular Auth vs Laravel backend

I am building an application using Laravel and creating a small internal API to connect to the Angular interface.

Auth works for me, but I wanted to make sure that this is an acceptable way to log the user into the system and to make sure everything is safe.

Session Controller:

```php
<?php
// SessionsController, as referenced by the route below (Laravel 4 syntax)
class SessionsController extends BaseController {

    // GET /auth/status: is the current session authenticated?
    public function index()
    {
        return Response::json(Auth::check());
    }

    public function create()
    {
        if (Auth::check()) {
            return Redirect::to('/admin');
        }
        return Redirect::to('/');
    }

    // POST /auth/login with a JSON body {"email": ..., "password": ...}
    public function login()
    {
        $credentials = array(
            'email'    => Input::json('email'),
            'password' => Input::json('password'),
        );

        if (Auth::attempt($credentials)) {
            return Response::json(Auth::user());
            // return Redirect::to('/admin');
        }

        // 401 rather than 500: failed credentials are a client error, not a server fault
        return Response::json(array('flash' => 'Invalid username or password'), 401);
    }

    public function logout()
    {
        Auth::logout();
        return Response::json(array('flash' => 'Logged Out!'));
    }
}
```

Laravel Route:

```php
// the stray spaces inside the controller string would break route resolution
Route::get('auth/status', 'SessionsController@index');
```

Angular Factory:

```javascript
app.factory('Auth', ['$http', function ($http) {
    var Auth = {};

    // GET /auth/status and record the state the backend reports.
    // The promise is returned so callers can wait on it; the original
    // `return Auth.status` inside the callback never reached the caller.
    Auth.getAuthStatus = function () {
        return $http.get('/auth/status').then(function (response) {
            if (!response.data) {
                console.log('Unable to verify auth session');
            } else {
                console.log('successfully getting auth status', response.data);
            }
            // store the logged-out state too, so the UI can react to both
            Auth.status = response.data;
            return Auth.status;
        });
    };

    return Auth;
}]);
```

I would then essentially wrap the entire application in something like "appController" and declare the "Auth" factory as a dependency. Then I can call Auth.getAuthStatus() and hide / show things based on the state of the user, as this will essentially be a SPA.

I understand that I also need to hide the /auth/status URI from being viewed / hit by anyone, and wondered how to do this. A general answer would be very helpful, but any insight is appreciated. Thanks.

+5
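Added example, not the asker's code: a hardened version of the same session routes, written against the Laravel 4 API used in the question. It assumes Laravel 4.1 or later (for Session::regenerate() and JSON request input), hypothetical AdminController and UsersController classes, and an Angular client that sends back the csrf_token it received from /auth/status in an X-CSRF-Token header on every POST. The point it makes: /auth/status does not need hiding, since it only reports whether the caller's own session is logged in; what does need protecting is the login/logout pair, because a cookie-backed session can be driven by any page the browser visits, and anything the SPA hides must also be refused server-side.

```php
<?php
// Added example (not the asker's code). Laravel 4.1+ syntax.
// Assumed: an Angular client that echoes the csrf_token from /auth/status
// in an X-CSRF-Token header on POSTs; AdminController and UsersController
// are hypothetical names.

// app/filters.php

// Reject any state-changing request that does not carry this session's CSRF
// token. With cookie sessions a third-party page can make the browser POST to
// /auth/login or /auth/logout; the token proves the request came from our SPA.
Route::filter('csrf-header', function ($route, $request) {
    $sent = $request->header('X-CSRF-Token');
    if ($sent === null || $sent !== Session::token()) {
        return Response::json(array('flash' => 'Token mismatch'), 403);
    }
});

// Same job as the stock `auth` filter, but answering JSON instead of a
// redirect: an API client cannot usefully follow a redirect to a login form.
Route::filter('auth-json', function ($route, $request) {
    if (Auth::guest()) {
        return Response::json(array('flash' => 'Authentication required'), 401);
    }
});

// app/routes.php

// /auth/status needs no hiding: it only answers "is *this* browser session
// logged in?", which the caller already knows. It also hands the SPA the
// CSRF token to send back on POSTs.
Route::get('auth/status', function () {
    return Response::json(array(
        'authenticated' => Auth::check(),
        'csrf_token'    => Session::token(),
    ));
});

Route::post('auth/login', array('before' => 'csrf-header', function () {
    $credentials = array(
        'email'    => Input::json('email'),
        'password' => Input::json('password'),
    );

    if (!Auth::attempt($credentials)) {
        // 401, not 500: bad credentials are a client error the client may
        // branch on.
        return Response::json(array('flash' => 'Invalid username or password'), 401);
    }

    // New session id after login, so a session id fixated before login is
    // useless to whoever planted it.
    Session::regenerate();

    $user = Auth::user();
    // Explicit whitelist instead of Response::json(Auth::user()): serialising
    // the whole model exposes every column not listed in $hidden.
    return Response::json(array(
        'id'    => $user->id,
        'email' => $user->email,
        'name'  => $user->name,
    ));
}));

Route::post('auth/logout', array('before' => 'csrf-header', function () {
    Auth::logout();
    Session::flush();
    return Response::json(array('flash' => 'Logged Out!'));
}));

// Everything under /admin and /api requires a logged-in session on the
// server; hiding links in Angular changes what is drawn, not what is reachable.
Route::group(array('before' => 'auth-json'), function () {
    Route::get('admin', 'AdminController@index');
    Route::get('api/v1/users/{id}', 'UsersController@show');
});
```

The CSRF check compares a request header rather than a form field because the SPA posts JSON, and a cross-site form post cannot set custom headers. If the Laravel and Angular apps are served from different origins, the token has to travel some other way and the CORS configuration becomes part of the same control.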
1 answer

Great question. I have already answered a question saying the same thing.

Authentication is slightly different in a SPA because you completely separate the Laravel and Angular applications. Laravel takes care of validation, logic, data, etc.

I highly recommend you read the article below.

You can use Laravel's route filters to protect your routes from unauthorized users. However, since your Laravel application is now only the endpoint, the frontend framework will do the heavy lifting of authentication and authorization.

Even once you have set up route filters, this does not prevent authorized users from trying to perform actions that they are not allowed to do.

What I mean above is, for example:

You have an API endpoint: /api/v1/users/159/edit

The endpoint is one of the seven RESTful actions and can be used to edit the user. Any software engineer or developer knows that this is a RESTful endpoint and, if your application permits it, can send a request with data to this endpoint.

You only want user 159, or administrators, to be able to perform this action.

The solution to this is roles / groups / permissions, whatever you want to call them. Set the user's permissions for your application in the Angular application, and possibly store this data in the token you issue.

Read this great article (on AngularJS) on how to properly authenticate / authorize when using JavaScript frameworks.

Article: https://medium.com/opinionated-angularjs/techniques-for-authentication-in-angularjs-applications-7bbf0346acec

+9
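Added example, not part of the answer or the linked article: the server-side half of the /api/v1/users/159/edit case discussed above, in the Laravel 4 syntax the question uses. Whatever permission data is sent to Angular only decides what the SPA draws; the filter below is what decides whether a request is honoured, since anyone can craft the request by hand. It assumes a User model with a `role` column that holds 'admin' for administrators, a hypothetical UsersController, the stock `auth` filter from app/filters.php, and Laravel 4.1+ for $route->parameter().

```php
<?php
// Added example (not the answerer's code). Laravel 4.1+ syntax.
// Assumed: users.role column ('admin' for administrators), the stock `auth`
// filter, and a hypothetical UsersController.

// app/filters.php

// Allow the request only when the authenticated user owns the {id} in the
// route, or has the admin role. Route filters run before the controller,
// so a hand-crafted request for someone else's record never reaches it.
Route::filter('owner-or-admin', function ($route, $request) {
    $user = Auth::user();
    if ($user === null) {
        return Response::json(array('flash' => 'Authentication required'), 401);
    }

    $targetId = (int) $route->parameter('id');
    if ((int) $user->id !== $targetId && $user->role !== 'admin') {
        // 403 rather than 401: the caller is authenticated, just not allowed.
        return Response::json(array('flash' => 'Forbidden'), 403);
    }
});

// app/routes.php

Route::group(array('prefix' => 'api/v1'), function () {
    // The GET that loads the form data and the PUT that saves it get the same
    // filter; guarding only the /edit URI would leave the update wide open.
    Route::get('users/{id}/edit', array('before' => 'owner-or-admin', 'uses' => 'UsersController@edit'));
    Route::put('users/{id}',      array('before' => 'owner-or-admin', 'uses' => 'UsersController@update'));

    // Role data the SPA can use to hide or show controls. It is informational:
    // the filters above are what enforce it.
    Route::get('me/permissions', array('before' => 'auth', function () {
        $user = Auth::user();
        return Response::json(array(
            'id'          => $user->id,
            'role'        => $user->role,
            'can_edit_users' => $user->role === 'admin' ? '*' : array($user->id),
        ));
    }));
});

// app/controllers/UsersController.php

class UsersController extends BaseController {

    public function edit($id)
    {
        $user = User::findOrFail($id);
        return Response::json(array('id' => $user->id, 'name' => $user->name, 'email' => $user->email));
    }

    public function update($id)
    {
        $user = User::findOrFail($id);

        // Assign the editable fields one by one instead of filling from the
        // request: even a legitimate owner must not be able to send
        // {"role": "admin"} along with a name change.
        $user->name  = Input::json('name');
        $user->email = Input::json('email');
        $user->save();

        return Response::json(array('id' => $user->id));
    }
}
```

The ownership check reads the id from the route, not from the JSON body, so the client cannot pass the filter with one id and edit another; and the controller never mass-assigns the request, so the role column can only be changed by code that explicitly sets it.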

Source: https://habr.com/ru/post/1204286/
