Auth require valid token by default #1246

Closed
Tibing opened this issue Feb 18, 2019 · 4 comments · Fixed by #2259

Tibing (Member) commented Feb 18, 2019

Each auth module (login, redirect, etc.) has a requireValidToken setting, which is false by default. If that setting is set to true, the module will fail in cases of a positive response (HTTP status 200) with an invalid token. Otherwise, it will signal that the operation completed successfully, although it actually failed.

I propose setting requireValidToken to true by default, because it sounds more like natural behavior for modules.

electronomad commented Mar 12, 2019

I'm using NbAuthJWTToken as a wrapper class to authenticate users to /pages/** and I noticed that if I change the value of the JSON web token in local storage, the user is still authenticated even with an invalid token! Below is my module configuration:

    NbAuthModule.forRoot({
      strategies: [
        NbPasswordAuthStrategy.setup({
          name: 'email',
          baseEndpoint: 'http://localhost:8088/api',
          login: {
            endpoint: '/authenticate',
            method: 'post',
            requireValidToken: true,
            redirect: {
              success: '/pages',
              requireValidToken: true,
              failure: null,
              error: true,
            },
          },
          token: {
            class: NbAuthJWTToken,
            key: 'id_token',
          },
        }),
      ],
    })

@nnixaa So how can I verify the token validity after every route call?
Regards

nnixaa (Collaborator) commented Mar 12, 2019

@digitalberry-ahmed could you post an example of how you make this change to the token?

electronomad commented Mar 12, 2019

Thank you for your responsiveness @nnixaa
After the authentication, if I delete the last 4 characters of the token value, no validation of token validity is made and /pages/* remains accessible.
[screenshot: invalid-token]
[screenshot: valid-jwt]

nnixaa (Collaborator) commented Mar 12, 2019

Well, this is expected behavior, since Nebular cannot be aware of external changes you made outside of Angular.
In this very case, you need to refresh the page to notify Nebular about the changes made.
On the other hand, if you want to manually control a token from your code, you can inject NbTokenStorage and call the clear method. More details on the API: https://akveo.github.io/nebular/docs/auth/nbtokenlocalstorage#nbtokenlocalstorage

nnixaa modified the milestones: 4.0.0, 5.0.0 May 27, 2019
nnixaa removed the Backlog label Jun 4, 2019
yggg closed this as completed in #2259 Mar 6, 2020
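
Added example, not part of the thread and not Nebular's code: the case discussed above (a JWT with its last 4 characters deleted) checked two ways in Node.js. It assumes an HS256 token and a client-style check that only parses the token and reads its expiry; the secret, claims, clock value and function names are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const b64url = (input) => Buffer.from(input).toString("base64url");

// Issue an HS256 JWT the way a backend would (constructed demo secret).
function signJwt(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  const sig = createHmac("sha256", secret).update(`${head}.${body}`).digest("base64url");
  return `${head}.${body}.${sig}`;
}

// Client-style check (assumed for illustration): three parts, decodable
// payload, not expired. It never looks at the signature.
function looksValidOnClient(token, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  try {
    const claims = JSON.parse(Buffer.from(parts[1], "base64url").toString("utf8"));
    return typeof claims.exp === "number" && claims.exp > nowSec;
  } catch {
    return false;
  }
}

// Server-side check: recompute the HMAC with a fixed algorithm (the header's
// "alg" is not trusted), compare in constant time, then check expiry.
// The API has to do this on every request it serves.
function verifyOnServer(token, secret, nowSec) {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const expected = createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return false;
  return looksValidOnClient(token, nowSec);
}

// Constructed sample: a valid token, then the same token minus its last 4 characters.
const SECRET = "demo-secret-not-for-production";
const NOW = 1552400000; // fixed clock (March 2019) so the result is reproducible
const valid = signJwt({ sub: "user@example.com", exp: NOW + 3600 }, SECRET);
const truncated = valid.slice(0, -4);

console.log("client check, truncated:", looksValidOnClient(truncated, NOW)); // true
console.log("server check, truncated:", verifyOnServer(truncated, SECRET, NOW)); // false
console.log("server check, original: ", verifyOnServer(valid, SECRET, NOW)); // true
```

The truncation only damages the signature segment, so a structure-and-expiry check in the browser still passes; access to protected data is decided by the signature check on the server.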