This repository has been archived by the owner on Aug 30, 2021. It is now read-only.

MEAN.js 0.4.0 with token authentication? #389

Open
ricardodovalle opened this issue Feb 3, 2015 · 87 comments

Comments

@ricardodovalle

I would like to use MEAN.js with token authentication, but I am a Node.js beginner and I am porting a Rails app to learn.

I created a small project and added some features; the 'api/signin' route is returning the token (loginToken) encoded with JSON Web Token (jwt), but I need help.

How to connect and keep Angular session a live using token?
How to add express-jwt and to protect all /api route keeping the project organized?
What is the correct way to store the secret? (users.authentication.server.controller.js and strategies/local-token.js)?
What is the correct way to user signout?

Working on: https://github.com/ricardodovalle/meanjs-token-auth

Thank you very much.

@sylvainlap
Contributor

Use jwt-simple to create your JSON Web Token.
Once your client gets a token, you can save it client-side, thanks to LocalStorage. And then, at each request to the API, the client must send the token.
On the backend side, the token has to be checked at each request to the API, thanks to an Express middleware.

You can read more about the workflow here : http://www.sitepoint.com/using-json-web-tokens-node-js/

Good luck ;)
Sylvain

@ricardodovalle
Author

Hi @sylvainlap,
I used jsonwebtoken instead of jwt-simple, because it looks more up to date.
The project is creating the token and sending inside a json field (https://github.com/ricardodovalle/meanjs-token-auth)

I don't know how to do: "...the token has to be check at each request to the API, thanks to an Express middleware."

Thanks

@sylvainlap
Contributor

Are you using Passport.js ? If yes, you should use this Strategy : https://github.com/jaredhanson/passport-http-bearer

"passport.authenticate" will be the Express Middleware that will check for the token.

@ricardodovalle
Author

Thanks @sylvainlap 👏
I will work and try to use.

@acoulon99

Working on updating our repo for a meanjs token auth example. Hopefully it'll be useful to the community :)
https://github.com/castlewhitehall/meanjs-with-token-auth

@roboflank

I found this great token-based AngularJS authentication library, https://github.com/sahat/satellizer, and it works with any app perfectly. I prefer integrating this with the boilerplate, but the issue is I can't seem to get the auth files in MEAN.js. Any way to get around this?

@acoulon99

I would be interested in that as well

@sylvainlap
Contributor

This lib looks great, but redundant with Passport.
If you want Token Auth, as I already said, use the passport-http-bearer strategy.

If you really want to use Satellizer, you have to integrate it client side (Angular), and then see here:
https://github.com/sahat/satellizer/tree/master/examples/server/node to integrate server side (build the /auth/* routes).

@britztopher

If you want to attach the token to each request using Angular, you can use a request interceptor then attach it to the Authorization key in the request headers. That way any request you make will have a token attached to it. This is how loopback does it, and it works great.

@ilanbiala
Member

This is something that isn't necessary in MEAN.js, so I'm going to close this issue unless anyone has a compelling argument.

@lirantal
Member

@ilanbiala I actually find this PR very interesting. Tokens are very popular around mobile apps and provide the benefits of a stateless app. We can take a look at it once 0.4 is out, but of course it's not a requirement for 0.4 itself.

@lirantal lirantal reopened this Mar 11, 2015
@lirantal lirantal assigned lirantal and unassigned ilanbiala Mar 11, 2015
@ilanbiala
Member

It makes lots of sense for mobile apps, but it does add some extra complexity to the Angular code I think. Since we have no mobile app setup in MEAN.js, aren't we just adding complexity for most users?

@britztopher

@ilanbiala I use mean.js for a mobile app with Ionic and Cordova, and using a token-based auth would be much easier to work with. I think just because there is no mobile app setup doesn't mean people aren't using mean.js for mobile. Especially with mobile first using HTML5 like Bootstrap or whatever.

@ilanbiala
Member

@britztopher how much did you change to get a mobile app with MEAN.js working?

@britztopher

Well, I have a desktop and mobile app that use the same backend. For example, the mean.js application Angular side runs on desktop and on mobile web. I then have another application that runs with the Ionic framework (just Angular directives built for mobile applications); this uses Cordova to build and package up my mobile application into an Android and iOS runnable application. So if you are asking if I am using the Angular front-end that comes with mean.js as a mobile app, then no, I do not use it as a mobile application per se.

@ilanbiala
Member

So what I'm saying is that having MEAN.js support a mobile app packaging setup like Cordova means adding more code that for most users will just bloat the library. I think the best thing is if users like you write blog posts and create videos about modifying MEAN.js for these scenarios. MEAN.js was designed to be flexible, so we can incorporate these changes, but are 95% of users going to make use of the code that we add in?

@wesleyfsmith
Contributor

@ilanbiala I agree with what you are saying. I'm actually building an Ionic app that will talk with meanjs, but I don't think this should go in the main framework.

It sounds to me more like it should be added as a module, similar to mean-seo. I thought features that are common requests, but not so common that they should be part of core meanjs, should be added as additional modules (such as file upload, pagination, etc.). I also think generally going the module route as we add more and more features is smarter from an ecosystem-building perspective.

@jloveland
Contributor

I am also interested in this feature. I would like to leverage the backend services API and allow authentication from a mobile app.

There seem to be a lot of benefits using token auth such as not needing to keep authentication state, serving front end via CDN, no CSRF, and persistent token store.

Is there interest in adding this to the generator project?

here's a nice blog that discusses token auth:
http://code.tutsplus.com/tutorials/token-based-authentication-with-angularjs-nodejs--cms-22543

@britztopher

Also, can this just replace the session-based authentication/authorization model? I don't know if Passport has a way to pass back a token rather than store a session object, but this might be a good feature to replace the currently existing pattern.

@SOSANA

SOSANA commented Mar 12, 2015

Count me as a part of the 95% that want this option. There are benefits mentioned above. In fact, I was hoping to do a PR request on the generator for Ionic integration in the future, along with Material Design :)

@ilanbiala
Member

@SOSANA adding in lots of design frameworks as options requires maintaining them, and right now that's somewhat difficult because each one requires different templates, logic, and changes to keep up with the versions.

@lirantal
Member

@ilanbiala I can think of scenarios where users will choose MEAN.JS for its server side only, due to its simple and good structure, and will implement their own UI (whether it's another service like a mobile app or whatever). In this use case it makes sense for MEAN.JS to support tokens.

I see there's enough interest and a lot of activity on this item so let's keep it open and get back to it after we're through with 0.4 :)

@SOSANA

SOSANA commented Mar 13, 2015

@ilanbiala @lirantal Thanks for having an open mind and considering our arguments for these new features. I was wondering if you're still using Trello for our road map? If so, can we open it to the public to speed up the 4.0 transition?

@mleanos
Member

mleanos commented Nov 2, 2015

I realize that #1040 exists. I've expressed my thoughts on this in the discussion in that PR, but I wanted to bring the discussion back over here since a lot has been discussed here.

A lot of good work went into @kokokenada's PR, and it has some good implementations that we can use. However, I think the general consensus is that we need a more focused approach with smaller commits/PR's.

I had already started on a new branch for Token Auth before #1040 was submitted. I thought it would be a shame to not take advantage of the work that was put into this by @kokokenada & myself.

@lirantal You mentioned that we might want to work on this together in a shared branch. I already proposed this in the above mentioned PR.

I think we should start working together through my branch. It has smaller commits that have a bit more focus. It should be rather easy to collaborate on it. I originally posted a link to a branch where I started this implementation, but I ended up creating a fresh branch; I learned quite a bit with my first run and feel like it would be better to start fresh.

https://github.com/mleanos/mean/commits/token-auth-simplified

The commit messages explain what I have done so far. Basically, the back-end is done. I haven't touched the front-end at all.

Anyone have thoughts on my proposed approach?

@kokokenada

Great approach and much appreciated. I will try working with your branch as soon as I am able.

@mleanos
Member

mleanos commented Nov 2, 2015

@kokokenada Great, thank you! I was thinking that you might want to take a shot at the front-end implementation.

Earlier in this discussion, there was some talk of integrating Satellizer on the front-end for the Token management. It looks like a great library, and I think a bit of the struggles that come with this type of implementation are taken care of for you. Do you want to take a look at it?

https://github.com/sahat/satellizer

I don't think we need to add anything to the back-end for this, since we already have the OAuth routes set up & working. However, I may be wrong on that.

@kokokenada

Satellizer looks great. How do the leaders/gatekeepers feel about it as a dependency for MEANJS? (Who are the leaders/gatekeepers?) It isn't clear to me how Satellizer relates to the large number of strategy providers already in MEANJS. I'd have a lot of learning to do if I were to take it on, as I don't have experience in the area. I'm heads down on some other commitments for a couple of weeks at least. (One of which is building out a MEANJS development team in Toronto, if that strikes any chords with anyone.) I'm happy to help, but I may not be the best lead for this important work. Definitely comfy in a supporting role.

@mleanos
Member

mleanos commented Dec 21, 2015

Anybody want to start working on this together?

I have a preliminary attempt at this on the server-side here, https://github.com/mleanos/mean/commits/token-auth-simplified

@lirantal Any thoughts on organizing the effort here?

@lirantal
Member

Anyone who has time could just get on board; I don't think any formal organization is required.
Unfortunately I don't have much time to invest in this at the moment, but good luck! :)

@mleanos
Member

mleanos commented Dec 29, 2015

Added #1121 to get feedback & track

Anyone that wants to help out, feel free to submit changes to my fork's branch.

@trainerbill
Contributor

I think we can close this out. Feature is done and awaiting feedback/merge:

#1163

Please comment to get it pushed through

@codydaig
Member

codydaig commented Feb 4, 2016

@trainerbill If your commit message is in line with the Contributing.md document, this issue will auto-close when #1163 is merged.

@trendzetter
Contributor

I am installing this now. I browsed the code and saw that there is a default secret. Not a huge issue for now probably but maybe something to avoid? I don't know what is the best solution. It's easy to update but at some point lazy people will probably install it like that in production.

@simison
Member

simison commented Feb 4, 2016

@trendzetter

mean/config/config.js

Lines 90 to 110 in 43c7041

/**
 * Validate Session Secret parameter is not set to default in production
 */
var validateSessionSecret = function (config, testing) {
  if (process.env.NODE_ENV !== 'production') {
    return true;
  }
  if (config.sessionSecret === 'MEAN') {
    if (!testing) {
      console.log(chalk.red('+ WARNING: It is strongly recommended that you change sessionSecret config while running in production!'));
      console.log(chalk.red('  Please add `sessionSecret: process.env.SESSION_SECRET || \'super amazing secret\'` to '));
      console.log(chalk.red('  `config/env/production.js` or `config/env/local.js`'));
      console.log();
    }
    return false;
  } else {
    return true;
  }
};
;-)

@trendzetter
Contributor

so it refuses to run in production unless you add your own secret. Nice!

@trendzetter
Contributor

I am mistaken. It's merely warning but not refusing to run.
So far no further issues found.

@lirantal
Member

@trainerbill I'll close it when we get the JWT PR closed too :)

@leafdropco

I think it would be extremely useful to integrate mobile features. Maybe create a separate build specifically for mobile? I'm new to the mean stack and have been building my first big application. After reading the thread, I'm a little bummed that MEAN.js isn't as mobile friendly as I anticipated.

@roboflank

Can you elaborate more on mobile features?


@leafdropco

I was referring to some of the previous suggestions like JWT.
Maybe even adding Material Design instead of bootstrap, I think that would entice people to use meanjs over ionic or mean.io. Especially if you could integrate cordova.

@vko-online

vko-online commented Jun 9, 2016

So, for now, we don't have TokenAuth, ES2015, MaterialDesign, Swagger

Also, it would be nice to have a promise-based Mongoose API in the yo generator:

exports.update = (req, res) => {
  var order = req.order;
  order = Object.assign(order, req.body); // <== lodash is redundant
  order.save()
    .then(() => res.jsonp(order))
    .catch(err => res.status(400).send({ message: errorHandler.getErrorMessage(err) }));
};

looks much nicer than

exports.update = function (req, res) {
  var order = req.order;
  order = _.extend(order, req.body);
  order.save(function (err, order){
    if(err){
      return res.status(400).send({ message: errorHandler.getErrorMessage(err) });
    } else {
      res.jsonp(order);
    }
  });
};

mleanos added a commit to mleanos/mean that referenced this issue Sep 8, 2016
Implements JWT Authentication, and removes dependency of session
storage.

Closes meanjs#389
@mleanos mleanos modified the milestones: Backlog, 0.5.0 Oct 2, 2016
mleanos added a commit to mleanos/mean that referenced this issue Jan 20, 2017
Implements JWT Authentication, and removes dependency of session
storage.

Closes meanjs#389