In order to secure the application, authentication and authorization have to work in tandem to provide effective security. Especially in dynamic applications, without authentication there will be no way to determine whether the specific client has authorized access. For example, to access an e-mail ID information, a user needs to verify his credentials every time he/she logs in. This is required to protect his/her data and information. If there is no authentication used, any user can access this information. Mostly, static applications are created without authentication and we do not come to know who is accessing these applications.
Authentication is a process to secure the application on private and public networks from unrestricted users. It allows specific pools of users to the application to keep a log of users who are accessing the application. The authentication is mostly done via user credentials. Authentication validates who you are and authorization verifies what you are authorized to see or to do within the application.
The following are the steps that show what authentication can do:
- A server-side authentication is used by the server in order to know who is accessing the application from the server.
- On the client side, authentication is used by the client to know that the server is actually the system that it claims to be.
- In order to get access to the application, the user or computer needs to substantiate its identity to the server and client.
- Mostly, the user uses a username and password to authenticate to the server or client, but users can also authenticate through cards, voice recognition, fingerprints, and retina scans.
- In client-side authentication, usually, the server provides the certificate to the client. The certificate states that the server belongs to the application and the client expects it.
- Authentication will not govern what the user can do or see. Authentication only identifies and verifies who the user or system is in order to allow the user into the application.
Authentication and authorization are important for all secure applications. There is an exception whenever the application is a single-page application (SPA). In an SPA type of application, we will not expose all the data and functions to all users. We will show the data and application functionality depending on the user's authorization. The users need to authenticate themselves in order to perform actions in the application and see certain parts of it. By logging in or out of the SPA application, the SPA application communicates with the server through Ajax. The server identifies the user or computer to determine the authentication endpoint. From the SPA, we will send the credentials to the endpoint for verification. The endpoint will return with the access token or object containing the name and role of the logged in user after validation in order to display the information specific to that role and name of the client. In order to use the token or object multiple times, it is better to store it on the client.
The following figure shows the implementation of authentication using AngularJS:
The most common authentication used in an SPA is to use a username and password. We need to send the username and password to the server from the client in order to authenticate the user on the server. The following view is used to send the user credentials for authentication:
<form name ="userLoginPage" ng-controller="ctrlLogin" ng- submit="login(userCredentials)" > <label for="userName"> User Name: </label> <input type="text" id="userName" ng- model="userCredentials.username"> <label for="Password"> Password: </label> <input type="text" id="Password" ng- model="userCredentials.password"> <button type="submit">Submit</button> </form>
In the preceding code, we used an AngularJS form and the ng-submit directive to execute a scope function on submit. We are using userCredentials as a parameter in order to avoid coupling between the function and its adjoining scope.
The corresponding controller is shown as follows:
var app = angular.model('myApp',[]);
app.controller('CtrlLogin', function ($scope, $rootScope,
AUTH_EVENTS, AuthService) {
$scope.userCredentials = {
username: '',
password: ''
};
$scope.login = function (userCredentials) {
AuthService.login(userCredentials).then(function (user) {
$rootScope.$broadcast(AUTH_EVENTS.loginSuccess);
$scope.setCurrentUser(user);
}, function () {
$rootScope.$broadcast(AUTH_EVENTS.loginFailed);
});
};
});It is noticeable in the preceding code that there is no logic. This is done intentionally to decouple the form from the actual authentication logic. It is best practice to keep the logic separate from the controllers by using AngularJS services. AngularJS controllers should only mange the $scope object and not do any heavy lifting. User authentication will distress the state of the whole application and because of this, we used $broadcast in the previous code to communicate the changes in the user session.
It is a good approach to define available event codes in the constant, as shown in following code:
app.constant('AUTH_EVENTS', {
loginSuccess: 'auth-login-success',
loginFailed: 'auth-login-failed',
logoutSuccess: 'auth-logout-success',
sessionTimeout: 'auth-session-timeout',
notAuthenticated: 'auth-not-authenticated',
notAuthorized: 'auth-not-authorized'
});The good thing about AngularJS constants is that they can be injected like a service. It is easy to rename them later without changing other files. We also used AngularJS constants for a user's role, as shown in the following code:
app.constant('USER_ROLES', {
all: '*',
admin: 'admin',
editor: 'editor',
guest: 'guest'
});Some users would like to save their credentials on their computers instead of entering their username and password every time they access the application. The preceding code will not work for this purpose because it is hard to handle an AngularJS form to manage the credentials. There are two problems; first, credentials are never stored when we submit the AngularJS form because form submission is not detected. Second, in AngularJS, credentials will not be picked up from auto filled controls. These problems can be avoided using the iframe and timeout function.
The following code shows the login with iframe:
<iframe src="loginSink.html" name="mysink"
style="display:none"></iframe>
<form name="userLoginPage"
action="loginSink.html" target="mysink" method="post"
ng-controller="CtrlLogin"
ng-submit="login(userCredentials)"
novalidate form-autofill-fix>
<label for="username">Username:</label>
<input type="text" id="username"
ng-model=" userCredentials.username">
<label for="password">Password:</label>
<input type="password" id="password"
ng-model=" userCredentials.password">
<button type="submit">Login</button>
</form>In the preceding code, we added an <iframe> tag and added the action, target, and method attribute HTML <form> elements. In this way, the form will be posted to loginskin.html in the iframe tag instead of calling the form with ng-submit. Using this technique, a browser's normal form processing logic will boost up without traversing to loginskin.html. This will recognize this as a regular form and save the credentials on the keychain. Now, users will be able to store their credentials on their computers.