my ignorance is shining brightly on this one. I have a Web App that uses the MEAN stack (Mongo, Express, Angularjs, Nodejs) and some of the functionality is lackluster on mobile devices. So I'm developing a mobile version of the app on the Appgyver Supersonic platform. The Appgyver framework is based on an Angularjs front-end.
So I was hoping to just use the same Express/Nodejs server that I have running for the Web App and make queries/requests from the mobile app. Authentication is my current challenge. I assumed that I could send the username and password via a POST request, sign in, and create a new session. I can sign in, but I can't get access to the session cookie connect.sid, so my next request has no session data with it.
TL;DR: I have an Angular app that is on a different server than my Express/Nodejs back-end. I wish to authenticate the Angular app but can't figure out how to access the connect.sid cookie.
Since this never got any traction and I found what I think is a 'workable' solution, I figure I'll answer my own question. If you see that I'm doing something really stupid here, please let me know.
When I login my client to the server, I respond with a session token. I store that same token on the User profile in Mongoose. I store the token on the mobile device using localStorage.
Whenever I send a request to the server I send the token with it, and have the server check whether the token matches the User token. If it does, I grab the User Profile data and assign it to req.user, which then seems to make the back-end operate properly.
Any major security concerns?