I was reading a lot about JWT; however, I'm not sure about the code I wrote.
I have a "Before" filter at the beginning which looks like this:
before("/protected/*", (request, response) -> {
    try {
        // parseJWT throws if the signature or the expiry check fails
        parseJWT(request.headers("X-API-TOKEN"));
    } catch (Exception e) {
        halt(401, "You are not welcome here");
        // don't trust the JWT!
    }
});
And I have a post method to authenticate the user and set the X-API-TOKEN in the response (it is very simple, just for testing; normally I will have the user data in a database):
post("/login", (req, res) -> {
    Gson gson = new Gson();
    User user = gson.fromJson(req.body(), User.class);
    if ((!user.getUsername().equals("foo") ||
         !user.getPassword().equals("bar"))) {
        halt(401, "You are not welcome here");
    }
    String jwt =
        createJWT(UUID.randomUUID().toString(), user.getUsername(), user.getUsername(),
                  15000); // just 15 seconds for test
    res.header("X-API-TOKEN", jwt);
    return ""; // the token travels in the header, so the body can stay empty
});
The createJWT and parseJWT methods have been taken from this tutorial: How to Create and Verify JWTs in Java
Login page:
<form ng-submit="submit()">
    <input ng-model="user.username" type="text" name="user" placeholder="Username" />
    <input ng-model="user.password" type="password" name="pass" placeholder="Password" />
    <input type="submit" value="Login" />
</form>
and my controller for authentication:
myModule.controller('UserCtrl', function ($scope, $http, $window) {
    $scope.submit = function () {
        $http
            .post('/login', $scope.user)
            .success(function (data, status, headers, config) {
                $window.sessionStorage.token = headers('X-API-TOKEN');
                $scope.message = 'Welcome protected';
            })
            .error(function (data, status, headers, config) {
                // Erase the token if the user fails to log in
                delete $window.sessionStorage.token;
                // Handle login errors here
                $scope.message = 'Error: Invalid user or password';
                $window.location.href = '#/auth';
            });
    };
});
Now every time I access the protected site I need to add the X-API-TOKEN header to each HTTP call. I guess I did something wrong, because I have read that it should be added to every request, so in the Angular call I have added:
var config = {
    headers: {
        'X-API-TOKEN': $window.sessionStorage.token
    }
};
$http.get("/protected/elo", config)
    .success(function (response) { $scope.message = response; })
    .error(function (data, status, headers, config) {
        // Erase the token if the user fails to log in
        delete $window.sessionStorage.token;
        // Handle login errors here
        $scope.message = 'Error: Invalid user or password';
        $window.location.href = '#/auth';
    });
I have two questions:
1. How do I add X-API-TOKEN automatically to all requests?
2. If I turn on SSL, is my code safe enough?
You can use $http.defaults.headers.common to add a header to every request. See the Angular documentation. That should be configured after a successful login.
You can also store the token in a cookie to implement "remember me" functionality.
If you turn on SSL then this should be safe enough for most uses. You can still add more security checks on the server, like checking the IP address (remember that some users have dynamic IP numbers).
I also recommend the egghead.io course on using JWT with Angular.
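As an added example (not the asker's or the answerer's code), here is the interceptor alternative to the $http.defaults.headers.common setting the answer names: it adds the X-API-TOKEN header to every request from the token the login controller stored in sessionStorage, and clears that token on a 401 reply (for instance when the 15 second JWT from the question has expired). It assumes the app module is registered under the name myModule; the factory takes $q and $window as plain parameters so the logic can also be exercised outside Angular with stand-in objects.

```javascript
// Added example: AngularJS 1.x $http interceptor for the X-API-TOKEN header.
var TOKEN_HEADER = 'X-API-TOKEN';

function makeTokenInterceptor($q, $window) {
    return {
        // Runs before each request: copy the stored token into the header
        // unless the caller already set one explicitly.
        request: function (config) {
            var token = $window.sessionStorage.token;
            config.headers = config.headers || {};
            if (token && !config.headers[TOKEN_HEADER]) {
                config.headers[TOKEN_HEADER] = token;
            }
            return config;
        },
        // Runs on error replies: a 401 means the server rejected the JWT
        // (bad signature or expired), so forget it and go back to login.
        // Other errors leave the token alone.
        responseError: function (rejection) {
            if (rejection.status === 401) {
                delete $window.sessionStorage.token;
                $window.location.href = '#/auth';
            }
            return $q.reject(rejection);
        }
    };
}

// Register the interceptor when running inside the Angular app
// (assumed module name: myModule). Guarded so the file also loads without Angular.
if (typeof angular !== 'undefined') {
    angular.module('myModule')
        .factory('tokenInterceptor', ['$q', '$window', makeTokenInterceptor])
        .config(['$httpProvider', function ($httpProvider) {
            $httpProvider.interceptors.push('tokenInterceptor');
        }]);
}
```

With the interceptor registered, the per-call config object from the question is no longer needed; $http.get("/protected/elo") alone carries the header.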