Show HN: Secure token authentication for Angular.js and Rails

24 points by lynndylanhurley ↗ HN
Angular module: https://github.com/lynndylanhurley/ng-token-auth

Rails gem: https://github.com/lynndylanhurley/devise_token_auth

I've been working hard to make this the most simple, flexible, and secure token auth system in existence. I believe that I'm close to succeeding. I'd love to hear your thoughts on what I can do to improve what I have so far.

8 comments

[ 0.23 ms ] story [ 28.4 ms ] thread
Some questions that I have:

Is the documentation clear?

Is there anything that I can do to further simplify anything?

Are the security measures too aggressive? Not aggressive enough?

Well done! I was working on a similar thing but will check this out instead.

I saw that you are planning on providing examples. It would be very nice with an example of a rails app with the angular app integrated.

Thanks! I will be launching an example application within the next day or so. I'll post a link in the readme once it's live.
This gem & module look really well thought out and well designed. Security is impressive and well designed given the tradeoffs that are associated with it (ease of use versus time to implement). I look forward to integrating this into my app.
Oh man, I wish this was around about a year ago. I actually coded most of this for a client and it was extremely painful to get correct. We are using the Doorkeeper OAuth2 gem which uses slightly different tokens and has some different features, though.

Couple of things/feature you might want to consider:

* You might want to track the expiration time of the tokens if the API provides it. If the token isn't expired, potentially skip the verification step.

* Potentially you might want to add another HTTP interceptor that catches 401 (Unauthorized) responses. If a response returns a 401, you can prompt the user to re-authenticate and hold all HTTP requests until the user does. Then when there is a new token available, you can replay requests. This, coupled with saving the expiration time, can make page load times faster and still be robust.

* I'd make the HTTP interceptor that adds the Authorization header only add the header if the request URL is going to an API endpoint. The library user should be able to specify a function or regex that takes a URL string and returns true if the URL is an API url (and thus needs an Authorization header). Otherwise you'd include the token on unrelated requests to 3rd parties.

Nice job though, I'll definitely check this out next time I need to do token auth on Angular.

This is all great advice. I've added these items to the issue tracker, and I am going to implement them right away.
Finally someone is doing a token based auth system for rails APIs