
I am working on my first app, and have started with the front-end and angularjs. In general I have found it very intuitive, but the relationship between backend and frontend is where things start to blur for me.

I have now gotten to the point where I want to provide slightly different functionality on some pages depending on whether the user is authenticated or not (in this case the ability to edit some form fields in a form).

From the public angularjs side it seems easy enough to write a basic if statement to provide different functionality to authenticated users (see basic attempt below), but as this is a client-side function, how do I prevent a user spoofing authentication to edit things I don't want them to (save to database)?

angular.module('core').controller('myCtrl', ['$scope', 'Authentication', 'Menus',
    function($scope, Authentication, Menus) {
        $scope.authentication = Authentication;

        if (typeof $scope.authentication.user == "object") {
            // behaviour for authenticated
        } else {
            // for unauthenticated
        }
    }
]);

I am new to mean, meanjs and node.js in general, being primarily a php guy, so please be gentle if my question is way off base.

Authentication should be implemented on the server. Every action is checked on the server and, if unauthorized, status 401 is returned. So it doesn't matter what the user tweaks on the client; you don't care, because every request is verified on the server. Commented Nov 17, 2014 at 8:08

1 Answer

I suggest using passport, an npm module for user authentication. Here's some code to get you started. Also take a look at this scotch.io tutorial.

// load all the things we need
var LocalStrategy = require('passport-local').Strategy;

// load up the user model
var User = require('../app/models/user');

// expose this function to our app using module.exports
module.exports = function(passport) {

    // used to serialize the user for the session
    passport.serializeUser(function(user, done) {
        done(null, user.id);
    });

    // used to deserialize the user
    passport.deserializeUser(function(id, done) {
        User.findById(id, function(err, user) {
            done(err, user);
        });
    });

    passport.use('local-signup', new LocalStrategy({
        usernameField : 'email',
        passwordField : 'password',
        passReqToCallback : true // allows us to pass back the entire request to the callback
    },
    function(req, email, password, done) {

        // asynchronous
        // User.findOne wont fire unless data is sent back
        process.nextTick(function() {

            // find a user whose email is the same as the forms email
            // we are checking to see if the user trying to login already exists
            User.findOne({ 'local.email' : email }, function(err, user) {
                // if there are any errors, return the error
                if (err)
                    return done(err);

                // check to see if theres already a user with that email
                // (req.flash comes from the connect-flash middleware)
                if (user) {
                    return done(null, false, req.flash('signupMessage', 'That email is already taken.'));
                } else {

                    // if there is no user with that email
                    // create the user
                    var newUser = new User();

                    // set the user's local credentials
                    newUser.local.email = email;
                    newUser.local.password = newUser.generateHash(password);

                    // save the user; hand any error to passport instead of
                    // throwing inside the async callback, which would crash the process
                    newUser.save(function(err) {
                        if (err)
                            return done(err);
                        return done(null, newUser);
                    });
                }
            });
        });
    }));

    passport.use('local-login', new LocalStrategy({
        // by default, local strategy uses username and password, we will override with email
        usernameField : 'email',
        passwordField : 'password',
        passReqToCallback : true // allows us to pass back the entire request to the callback
    },
    function(req, email, password, done) { // callback with email and password from our form

        // find a user whose email is the same as the forms email
        // we are checking to see if the user trying to login already exists
        User.findOne({ 'local.email' : email }, function(err, user) {
            // if there are any errors, return the error before anything else
            if (err)
                return done(err);

            // if the user is not found or the password is wrong
            if (!user || !user.validPassword(password))
                return done(null, false, req.flash('loginMessage', 'Oops! Wrong username or password.')); // create the loginMessage and save it to session as flashdata

            // all is well, return successful user
            return done(null, user);
        });
    }));

};
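The passport setup above only establishes who the user is; what actually stops a spoofed client is the check on every request that the comment describes. The following is an added example (not code from the question, the answer or MEAN.JS) of that server-side enforcement: an Express-style middleware that answers 401 when there is no session, an ownership check that answers 403, and a whitelist of fields the server will accept, exercised with constructed req/res objects so it runs without Express or passport. The names `requireLogin`, `updateArticle`, `run`, `demo` and the field list are assumptions for the example.

```javascript
// Express-style middleware (assumed shape: (req, res, next)); passport adds
// req.isAuthenticated() to every request once passport.session() is mounted.
function requireLogin(req, res, next) {
  if (typeof req.isAuthenticated === 'function' && req.isAuthenticated()) return next();
  // No valid session: whatever the client-side 'authenticated' flag says is irrelevant.
  return res.status(401).json({ message: 'User is not logged in' });
}

// Fields the server is willing to accept from the client. Anything else in
// req.body (for example an 'author' field) is discarded.
const EDITABLE_FIELDS = ['title', 'content'];

// Route handler factory; 'store' stands in for the database (constructed).
function updateArticle(store) {
  return function (req, res) {
    const article = store[req.params.id];
    if (!article) return res.status(404).json({ message: 'Article not found' });
    // Ownership is decided by the server-side session user, never by the request body.
    if (String(article.author) !== String(req.user.id)) {
      return res.status(403).json({ message: 'User is not authorized' });
    }
    for (const field of EDITABLE_FIELDS) {
      if (field in req.body) article[field] = req.body[field];
    }
    return res.status(200).json(article);
  };
}

// Minimal fake req/res chain so the handlers can be exercised without Express.
function run(handlers, req) {
  const res = {
    code: 200, body: null,
    status(c) { this.code = c; return this; },
    json(b) { this.body = b; return this; },
  };
  let i = 0;
  function next() { const h = handlers[i++]; if (h) h(req, res, next); }
  next();
  return res;
}

// Three constructed requests against one article owned by user 'u1'.
function demo() {
  const store = { a1: { author: 'u1', title: 'old', content: 'text' } };
  const chain = [requireLogin, updateArticle(store)];
  const anon = run(chain, { isAuthenticated: () => false, params: { id: 'a1' }, body: { title: 'x' } });
  const other = run(chain, { isAuthenticated: () => true, user: { id: 'u2' }, params: { id: 'a1' }, body: { title: 'x' } });
  const owner = run(chain, { isAuthenticated: () => true, user: { id: 'u1' }, params: { id: 'a1' }, body: { title: 'new', author: 'u2' } });
  return { anon: anon.code, other: other.code, owner: owner.code, article: store.a1 };
}
```

In a real MEAN.JS app the same two functions would be mounted on the route, e.g. `app.put('/articles/:id', requireLogin, updateArticle(db))`, so the Angular `if` only affects what is displayed, not what is saved.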