I have an Angular2 application and a NodeJS server. I got stuck on implementing logout.
If I simply use req.session.destroy(), it does not have any effect on the Angular2 side. Angular2 still thinks that the user is logged in (because when I call a method which returns data about the logged-in user, it still returns it, even though it needs req.session.user to return this data).
I saw some solutions for this problem, but all of them used localStorage (saving the user in localStorage and then deleting it after clicking logout).
Is there any other more efficient way to tell Angular2 from NodeJS that the user has logged out and that the session has ended?
If you use a web token for user validation, for instance, then it should be possible to reset the token to null once the user has logged out.
You could have a look at User Authentication using JWT for ideas on implementation
Hey everyone, I'm trying to figure out how I can disable and log out a user correctly.
After researching I found out that this is the way we disable the user:
// firebase-admin: mark the account as disabled so it cannot sign in again
const user = await admin.auth().updateUser(userUid, {
  disabled: true,
});
But the question I have is, what if the user is still logged in to the app? I tried it out and nothing happened; the user can still use the app after disabling him. So what can we do about that? I was thinking about logging the user out with a Firebase function. My app is written in Flutter; the backend is Firebase.
Being signed in to Firebase is based on an ID token. By default, such a token is valid for an hour from the moment it was minted, and the token itself cannot be invalidated during that time.
The user will remain authenticated (for up to an hour) until their ID token needs to be refreshed. At that point they'll be logged out and won't be able to log in again.
If you want to block their access before that ID token refresh, you will need to do that through some other mechanism, for example by keeping a list of disabled UIDs and checking against that.
I recommend checking out the Firebase documentation on managing user sessions, specifically the section on detecting ID token revocation.
This topic has been covered before, so I recommend checking out:
Firebase Authentication State Change does not fire when user is disabled or deleted
Why firebase user still signed in after I deleted it from firebase dashboard
Deleted user has access to Firebase Firestore
And other questions on [firebase-authentication] disabled or deleted user still being signed in
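An added example, not part of the answer above, of the "other mechanism" it suggests: an Express-style middleware for a Node backend that verifies the caller's ID token and then checks the UID against an application-maintained set of disabled accounts, so a disabled user is refused before the hourly token refresh would have signed them out. In production the verifier is firebase-admin's `admin.auth().verifyIdToken(idToken, true)` (the second argument is `checkRevoked`); here it is injected so the block runs offline against a constructed stub. The `disabledUids` set, the `idtoken-for-<uid>` token shape and the `simulate` helper are assumptions for the example.

```javascript
// Express-style middleware factory. In production pass
//   verifyIdToken: (t, checkRevoked) => admin.auth().verifyIdToken(t, checkRevoked)
// from firebase-admin. `disabledUids` is hypothetical: a set mirrored from your
// own database of accounts you disabled with updateUser({ disabled: true }).
function makeAuthMiddleware({ verifyIdToken, disabledUids }) {
  return async function requireActiveUser(req, res, next) {
    const header = req.headers.authorization || '';
    const [scheme, idToken] = header.split(' ');
    if (scheme !== 'Bearer' || !idToken) {
      return res.status(401).json({ error: 'missing bearer token' });
    }
    let decoded;
    try {
      // checkRevoked=true adds a lookup but also rejects tokens minted before
      // admin.auth().revokeRefreshTokens(uid) was called for this user.
      decoded = await verifyIdToken(idToken, true);
    } catch (err) {
      return res.status(401).json({ error: 'invalid or revoked token' });
    }
    // The ID token itself stays valid for up to an hour after the account is
    // disabled; this application-level list is what closes that window.
    if (disabledUids.has(decoded.uid)) {
      return res.status(403).json({ error: 'account disabled' });
    }
    req.user = decoded;
    return next();
  };
}

// ---- offline harness (constructed for the example) -------------------------
// Stand-in for firebase-admin: "idtoken-for-<uid>" is accepted, anything else
// is rejected the way a bad signature or a revoked token would be.
async function stubVerifyIdToken(idToken, checkRevoked) {
  const m = /^idtoken-for-([a-z0-9]+)$/.exec(idToken);
  if (!m) throw new Error('auth/argument-error');
  return { uid: m[1], revocationChecked: checkRevoked };
}

function fakeRes() {
  const res = { statusCode: 200, body: null };
  res.status = (code) => { res.statusCode = code; return res; };
  res.json = (body) => { res.body = body; return res; };
  return res;
}

const disabledUids = new Set(['bob']); // bob was disabled via updateUser()
const requireActiveUser = makeAuthMiddleware({
  verifyIdToken: stubVerifyIdToken,
  disabledUids,
});

// Runs one request through the middleware and reports what the route saw.
async function simulate(authorizationHeader) {
  const req = { headers: { authorization: authorizationHeader } };
  const res = fakeRes();
  let reachedRoute = false;
  await requireActiveUser(req, res, () => { reachedRoute = true; });
  return {
    status: res.statusCode,
    reachedRoute,
    uid: req.user ? req.user.uid : null,
    revocationChecked: req.user ? req.user.revocationChecked : null,
  };
}
```

Cloud Functions or a Firestore security rule cannot use this middleware directly; the same idea there is a lookup of the caller's UID in a `disabledUsers` collection before serving data.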
Currently I'm working with:
Django REST Framework
Angular 5
RxJS +
OAuth2
On the paths of all components except the LoginComponent I have an AuthGuard, where I check whether the token and the user data are present in the localStorage of the browser.
If the data is available I return true. But as soon as the token expires, I can't do anything with the user.
If I get a 401 code in the service, I can't even redirect the user to the login page since I can't use the router in service.
Basically I am wondering how, when and where to update the token in my web app?
Kindly give some knowledge on how to work with tokens. Also, it would be helpful if a code example were provided.
Your question is too broad, and opinion-based. But if you want a third-party point of view, here are my two cents:
Storing the Token
Depending on your application, you have several ways of storing a Token.
LocalStorage
The first solution, the one you used, is storing it in the local storage. This way, the Token will remain on the device as long as you (or the user) don't delete it.
Session storage
The session storage will behave the same as local storage, except that the token will be deleted once the user closes his session.
Service storage
Last option: storing it in a service. Your token will remain as long as your user stays in the scope of Angular (meaning he doesn't reload or change tab).
How to choose?
Depends on your application. If you make an application involving high risks after login, then you should consider using the session storage, so that the user gets "removed" as soon as he leaves the page. For a casual application, stay with the local storage. And if you REALLY want to lock your application up, use the service storage.
When to store the Token
Seems obvious, but you should store it when the user logs in.
Update the Token
You should not have to do that. The Token matches a user, or a user session. The only update you should do is a deletion, not a rewrite.
Where to update the Token
In a service dedicated to Token management. This is the best practice.
More information
You said you had an Auth Guard. This is a good practice. But yes, you can redirect the user from your service. Why wouldn't you? That's the usual way of asking a user to connect! Use the router in your service, really, there's no issue with that.
From my point of view, and what you described, except for the routing in a guard, you're doing it pretty well. The only advice I would give you is to handle an expiration date on your token, if your application has a high-risk profile (and you have to use the session storage).
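An added example, not code from the answer above, putting its three storage options and its closing advice about an expiration date into one token service. The backend is pluggable (`window.localStorage`, `window.sessionStorage`, or the in-memory object that stands in for "service storage"), and the guard asks `hasValidToken()` instead of "is there a token?", so an expired JWT is cleared and the user is redirected before the server has to answer 401. Decoding the `exp` claim on the client is a convenience only; the signature is verified by the Django backend, never here. `STORAGE_KEY`, `makeUnsignedJwt` and the sample claims are constructed for the example; `Buffer` is the Node stand-in for the browser's `atob`/`btoa`.

```javascript
// In-memory backend: the "service storage" option. Lost on reload, by design.
const memoryStore = (() => {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, v); },
    removeItem: (k) => { m.delete(k); },
  };
})();

const STORAGE_KEY = 'access_token'; // assumed key name

function base64UrlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + pad;
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Reads the payload only. This does NOT verify the token; a forged payload
// decodes just as well, which is why the server still checks the signature.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// skewSeconds treats the token as expired slightly early so a request that is
// already in flight does not race the server's own expiry check.
function isExpired(token, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 30) {
  const { exp } = decodeJwtPayload(token);
  if (typeof exp !== 'number') return true; // no exp claim: treat as unusable
  return nowSeconds + skewSeconds >= exp;
}

class TokenService {
  // backend: window.localStorage, window.sessionStorage, or memoryStore
  constructor(backend) { this.backend = backend; }
  save(token) { this.backend.setItem(STORAGE_KEY, token); }
  clear() { this.backend.removeItem(STORAGE_KEY); }
  // What the AuthGuard should call; false means "redirect to login".
  hasValidToken(nowSeconds) {
    const token = this.backend.getItem(STORAGE_KEY);
    if (!token) return false;
    try {
      if (isExpired(token, nowSeconds)) { this.clear(); return false; }
      return true;
    } catch (e) {
      this.clear(); // malformed token: drop it rather than keep retrying
      return false;
    }
  }
}

// Constructed sample token: real base64url JSON header and payload, placeholder
// signature. It would never pass server-side verification.
function makeUnsignedJwt(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.signature-placeholder`;
}
```

Pair this with an `HttpInterceptor` that calls `tokenService.clear()` and `router.navigate(['/login'])` on a 401, for the case where the server rejects a token that still looks fresh on the client.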
The Ionic 3 mobile app I'm currently building allows login with Firebase using both Email/Password and Facebook providers.
Everything's working great, but when the user logs in, in order to have a 'remember me' function that prevents them having to log in every time the app is closed (closing the app fully, or the system kills it), I need to be able to get some sort of token, store it, then use it later to take them straight past the authentication screen.
I've managed this already, but currently I'm storing their email and password, and I know this is a horrible thing to do. (I'm using Ionic Storage.)
Is there a way to get a token that represents a user, and can be used to re-authenticate them?
I know about custom token logins, but they can only be created in NodeJS using the admin SDK. Is there any solution I can run directly on the phone?
Thanks.
I am trying to make an angular app. I am using rails with devise_token_auth in backend. I am trying to setup the angular app with ng-token-auth.
I have read up everything I can find online for the past whole week but still couldn't figure out how to get the user currently signed in.
I understand that auth:login-success event returns a user object.
I understand there is validateUser method which validates if auth token is present and is valid, and it is run on page load.
How do I retrieve the user whose token is present in storage or a cookie on page load or at any other time, kind of similar to current_user in Rails?
There doesn't seem to be any such thing built in to ng-token-auth.
How do I accomplish this?
Is there any flaw in my approach or assumption?
I am learning angular by building an app and am REALLY stuck at this point.
Have you tried storing the user object in ngStorage and then doing calls with the auth token for that user?
I have been doing some research on this topic but can never find anything super relevant. I am looking to create a single page application using Polymer. I am building this around a REST API that requires authentication to view its resources.
I have all the details with API worked out but I can't seem to figure out how to handle a login page. Basically what is the best way to keep a user from seeing content without being logged into the application?
Obviously the REST API won't allow data to return to the client, but how do I go about preventing a user from going into DevTools, changing some boolean values and being able to navigate through all of the pages, receiving 401 errors from all of the Ajax requests trying to fire?
I appreciate any help that I can get! Thanks!
You can't prevent users from changing stuff in DevTools. Just ensure on the server that the user doesn't get data or isn't able to pass data without being authenticated.
Issue a token when the user passes username and password and on the server allow only what the user assigned to this token is allowed to do.
See for example https://stormpath.com/blog/build-secure-user-interfaces-using-jwts/