admin管理员组文章数量:1391982
With BoilerplateJS setup, what is the remended way to handle authorization and authentication?
Obviously on the server-side you'd check cookies etc to know who's logged in. But, on the client, how would you know if a user is logged in and what their username etc are?
With BoilerplateJS setup, what is the remended way to handle authorization and authentication?
Obviously on the server-side you'd check cookies etc to know who's logged in. But, on the client, how would you know if a user is logged in and what their username etc are?
Share Improve this question edited Sep 24, 2012 at 5:52 Hasith 1,76720 silver badges26 bronze badges asked Sep 22, 2012 at 16:13 georgiosdgeorgiosd 3,0594 gold badges41 silver badges51 bronze badges 2- If you are using cookies on the server side, why don't you use them on the client side? – Manuel Leuenberger Commented Sep 22, 2012 at 19:33
- If I understand ASP .NET Forms Authentication correctly, the cookie is encrypted - having code on the client that decrypts the cookie would make the application vulnerable. – georgiosd Commented Sep 23, 2012 at 9:43
1 Answer
Reset to default 6I will share how this was done in one of the projects that used BoilerplateJS. On this project we used OAuth 2.0 for authentication.
We had a separate login page which was NOT using BoilerplateJS OR plex JS. The reason to keep it separate is that authentication may depend on URL redirection, which is not handled best with JS.
Once user is correctly authenticated, we receive the auth_token of the server session and store it as a JS variable. We used 'settings' of global Boiler.Context to store this token. Since settings are inherited to child contexts, we were able to access it from any where.
For authorization purposes, then we then downloaded a simple ACL for the logged user that contains the authorized access keys. These keys were just for client validations to show/hide controls. Real authorization was performed on backend services.
We wanted the BoilerplateJS ponents to be fully self contained including authentication of it. Therefore if a particular ponent's viewmodel receive an unauthorized 401 HTTP response from server (either not logged-in OR or session expiry) we rendered ponent differently there, without redirecting user to the login page.
Since we did not redirect, user was able to make use of other information on the page even the BoilerplateJS ponent was not actively displaying it's content. We had a rendered some error information on the ponent with a link to re-login.
Handling of this was done via a generic error handler we created. From ponent.js, we pass a error callback function to our viewmodel (you may have this on context itself too). This callback function is used by the viewmodel to notify any error occurred within it. In the case of 401 HTTP code, this handler is invoked asking ponent.js to render UI with error information and a link to re-login.
User clicks on the re-login URL to get back to the login page. This URL contains a back reference to the originated URL, such that user is able to get to the page where he was after authentication.
本文标签: javascriptBoilerplateJS recommended way to handle authorization and authenticationStack Overflow
版权声明:本文标题:javascript - BoilerplateJS: recommended way to handle authorization and authentication - Stack Overflow 内容由网友自发贡献,该文观点仅代表作者本人, 转载请联系作者并注明出处:http://www.betaflare.com/web/1744742641a2622699.html, 本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌抄袭侵权/违法违规的内容,一经查实,本站将立刻删除。
发表评论