Show HN: Secure token authentication for Angular.js and Rails - lynndylanhurley

Angular module:
https://github.com/lynndylanhurley/ng-token-auth

Rails gem:
https://github.com/lynndylanhurley/devise_token_auth

I've been working hard to make this the most simple, flexible, and secure token auth system in existence. I believe that I'm close to succeeding. I'd love to hear your thoughts on what I can do to improve what I have so far.
======
afiedler
Oh man, I wish this was around about a year ago. I actually coded most of this
for a client and it was extremely painful to get correct. We are using the
Doorkeeper OAuth2 gem which uses slightly different tokens and has some
different features, though.

A couple of things/features you might want to consider:

* You might want to track the expiration time of the tokens if the API provides it. If the token isn't expired, potentially skip the verification step.

* Potentially you might want to add another HTTP interceptor that catches 401 (Unauthorized) responses. If a response returns a 401, you can prompt the user to re-authenticate and hold all HTTP requests until the user does. Then when there is a new token available, you can replay requests. This, coupled with saving the expiration time, can make page load times faster and still be robust.

* I'd make the HTTP interceptor that adds the Authorization header only add the header if the request URL is going to an API endpoint. The library user should be able to specify a function or regex that takes a URL string and returns true if the URL is an API URL (and thus needs an Authorization header). Otherwise you'd include the token on unrelated requests to 3rd parties.

Nice job though, I'll definitely check this out next time I need to do token
auth on Angular.
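The three interceptor ideas above, as an added framework-agnostic sketch in plain JavaScript (not code from ng-token-auth or from this thread): track the expiry so validation can be skipped, attach the Authorization header only to API URLs, and hold requests after a 401 until re-authentication, then replay them. `TokenAuth`, `isApiUrl` and `send` are hypothetical names, and the API's expiry is assumed to be epoch milliseconds.

```javascript
// Hypothetical helper, not part of ng-token-auth. Models the request/response
// interceptor pair described in the comment above.
class TokenAuth {
  // `isApiUrl` is the caller-supplied predicate (function or RegExp) that decides
  // which requests may carry the token; `send` performs the actual HTTP request.
  constructor({ isApiUrl, send }) {
    this.isApiUrl = isApiUrl instanceof RegExp ? (u) => isApiUrl.test(u) : isApiUrl;
    this.send = send;
    this.token = null;
    this.expiry = 0;      // epoch ms, assumed to be reported by the API at login
    this.pending = [];    // requests held while waiting for a fresh token
  }

  setToken(token, expiry) { this.token = token; this.expiry = expiry; }

  // Server-side validation can be skipped while the stored expiry is still in the future.
  needsValidation(now = Date.now()) { return !this.token || this.expiry <= now; }

  // Request interceptor: add the header only for API endpoints, so the token is
  // never sent to third-party hosts (CDNs, analytics, etc.).
  attach(request) {
    if (!this.token || !this.isApiUrl(request.url)) return request;
    const headers = { ...(request.headers || {}), Authorization: `Bearer ${this.token}` };
    return { ...request, headers };
  }

  // Response interceptor: on 401, hold the request instead of surfacing the error.
  // Returns true when the request was queued, false when the response passes through.
  onResponse(request, response) {
    if (response.status !== 401) return false;
    this.token = null;    // the old token is no longer trusted
    this.pending.push(request);
    return true;
  }

  // After the user re-authenticates, replay everything that was held with the new token.
  reauthenticate(token, expiry) {
    this.setToken(token, expiry);
    const queued = this.pending.splice(0);
    return queued.map((req) => this.send(this.attach(req)));
  }
}
```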

~~~
lynndylanhurley
This is all great advice. I've added these items to the issue tracker, and I
am going to implement them right away.

------
lynndylanhurley
Some questions that I have:

Is the documentation clear?

Is there anything that I can do to further simplify anything?

Are the security measures too aggressive? Not aggressive enough?

~~~
evbots
This gem & module look really well thought out and well designed. Security is
impressive and well designed given the tradeoffs that are associated with it
(ease of use versus time to implement). I look forward to integrating this
into my app.

~~~
lynndylanhurley
Ahh thanks!!! _blush_

------
evbots
Finally someone is doing a token-based auth system for Rails APIs