Restful Authentication

System with AngularJS &

NodeJS

Hüseyin BABAL

Full Stack DeveloperPHP, JAVA, NodeJS developer.

Building highly scalable, realtime systems.

Web Development mentor.

Entrepreneur.

NodeJS trainer.

GDG conference speaker

@huseyinb

abal

@huseyinba

bal

http://huseyinbab

al.net

http://app.yoursite.comhttp://app.yoursite.com

POST /signin

username=.....&password=......

HTTP 200

Set-Cookie: session=.......

POST /user/me

Cookie: session=.......

HTTP 200

{name: john, surname: doe, …..}

Boss: I want native mobile and desktop version

of our current web application

Developer: We need to develop new services

for specific clients.

Boss: What about cost? You need to find

another solution better

Developer: ???

Andr

oid

Window

s 8

iOS

Desktop

App

My App I need to develop client

independent system...

http://api.yoursite.comhttp://app.yoursite.com

POST /signin

username=.....&password=......

HTTP 200

token: JWT (Bearer Token)

POST /user/me

Authorization: Bearer JWT(Bearer

Token)HTTP 200

{name: john, surname: doe, …..}

Wait! What is

Bearer Token?

JWT

Powerful token format used in HTTP headers in

order to make some endpoint secure.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJz

dWIiOjEyMzQ1Njc4OTAsIm5hbWUiOiJKb2huI

ERvZSIsImFkbWluIjp0cnVlfQ.eoaDVGTClRdfx

UZXiPs3f8FmJDkDE_VCQFXqKxpLsts

JWT

header payload signatur

eb64({

typ: ‘JWT’,

alg: ‘HS256’

})

HMACSHA256(b64(

header) + “.” +

b64(payload),

secret_key)

b64({

name:

“John”,

id:

“123456”,

role:

“admin”

})

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOjEyMzQ1Njc4OTAsIm5h

bWUiOiJKb2huIERvZSIsImFkbWluIjp0cnVlfQ.eoaDVGTClRdfxUZXiPs3f8Fm

JDkDE_VCQFXqKxpLsts

Libraries

Language Library Url

PHP https://github.com/firebase/php-jwt

.NET https://github.com/AzureAD/azure-

activedirectory-identitymodel-extensions-

for-dotnet

Ruby https://github.com/progrium/ruby-jwt

NodeJS https://github.com/auth0/node-

jsonwebtoken

Java https://github.com/auth0/java-jwt

Python https://github.com/progrium/pyjwt/

Architectur

eTime

http://api.yoursite.

com

Mongo

DB

http://app.yoursite.com

POST /signin

username=.....&password=......

HTTP 200

token: JWT (Bearer Token)

POST /user/me

Authorization: Bearer JWT(Bearer

Token)HTTP 200

{name: john, surname: doe, …..}

Check Username and Password, create

token if valid, add to DB

Check token from db whenever a

request comehttp://t1.yoursite.

com

http://tn.yoursite.c

om

……..

(Load

balancer)

Advantages

Client independent

CDN

Zero Coupling

No cookie(session), no csrf

Persistent token store

Available for other languages (JWT token)

Demo

Thank youThank you!