javascript - Angular 2 authenticate state


I've implemented a login page using Angular 2. After login, I get a JSON web token, user id, user role and username from the server. I'm storing this info in localStorage so I can access it at any time and maintain the login state if the user refreshes the page.

authservice.ts

    import { Injectable } from "@angular/core";

    @Injectable()
    export class AuthService {
      redirectUrl: string;

      logout() {
        localStorage.clear();
      }

      // login state is inferred purely from the presence of a token in localStorage
      isLoggedIn() {
        return localStorage.getItem('token') !== null;
      }

      // role is read back from localStorage, which the client can edit
      isAdmin() {
        return localStorage.getItem('role') === 'admin';
      }

      isUser() {
        return localStorage.getItem('role') === 'user';
      }
    }

To check the login status, I'm checking if the token exists in localStorage. But localStorage is editable, so adding a token to localStorage bypasses the login page. Similarly, if the client edits the user role in localStorage, the client can access admin or user pages.

How do I solve these problems?

This is a more general problem: I want to know how websites maintain login status.

P.S. NodeJS server-side login code that generates the JSON web token:

    const jwt = require('jsonwebtoken');
    const User = require('../models/user');

    /**
     * POST /login
     * Sign in using username and password
     */
    exports.postLogin = (req, res, next) => {
      User.findOne({ username: req.body.username })
        .then(user => {
          if (!user) {
            res.status(401);
            throw new Error('Invalid username');
          }
          return user.comparePassword(req.body.password)
            .then(isMatch => {
              if (isMatch !== true) {
                res.status(401);
                throw new Error('Invalid password');
              }
              // note: this signs the whole user document (including any password hash)
              // into the token payload; JWT payloads are only encoded, not encrypted
              const token = jwt.sign({ user: user }, process.env.JWT_SECRET, {
                expiresIn: process.env.JWT_TIMEOUT
              });
              return res.status(200).json({
                success: true,
                token: token,
                userId: user._id,
                role: user.role,
                name: user.name
              });
            });
        })
        .catch(err => next(err));
    };

Thanks.

1) Tokens are supposed to be unique and hard to type (as they are of big length). Also, they should be refreshed frequently. Better read the OAuth docs on this.

2) Roles should not be stored on the client side. Check them on the server. Also, when using OAuth consider using scopes.
