Authentication for users on a Single Page App?

javascript authentication backbone.js javascriptmvc single-page-application
John Haldson picture John Haldson · Sep 19, 2012 · Viewed 12.3k times · Source

I have developed a single page app prototype that is using Backbone on the front end and going to consume from a thin RESTful API on the server for it's data.

Coming from heavy server side application development (php and python), I have really enjoyed the new different design approach with a thick client side MVC but am confused on how best to restrict the app to authenticated users who log in.

I prefer to have the app itself behind a login and would also like to implement other types of logins eventually (openid, fb connect, etc) in addition to the site's native login. I am unclear how this is done and have been searching - however unsuccessful in finding information that made it clear to me.

In the big picture, what is the current best practice for registering users and requiring them to login to use your single page app?

Once a user is logged in, how are the api requests authenticated? Can I store a session but how do I detect for this session in the API calls or is there a token I have to pass in every single API call? Any answers to this would be much appreciated!

Answer

Betty picture Betty · Nov 6, 2013

The most RESTful way I have seen is based on the OAuth client credentials flow, basically a /token endpoint that you post username/password to which returns an access token for this session. Every ajax request after that appends an Authorization bearer header with the token. You can store the token in a global variable to just keep it around until the page is refreshed/closed, use local storage to keep users logged in between sessions, or javascript cookies. If you don't like the idea of tokens then you can just use the old cookie approach which is automatically send with any ajax request anyway.

As for facebook/google etc I normally follow the stackoverflow approach where I associate external userlogins to an account. Then use a fairly normal server based oauth dance (although you can replace all requests to the server with ajax requests with slight modifications, I just find it doesn't really make much difference as you need redirects between you and the server anyway). I normally issue an encrypted cookie for a facebook login, which I then convert into a token using a similar method as above (just send the cookie with the request instead of username/password).

Related questions

Use basic authentication with jQuery and Ajax

I am trying to create a basic authentication through the browser, but I can't really get there. If this script won't be here the browser authentication will take over, but I want to tell the browser that the user is …

Read More
How do I remove documents using Node.js Mongoose?

FBFriendModel.find({ id: 333 }, function (err, docs) { docs.remove(); //Remove all the documents that match! }); The above doesn't seem to work. The records are still there. Can someone fix?

Read More
AngularJS: Basic example to use authentication in Single Page Application

I am new to AngularJS and gone through their tutorial and got a feel for it. I have a backend for my project ready where each of the REST endpoints needs to be authenticated. What I want to do a.) …

Read More