67

First off, I'm no pro.

In my quest to become a better developer I am trying to understand what is needed and how to accomplish creating a sign-up/login for an Ionic-Framework app.

Most of the single-page-applications (SPAs) handle authentication on a node server that is also serving up the HTML for the client. In my case the phone itself will be serving up the HTML so I am guessing I may be going up against some CORs issues.

I understand that the Ionic-Framework uses states and based angular-client-side-auth repo I should be authenticating whenever I am changing states in my app.

I have an initial app setup but now I am kind of confused where to go from here.

The tools I have at my disposal:

  • Node.JS Server -Thanks DigitalOcean (Should I be using this as a proxy to my DB?)
  • CouchDB server (Full stack here we come)

Questions of mine:

  1. What is the standard approach for authenticating when using hybrid apps?
  2. Should I be using Node.JS as a proxy to the database?
  3. Should I skip node.js and authenticate directly with the CouchDB server? (I've heard of this)
  4. Am I going about this all the wrong way?
  5. What are my potential road-blocks?
  6. How does CORS work with hybrid applications?
  7. Anything I'm missing?

Thanks for helping me become a better developer.

TyMayn
  • 1,936
  • 2
  • 18
  • 23

2 Answers2

46

nathvarun gave a very complete answer, but I'd like to share the steps I do for authentication in my app.

  1. Send email + password via ajax to the server
  2. Generate a token in the server and send it back to the app
  3. Store email + token in localStorage
  4. For every single request I make to the server I send email + token via POST
  5. In the server I verify authenticity of that user with that token, if true the method is executed, if false I send back to the app an error (401)
  6. If app receives success, then it's ok, if receives error I redirect to login screen.

Nice thing is that when the app is open, you can get the email + token from localStorage, send to the server, if that token is ok for that user, redirect to main screen, otherwise redirect to login. Then whenever user clears the cache of the app, he is redirected to login screen.

Lucas Garcia
  • 917
  • 7
  • 15
  • 1
    Thanks @Lucas. Just what I was looking for. – Beto Aveiga Nov 11 '15 at 18:29
  • @LucasGarcia, I found your answer interesting, I have some questions to ask. How you create a token? Do you saved the created token to the database? Do you encrypt or hash the email before storing in localStorage? – c.k Jul 01 '16 at 04:08
  • 1
    @c.k My backend is in Rails, I generate a hex code in the model and stored it to the database, but I change on every request the user makes. And the email is not encrypted in localStorage, but this is probably security weakness – Lucas Garcia Jul 01 '16 at 15:11
1

I actually needed something like that for a few apps I'm working on. I spent quite some time investigating this and was able to achieve that.

I'm pretty happy with the result, in addition to email/password authentication I've added some social authentication which works in the same way.

  1. open url on client side with the provider's (facebook/twitter/instagram) url for login
  2. the user logs in and is redirected to the server's callback url (my server is written in nodejs)
  3. once I've got the access token from the provider. I save this token and then create a token for the client to reuse every time the user wants to access a protected ressource.

Download the apk and test it.

If this is what you're looking for you can checkout both the client side code at : https://github.com/malikov/Authenticate.me-client-cordova-ionic

And the server side code at : https://github.com/malikov/Authenticate.me-Node-Server

malikov
  • 41
  • 3
  • 1
    Are you still doing it like this? What do you mean in step 3, when you say you save the token and then create a token for the client to reuse? – Mukus Aug 06 '15 at 04:49