
I have a Single Page Application in AngularJS with API in Ruby on Rails (Grape framework). My authentication system looks like this:

  1. User creates an account and sends the information to the server.
  2. Server saves the user in the database and generates a token with Devise. Token and user information are sent to Angular.
  3. Angular saves the token and user info in storage (angular-storage), and the token is added to every request (Authorization header).
  4. When the user clicks the log out button, storage is cleared and the token is deleted from the database.

My question is: is this secure, or do I need to use something like JWT? Can I send a role name (for example 'moderator') to Angular without encoding it in any way? (Of course the server will always check whether the user with this token is allowed to do something.) I will also implement Doorkeeper in my app in the near future.
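The server side of steps 2 to 4, as an added example in plain Ruby (this is not Devise, Grape or Doorkeeper code; the in-memory store and the `Bearer` scheme are assumptions, and the store stands in for the users table). It keeps only a SHA-256 digest of the token at rest, resolves the role from the stored record instead of trusting a role name sent by the client, and revokes the token on logout:

```ruby
require 'securerandom'
require 'digest'

# Constructed stand-in for the users/tokens table (assumption: not Devise's schema).
class TokenStore
  def initialize
    @by_digest = {} # sha256(token) => { user_id:, role: }
  end

  # Step 2: issue a fresh random bearer token. Only its digest is stored, so a
  # leaked database row does not yield a usable token.
  def issue(user_id, role)
    token = SecureRandom.urlsafe_base64(32)
    @by_digest[digest(token)] = { user_id: user_id, role: role }
    token
  end

  # Step 3: resolve the Authorization header to the stored record, or nil.
  # Looking up by digest avoids comparing the raw secret at all.
  def authenticate(authorization_header)
    return nil if authorization_header.nil?
    scheme, token = authorization_header.split(' ', 2)
    return nil unless scheme == 'Bearer' && token && !token.empty?
    @by_digest[digest(token)]
  end

  # Decide a request from what the database says about the token's owner,
  # never from a role name the client echoes back.
  def authorize(authorization_header, required_role)
    record = authenticate(authorization_header)
    return :unauthorized if record.nil?
    record[:role] == required_role ? :ok : :forbidden
  end

  # Step 4: logout revokes the token server-side; returns true if it existed.
  def revoke(token)
    !@by_digest.delete(digest(token)).nil?
  end

  private

  def digest(token)
    Digest::SHA256.hexdigest(token)
  end
end
```

Sending the role name to Angular for display is then harmless, because every decision is made from the record the token resolves to on the server.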

  • You can't ask "is it secure" in a vacuum. Secure against what? Also, what is the nature of the token? Does it contain some assertions about user privileges? Is there some data that the user should not see? The question as it is stated right now is too broad and imprecise to warrant an answer, in my opinion. – New Dev May 12 '15 at 17:02
  • The token doesn't contain any data; the user can see it. The token is the "key" to the server; without a proper token the user can't make any changes in the database. My question is rather: how could people hack my app? JavaScript is visible to anyone, so I can't hide this token, right? So, can I do something to protect this token more? – dakolech May 12 '15 at 17:34
