How to proceed after successful authentication?

How should I handle authentication in a Rails 4 and AngularJS app?

  • From the level of answers provided by the interwebs, it's apparent that this is still a very gray area. Some posts describe adapting Devise, but it seems to be a convoluted and varying process complicated by the fact that Devise removed token-based authentication due to security concerns (I'd prefer not to use Devise anyway). And this itself is another red flag for developers who aren't web security experts (as very few are). If the top authentication gem's community has these concerns, why should I trust a random blog post's adaptation? It doesn't seem that a standardized and reliable way to handle authentication in SPAs has yet emerged from the community. Most Angular tutorials and demos omit any discussion of authentication. I also researched the same topic for Ember and found the same lack of information. It's like everybody's ignoring the elephant in the room. OAuth is sometimes mentioned, but that's more appropriate for consumer/social apps interacting with third-party services. The typical enterprise/business/SaaS app isn't going to implement a separate authentication server (and that's another evolving area, besides).

  • Answer:

    Authlogic works with Rails 4 now. It's a nice lightweight alternative to Devise. If you authenticate the user on the server, I don't see any reason why this would be less secure than using it in a non-single-page application. I use this strategy in one of my Angular apps. One thing you'll likely need to solve is the concept of a current user on the front end. I use an authService that looks something like the following: https://gist.github.com/jvans1/10119641 The cookie I'm setting there has nothing to do with how the server authenticates the user; it's just a convenient way to store the current user in the browser. Since it's possible for your front end to be "logged in" while the server has the user logged out, whenever a request is made to the server without a logged-in user, respond with a 401. I use an httpInterceptor like this to handle those responses. I didn't write this code but can't remember where I got it from. https://gist.github.com/jvans1/10119587 That should take care of the front-end part of a currentUser, and Authlogic will do the harder authentication work on the backend.

James Vanneman at Quora


Other answers

I don't have a lot of expertise in this, but I just finished off an Angular/Rails project in which I wrote the authentication from scratch. Like you, I was somewhat frustrated by my efforts at searching the Internet for the best way to do it. First I wrote a session/cookies-based authentication from scratch. I believe I may have leaned on a RailsCasts episode as well as a few blog posts for that. Then I made a custom endpoint in the Rails routes so Angular could query the user info if the user is signed in. Signing in through Angular was just like any other REST action, but you need to have the option to pass cookies in Angular: $httpProvider.defaults.withCredentials = true; Then you can sign in/sign up, etc., and Angular passes on the session cookie. I wired Angular to read my current_user endpoint and use that information to decide what the user could see and do using directives. This was a very simple approach, and I'm sure there's a better way to do it with an authentication factory, but I was just experimenting with Angular at this point. The problem with a cookie approach is that if you go across domains (CORS), it becomes a third-party cookie. Some people block these. Firefox is talking about blocking by default. But if you're serving on the same domain, from your Rails server, it's fine. However, I decided to write a public API and serve across domains, so it turned out that cookies weren't a good solution in the end. I ripped out my authentication and started from scratch. This time I decided the best approach was token-based, passing a token in the headers. It wasn't too hard. This will get you started: https://www.codeschool.com/blog/2014/02/03/token-based-authentication-rails/ Just beware, there's a typo in that blog post that could trip you up. I mention it in the comments. Again, asking Angular to send an authentication token in the header is a one-line config.
I don't have the code in front of me now, but hit me up in the comments if you're interested and I can look it up or link the GitHub repo. Also, if you don't want to make your Rails authentication from scratch, I believe someone now has an add-on gem for Devise which brings back the token authentication. Just google devise token gem. I kept has_secure_password in Rails and made it so when a user signs in, a new token is generated. This token can be passed to Angular in JSON with a successful login. Then I had Angular put that http store so it could retrieve it whenever it made an authenticated request. To make things more secure you could set the store to be removed after a certain amount of time as well as have Rails expire the token after a while. To log out, just create a REST action that has Rails set the token to nil. Anyway, that's the general idea. There were lots of dots to connect, and I had a lot of fun exploring Angular. So, I don't know if this answer has told you anything that you couldn't have figured out somewhat easily yourself, but in any case, let me know if you'd like further details.

Benji Dalton
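Both answers come down to the same server-side contract: a credential minted at sign-in, checked on every request, a 401 when it is missing or stale, and a logout that invalidates it. The plain-Ruby sketch below is an added example, not code from either answerer or from the CodeSchool post; it stands in for a Rails model with has_secure_password plus a controller filter (no Rails needed), and the User class, token_from_header and authenticate_request names are assumptions.

```ruby
require "securerandom"
require "digest"

# Constant-time comparison so a token check does not leak how many leading bytes matched
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Constructed stand-in for a Rails User with has_secure_password (password check is stubbed)
class User
  def initialize(email, password)
    @email, @password = email, password
  end

  def authenticate(password)
    constant_time_equal?(@password, password) ? self : nil
  end

  # Sign-in: mint a random token, store only its SHA-256 digest (a leaked DB row
  # then yields nothing usable) and hand the raw token to the client once, in JSON
  def issue_token!(ttl: 3600, now: Time.now)
    raw = SecureRandom.urlsafe_base64(32)
    @token_digest, @token_expires_at = Digest::SHA256.hexdigest(raw), now + ttl
    raw
  end

  # Logout: nil the token so the value still held by the browser stops working
  def revoke_token!
    @token_digest = @token_expires_at = nil
  end

  def token_valid?(raw, now: Time.now)
    return false if @token_digest.nil? || now > @token_expires_at
    constant_time_equal?(@token_digest, Digest::SHA256.hexdigest(raw))
  end
end

# Pulls the token out of the header format ActionController::HttpAuthentication::Token uses:
#   Authorization: Token token="<raw token>"
def token_from_header(header)
  header.to_s[/\AToken\s+token="?([A-Za-z0-9_\-]+)"?\z/, 1]
end

# Returns the user owning a valid, unexpired token, or nil (the controller then responds 401)
def authenticate_request(users, header, now: Time.now)
  raw = token_from_header(header)
  raw && users.find { |u| u.token_valid?(raw, now: now) }
end
```

The expiry window here is the server-side half of the "expire the token after a while" advice; the front end still needs to drop its stored copy and redirect to login whenever it receives the 401.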
