Authentication
Authentication is the process of making sure a user is who they say they are. Usually this is done with a username and password, but it can also be done via an access token, a third-party service such as OAuth or OpenID, or a provider such as Google, Facebook, GitHub, etc.
In miso, the authentication feature has:
- The ability to see if the user has logged in (via a secret value on the server-side session)
- The ability to redirect to a login page if they haven't logged in
You can configure the authentication in /cfg/server.json, and set the authentication attribute on the action that requires it.
For example, in /cfg/server.json, you can set:
```json
"authentication": {
  "enabled": true,
  "all": false,
  "secret": "im-so-miso",
  "strategy": "default",
  "loginUrlPattern": "/login?url=[ORIGINALURL]"
}
```

Where:
- enabled will enable our authentication behaviour
- all sets the default authentication behaviour for all actions; the default is "false", i.e. no authentication required
- secret is the secret value that is set on the session
- loginUrlPattern is a URL pattern where we will substitute "[ORIGINALURL]" for the originally requested URL.
- middleware is the authentication middleware to use, default is "../system/auth_middle"
Now, if you want a particular action to be authenticated, you can override the default (all) value in each of your actions. For example, to require authentication on the index action of your todos app, set:

```js
module.exports.index = {
  ...,
  authenticate: true
};
```

This overrides the default value of the "all" attribute from the server config's authentication section and makes authentication required on this action. If your app is mainly a secure app, you'll want to set the "all" attribute to true and override the "login" and (if you have one) "forgot password" pages so that they do not require authentication, i.e.:
```js
module.exports.index = {
  ...,
  authenticate: false
};
```

In Miso, we have a sample implementation of authentication that uses the flatfiledb api. There are 4 main components in the sample authentication process:
- The authenticate api: /system/api/authenticate handles saving and loading of users, plus checking if the password matches.
- The login mechanism: /mvc/login.js simply allows you to enter a username and password and uses the authentication api to log you in.
- User management: /mvc/users.js uses the authentication api to add a user with an encrypted password.
- Authentication middleware: /system/auth_middle.js applies authentication on the server for actions. This is a core part of how miso does authentication: it simply checks whether the secret is set on the session, and redirects to the configured "loginUrlPattern" URL if it doesn't match the secret.
Ideally you will not need to change the authentication middleware, as the implementation simply requires you to set the "authenticationSecret" on the request object session - you can see how this works in /system/api/authenticate/authenticate.api.js.
- When authentication is required for access to an action and you haven't authenticated, you are redirected to the /login action.
- At /login you can authenticate with a username and password (which can be created at /users).
- When authenticated, a secret key is set on the session; this is used to check whether a user is logged in every time they access an action that requires authentication.
Note: the authentication secret is only ever kept on the server, so the client code simply has a boolean saying whether it is logged in; this means it will try to access authenticated URLs if misoGlobal.isLoggedIn is set to "true". Of course the server will deny access to any data API endpoints, so your data is safe.
When the user is authenticated, they are provided with a session. This can be used to store temporary data and is accessible via /system/api/session/api.server.js. You can use it like so in your mvc files:

```js
var session = require('../system/api/session/api.server.js')(m);
session.get({key: 'userName'}).then(function(data){
  console.log(data.result);
});
```

These are the methods available on the session api:
| Method | Purpose |
|---|---|
| get({key: key}) | Retrieves a value from the session for the given key |
| set({key: key, value: value}) | Sets a value in the session for the given key |
Note: Each user of your app has a session that is stored on the server, so each time you access it, it will make an XHR request. Use it sparingly!