I created an app with simple authentication:

import { concatMap, tap } from 'rxjs/operators';

login(credentials) {
    this.callLogin(credentials)
        .pipe(
            // After the login call completes, load the current principal
            // (concatMap replaces the deprecated `concat` pipeable operator)
            concatMap(() => this.principal()),
            // Side effect only: keep the user object on the service
            tap((user) => {
                this.user = user;
            })
        )
        .subscribe(() => {
            this.onLoginStateChanged.next(LoginState.LOGGED_IN);
            this.router.navigateByUrl("/");
        });
}

This is my auth.service.ts, which is called by the login function.

How can I save the information contained in "user" so that I can reuse them in my app?

Do I need to use ngrx/store or something else?

Liam
mantegnous
  • You realise this would be incredibly trivial to work around, right? You should be using something more like a [secure cookie authentication method](https://stackoverflow.com/questions/17769011/how-does-cookie-based-authentication-work). Anywhere you "store" this is going to be accessible by the browser and therefore easy to spoof – Liam Jun 27 '19 at 15:21
  • I think ngrx is a good way to go – Tony Ngo Jun 27 '19 at 15:23
  • what do you mean? – mantegnous Jun 27 '19 at 15:24
  • Anywhere you store this, I can open my console in my browser and change it. So your "authentication" can be bypassed simply by writing some JS in the browser. You should do some more research on actual authentication methods and how to secure these. This is not secure – Liam Jun 27 '19 at 15:26
  • My user object doesn't contain sensitive data, only name, surname, etc.; the backend does the logic and verifies the authentication passed by the form in the frontend – mantegnous Jun 27 '19 at 15:31
  • you can save to sessionStorage or redux – Hien Nguyen Jun 27 '19 at 15:32
  • redux in angular is @ngrx/store? – mantegnous Jun 27 '19 at 15:33
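The thread above asks where to keep the user object the backend returns and whether a store such as ngrx is needed. Below is an added example, not the asker's code and not ngrx, of a framework-free TypeScript holder for that object: it keeps it in memory, mirrors it to a key/value store (sessionStorage in the browser) so a reload keeps it, lets components subscribe to changes, and exposes a role helper that is a UI hint only. The `User` shape, the `KeyValueStorage` interface and `MemoryStorage` are constructed for this example.

```typescript
// Added example (not the asker's code): holder for the user JSON returned by
// the backend after login. The User shape, the storage interface and the
// in-memory MemoryStorage are constructed for this example.
export interface User {
  name: string;
  surname: string;
  role: 'admin' | 'user';
  lastLogin: string;
}

// Subset of the Web Storage API we rely on, so the class is testable without a browser.
export interface KeyValueStorage {
  getItem(key: string): string | null;
  setItem(key: string, value: string): void;
  removeItem(key: string): void;
}

type Listener = (user: User | null) => void;

export class AuthStore {
  private user: User | null = null;
  private readonly listeners = new Set<Listener>();

  constructor(private readonly storage: KeyValueStorage, private readonly key = 'auth.user') {
    // Hydrate from storage on startup so a page reload keeps the UI state.
    const raw = storage.getItem(key);
    if (raw !== null) {
      try {
        this.user = JSON.parse(raw) as User;
      } catch (e) {
        storage.removeItem(key); // drop unparsable leftovers rather than crash
      }
    }
  }

  // Called from the login flow with the JSON the backend returned.
  setUser(user: User | null): void {
    this.user = user;
    if (user) this.storage.setItem(this.key, JSON.stringify(user));
    else this.storage.removeItem(this.key);
    this.listeners.forEach((l) => l(user));
  }

  currentUser(): User | null {
    return this.user;
  }

  // Emits the current value immediately, then on every change.
  // Returns an unsubscribe function, like an RxJS Subscription.
  subscribe(listener: Listener): () => void {
    this.listeners.add(listener);
    listener(this.user);
    return () => this.listeners.delete(listener);
  }

  // UI hint only: whether to render admin sections. Anyone can edit
  // sessionStorage from the console, so the backend must still check the role
  // on every request that matters.
  showAdminSection(): boolean {
    return this.user !== null && this.user.role === 'admin';
  }
}

// Constructed in-memory stand-in for window.sessionStorage.
export class MemoryStorage implements KeyValueStorage {
  private readonly items = new Map<string, string>();
  getItem(key: string): string | null {
    return this.items.has(key) ? (this.items.get(key) as string) : null;
  }
  setItem(key: string, value: string): void {
    this.items.set(key, value);
  }
  removeItem(key: string): void {
    this.items.delete(key);
  }
}
```

In an Angular app you would pass `window.sessionStorage` to the constructor and call `setUser` from the `tap` in the login pipeline; the `showAdminSection` helper only decides what to render, which is exactly the point made in the comments: the backend still has to reject requests from non-admins regardless of what the browser holds.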

1 Answer

You can use jwt (json web token) to store login validation in cookies or some other file.
Generally the process is like:

  1. Generate a jwt for client on signup/login. Store it in client's machine.

  2. With each request send the jwt to server for authentication and send response only when valid.

You can use persistent or expiration-based jwt, depends on your requirements.

Edit: You can store any data you would like to remain intact at the client's end using JWT. Say, for example, you wanted to store the user's common info like name and surname and don't want it to be modifiable by the user. JWT verification will prove the data to be original and unidentifiable.

Harsh Mandalgi
  • I don't save login data (user password) to access in app, but the response that contains my info and stats – mantegnous Jun 27 '19 at 15:39
  • I have answered you query in the answer itself. Please look there – Harsh Mandalgi Jun 27 '19 at 16:01
  • When I do the login and I'm logged in, the backend returns me a JSON file with my information; I need to save it in a store, maybe using ngrx. This JSON contains information like last login and role (if I'm admin, user, etc.) that I need to reuse in my app to show or hide sections. So I don't need to save the login; the login works and the session is 30 minutes – mantegnous Jun 28 '19 at 07:27
  • Okay, then you need to protect that JSON because role would be sensitive data. You could choose to encrypt only that data and store the other data as plaintext. I have not used ngrx till now so I can't help you with that. – Harsh Mandalgi Jun 28 '19 at 07:35
  • You can't bypass it, because you can change the frontend but not the backend. So in the frontend you can view hidden pages, but you can't do anything because the backend will return an error: not authorized – mantegnous Jun 28 '19 at 07:41
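The answer's two steps (issue a JWT at login, verify it on every request) and the comment thread about the `role` claim come together in the following added example, which is not the answerer's code and not from any JWT library. It implements HS256 signing and verification in Node.js TypeScript with `node:crypto`, then shows what happens when the browser-side copy of the token has its `role` edited: the claim is still readable, but the signature no longer matches, so the server's authorization check rejects it. The secret, clock value, claim shape and user data are constructed sample values.

```typescript
// Added example (not the answerer's code): minimal HS256 JWT issue/verify,
// showing why a role claim may be handed to the browser but must be checked
// server-side. Secret, clock and claims below are constructed values.
import { createHmac, timingSafeEqual } from 'node:crypto';

// Claims the backend puts in the token (constructed shape for this example).
export interface Claims {
  sub: string;            // user id
  name: string;
  role: 'admin' | 'user';
  exp: number;            // expiry, seconds since the epoch (standard JWT claim)
}

function b64url(data: string): string {
  return Buffer.from(data, 'utf8').toString('base64url');
}

function hmac(signingInput: string, secret: string): Buffer {
  return createHmac('sha256', secret).update(signingInput).digest();
}

// Server side: issue a token. The secret never leaves the backend.
export function signJwt(claims: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const payload = b64url(JSON.stringify(claims));
  const sig = hmac(`${header}.${payload}`, secret).toString('base64url');
  return `${header}.${payload}.${sig}`;
}

// Server side: return the claims only if algorithm, signature and expiry check out.
export function verifyJwt(token: string, secret: string, nowMs: number = Date.now()): Claims | null {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const [header, payload, sig] = parts;

  let hdr: { alg?: string } | null;
  try {
    hdr = JSON.parse(Buffer.from(header, 'base64url').toString('utf8'));
  } catch (e) {
    return null;
  }
  if (!hdr || hdr.alg !== 'HS256') return null; // never trust a client-chosen alg

  const expected = hmac(`${header}.${payload}`, secret);
  const actual = Buffer.from(sig, 'base64url');
  if (expected.length !== actual.length || !timingSafeEqual(expected, actual)) return null;

  let claims: Claims | null;
  try {
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch (e) {
    return null;
  }
  if (!claims || typeof claims.exp !== 'number' || claims.exp * 1000 <= nowMs) return null;
  return claims;
}

// What an edit in the browser console amounts to: decode the payload, change a
// claim, re-encode it, and keep the old signature. The data is readable (JWTs
// are not encrypted), but the signature now covers different bytes.
export function tamperRole(token: string, newRole: Claims['role']): string {
  const [header, payload, sig] = token.split('.');
  const claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')) as Claims;
  claims.role = newRole;
  return `${header}.${b64url(JSON.stringify(claims))}.${sig}`;
}

// Server-side authorization: the UI may hide admin sections, but the backend
// decides by verifying the token on every request.
export function canAccessAdmin(token: string, secret: string, nowMs: number = Date.now()): boolean {
  const claims = verifyJwt(token, secret, nowMs);
  return claims !== null && claims.role === 'admin';
}

// Constructed demo values: a fixed clock makes the run reproducible.
export const SECRET = 'constructed-server-only-secret';
export const NOW_MS = 1561644000000;
export const userToken = signJwt(
  { sub: '42', name: 'Mario Rossi', role: 'user', exp: Math.floor(NOW_MS / 1000) + 1800 },
  SECRET,
);
```

Two design points worth noting: the header's `alg` is pinned to HS256 before any signature work so a client cannot pick the algorithm, and the signature comparison uses `timingSafeEqual` rather than `===`. Reading `name` or `surname` out of the payload in the frontend for display is fine; deciding authorization from it is not, which is what the last two comments argue.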