What is the best way to get authorization with JWT?

I asked this question earlier, but I believe I did not express myself correctly. So I am reformulating to try to be clearer.

  • I have several REST APIs, where I use HTTP basic authentication to avoid direct access.

  • Front-end in AngularJS, decoupled from all the REST APIs. This front end accesses all the APIs, sending the authentication (HTTP basic) in the headers. It's all working fine.

  • I am developing another REST API, which will be responsible for authenticating company users and generating tokens. I am using io.jsonwebtoken; I can generate tokens with the necessary permissions of each user.

  • On the front end, I am using angular-jwt. I did tests by logging in, storing the token in Local Storage, recovering this token and getting the information of the user who logged in; on logout I can remove the token, and it worked correctly.

The strategy I thought I'd adopt is as follows:

  • When the user successfully logs in, I will generate the token, store it in Local Storage and, using angular-jwt (jwtHelper.decodeToken), store this user's information (in $rootScope.usuarioAutenticado, for example).

  • Whenever a route change happens, I use $rootScope.$on('$routeChangeStart') and check whether there is a token and whether this token has not expired (jwtHelper.isTokenExpired).

Is this the best practice for this situation?

I thought of it this way because I won't need to send the token in the requests (headers) to the other REST APIs.

    I voted to close. The question seems to want an opinion on the subject. I believe that what is being asked in the question could lead to numerous answers. Understand this: the question is not bad, but it needs to be adapted.

  • Give me a suggestion at least, because it was the best way I could think of to express this doubt.

    I disagree with the two opinions above; the question is clear. He wants to know what the best practice is in this particular situation.

  • From the text, it does seem to ask for an opinion; maybe by editing the final part and defining the doubt better (without asking for an opinion on the best way, etc.), the question becomes a good fit for the site.

  • I removed the final part, where it seemed I was asking for an opinion. I believe that if I remove the part that explains the strategy I am considering adopting, the question will not be clear, but if anyone has any more opinions I will edit it again, no problem. I want the question to be clear: I want to know the best practice to be adopted in this situation.

  • Is it better that way, @diegofm?

  • @Vanoliveira it is clear that he wants an opinion. "Is it the best practice for this situation?" is something very subjective. "Good practices" and "best practice" always end up falling into this situation.

  • Thanks @Wallacemaxters. When I was researching I saw this post. But even so, you still left me in doubt: is the approach I'm using correct? Because the environment I have is several REST APIs (microservices) with unique responsibilities, and I have to control the authorization of each user of the sectors for each service. There are sectors where I have up to 4 access levels, others where I have only 2.

  • It was actually from this @Wallacemaxters post that I got the idea of generating tokens that expire after a certain number of hours. As I will not send the token in the requests to the other REST APIs, when I access a secure route I check whether there is a token in Local Storage and whether it has not expired. But what I don't know is whether this approach is the right one.

No answers
