dongyou9373 2014-09-22 21:27

已采纳

使用Go和AngularJS进行用户身份验证

I want to set up an authentication system with tokens on my Go application, which use an AngularJS front-end.

What I'm looking for is advices about all steps to create a safe system. Here's my steps :

We will considerate a user entry is already written in our database.

1 - The user wants to sign in

The user goes to the index of the web app which prompts him to sign in.

With my app.yaml file, I declare my HTML file with dependencies for the AngularJS front-end:

application: authtest
version: 1
runtime: go
api_version: go1

handlers:
- url: /
  static_files: frontend/index.html
  upload: frontend/(.*\.html)

- url: /js
  static_dir: frontend/js

- url: /.*
  script: _go_app

Visual :

Code:

<form ng-submit="signIn()" ng-controller="signInCtrl">
    <input type="email" ng-model="credentials.email" placeholder="Email" name="email">
    <input type="password" ng-model="credentials.password" placeholder="Password" name="password">
    <input type="submit" value="Sign in">
</form>

The user enters his credentials, and click on Sign in button.

2 - Request the server

The AngularJS module code:

<script>
    angular.module('authtest', ['ngCookies'])
    .controller('signInCtrl', ['$scope', '$http', '$window', '$cookieStore', '$route', function($scope, $http, $window, $cookieStore, $route){
        var credentials = {}
        $scope.signIn = function() {
            $http.post('/signin', credentials)
            .success(function (data, status) {
                if(status == 200) {
                    if(data.Access_token){
                        //set cookies with tokens
                        $cookieStore.put('access_token', data.Access_token);
                        $cookieStore.put('refresh_token', data.Refresh_token);
                        $route.reload();
                    }
                    else {
                        $window.alert('Wrong credentials, try again.');
                    }
                }
            })
            .error(function (data, status) {
                $window.alert('error: ' + data + '(errorStatus: ' + status + ')');
            });
        };
    }]);
</script>

The Angular module posts the form to /signin path, so the Go application needs to handle it:

package main
import (
    "net/http"
    "encoding/json"
    "fmt"
)
type SignInCredentials struct {
    Email string
    Password string
}
type Token struct {
    Access_token string
    Refresh_token string
    Id_token string
}
func init() {        //I use init() instead of main() because I'm using App Engine.
    http.HandleFunc("/signin", SignInHandler)
}
func SignInHandler (w http.ResponseWriter, r *http.Request) {
    decoder := json.NewDecoder(r.Body)
    var c SignInCredentials
    err := decoder.Decode(&c)
    if err != nil {
        panic()
    }
    var hashPassword = hash(c.Password) //Is it at a good level to hash it ?
    if isInDatabase(c.Email, hashPassword) == false {
        fmt.Fprintf(w, "") // Really useful ?
        return
    }

    var tokens Token
    /**
    * The user seems to be well stored in the database, but how
    * to manage my tokens ?
    */
    response, _ := json.Marshal(tokens)
    fmt.Fprintf(w, string(response))
}

Obviously, hashPassword(p string) hashes the user password and isInDatabase(e string, p string) is a boolean which checks if the provided credentials are stored in our database.

As I said inside the code, I'm wondering if it's the good moment to hash the password of the user, or maybe hash it in client-side ?
Print a zero-car string if the user is not in database is really useful or could I just return the function ?
The main question here is how to manage my tokens ? I often see tokens are mainly composed of access_token, refresh_token and id_token. I also know access_token is limited in time to use (the current session, ot 3600seconds for example) and we use refresh_token to have a fresh new access_token. But how to generate it and store it ?

3 - Handle response with AngularJS

As already written in AngularJS module code, when the user is well authenticated, we set cookies with provided tokens. Is it a good way ? I'm also wondering how to prevent XSRF (CSRF) attacks in my system ?

Thank you for your future answers and advices.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

1条回答默认最新

doushan5222 2014-09-22 21:59

关注

Ok I've been using this approach (by Frederik Nakstad) and it seems to be ok so far.

The authentication is pretty straight forward. The user submits credentials over encrypted connection through a form like this:

<form name="loginform" class="uk-form" ng-submit="login()">
        <fieldset data-uk-margin>
            <legend><h2>Login</h2></legend>
            <div class="uk-form-row">
                <input class="uk-form-large" type="text" ng-model="cred.user" placeholder="Username" required>
            </div>
            <div class="uk-form-row">
                <input class="uk-form-large" type="password" ng-model="cred.password" placeholder="Password" required>
            </div>
            <div class="uk-form-row">
                <button ng-disabled="loginform.$invalid" class="uk-button uk-button-large" type="submit">Login</button>
            </div>
        </fieldset>
    </form>

Then the controller handles the response in the following way:

App.controller('LoginCtrl', function ($rootScope, $scope, $location, $window, authService) {
    $scope.cred = {}
    $scope.login = function () {
        if ($scope.loginform.$valid) {
            authService.auth(this.cred, function (stat) {
                if (stat === 200) {
                    $rootScope.loginStatus = authService.isLoggedIn();
                    $location.path('/test');
                } else {
                   ....
                   $location.path('/login');
                }
            });
            $scope.cred = {}
            $scope.loginform.$setPristine();
        }
    };
    $window.document.title = 'Admin Login';
});

The controller expects a 200 http status code (which the back-end should not respond with unless the authentication is successful), if the server responds with anything other than 200, the route is changed to login page again.

The tricky part is maintaining checks of the authentication status.

The way I implemented my authentication system is by adding custom attributes (like the guide but without a role system) to my route object in the following way:

App.js

...

$routeProvider.when('/login', {
            templateUrl: '/content/...',
            controller: 'Ctrl1',
            requireLogin: false
        }).when('/logout', {
            resolve: {
                logout: function ($location, $rootScope, authService) {
                    authService.logout(function (s) {
                        if (s === 200) {
                            $rootScope.loginStatus = authService.isLoggedIn();
                            $location.path('/test');
                        } else {
                            ....
                        }

                    });
                }
            },
            requireLogin: true
        }).when('/metaconfig', {
            templateUrl: '/content/...',
            controller: 'Ctrl2',
            requireLogin: true

...

Then Whenever a route gets requested I have this function that evaluates whether the route requires specific privileges/authentication to be in that route or not (ofc this does not mean that your route is secured, it simply means that your average joe wont be able to view routes unless js files get modified on the fly)

App.js

angular.module('App', ['ngCookies', 'ngRoute'])
.config(function{...}).run(function ($rootScope, ..., $location, authService) {


    $rootScope.loginStatus = false;
    authService.authCheck();

    $rootScope.$on('$routeChangeStart', function (event, next, current) {
         if (next.requireLogin) {
             if (!authService.isLoggedIn()) {
                $location.path('/login');
                event.preventDefault();
              }
           }
       });

The function passed with $routeChangeStart calls another function inside a service I have called authService and it looks like this

authService.js

'use strict';


App.service('authService', function ($rootScope, $log, $http, $q) {

    var userIsAuthenticated = false;

    this.auth = function (up, cb) {
        $http({method: 'POST', url: '/api/login', data: up}).
            success(function (data, status, headers, config) {
                if (status === 200) {
                    userIsAuthenticated = true;
                }
                cb(status)
            }).
            error(function (data, status, headers, config) {
                userIsAuthenticated = false;
                cb(status)
            });
    };
    this.authCheck = function () {
        $http({method: 'PUT', url: '/api/login' }).
            success(function (data, status, headers, config) {
                if (status === 200) {
                    userIsAuthenticated = true;
                } else {
                    userIsAuthenticated = false;
                }
                $rootScope.loginStatus = userIsAuthenticated;
            }).
            error(function (data, status, headers, config) {
                userIsAuthenticated = false;
                $rootScope.loginStatus = userIsAuthenticated;
            });
    };
    this.isLoggedIn = function () {
        return userIsAuthenticated;
    };
    this.logout = function (cb) {
        $http({ method: 'DELETE', url: '/api/logout' }).
            success(function (data, status, headers, config) {
                userIsAuthenticated = false;
                cb(status)
            }).
            error(function (data, status, headers, config) {
                userIsAuthenticated = false;
                cb(status)
            });
    };
});

Now every time a route that requires specific role or authentication will need to evaluate and get a 200 status code from the server otherwise the authentication status is set to false until the user authenticates again. Finally, relying on your front-end on even 1% of the auth process would make the whole auth system redundant.

Edit

CSRF risk and session management

In the case of CSRF, I am using a framework called Beego, this framework offers CSRF avoidance mechanism out of the box where you just need to specify expatriation date and encryption of the token.

When it comes to the login sessions, the server should manage encrypted sessions that are stored as cookies on the client side, of course I do not recommend you implement this as it is very risky and can be implemented in a wrong way. Again, Beego offers a nice feature that allows you to manage and encrypt sessions in your own way

I hope this helps answer your question, good luck.

本回答被题主选为最佳回答 , 对您是否有帮助呢?

报告相同问题？

关注问题

使用Go和AngularJS进行用户身份验证
2014-09-22 21:27

回答 1 已采纳 Ok I've been using this approach (by Frederik Nakstad) and it seems to be ok so far. The authenti
使用Go进行Google Cloud Bigtable身份验证
2015-12-14 09:07

回答 2 已采纳 I've solved the problem. It's nothing wrong with the code, but config json itself. So anyone who o
Golang和AngularJS模板冲突
2013-12-08 22:01

回答 7 已采纳 The idea behind AngularJS is to have all the rendering process run on the client side. If you fol
user-auth-angular-node-sql-server:使用Node.js，Angular.js和Microsoft SQL Server的用户身份验证
2021-05-06 01:48

使用Node.js，Angular.js和SQL Server的用户身份验证该项目演示了JavaScript（Node.Js）和Microsoft SQL Server 2016的集成，用于用户身份验证。后端使用JavaScript开发，可在Node.js上运行并使用Microsoft SQL ...
使用Go测试时出现身份验证错误
2019-05-25 00:59

回答 1 已采纳 This is normal SSH behavior when it does not know the host keys. The go tooling does not surface t
如何通过Firestore Go SDK验证用户身份？
2019-08-24 07:19

回答 2 已采纳 The Go SDK for Firestore is meant to be used in a trusted environment, such as your development ma
推送器存在无法使用angularjs和golang获取成员 javascript
2016-03-29 02:46

回答 1 已采纳 NVM, solved the problem.. it's missing in the docs for Go examples to return it in jsonp with call
AngularJS UI路由器登录身份验证
2020-06-01 13:22

xfxf996的博客 I am new to AngularJS, and I am a little confused of how I can use angular-"ui-router" in the follo
使用存储在Golang自己数据库中的用户创建Google身份验证服务
2018-06-28 19:17

回答 1 已采纳 Creation a new user in the database In principle, you only really need to store the user's email
GO中的用户身份验证系统
2015-03-17 09:34

回答 1 已采纳 Short answer: no. Long answer: Ruby on Rails is a framework, Go is a language. Making a "universa
如何使用GCE Go客户端oauth2身份验证实现自动身份验证
2018-01-06 05:52

回答 1 已采纳 Solved by using code example https://cloud.google.com/compute/docs/reference/latest/instances/ge
令牌提交的身份验证失败_AngularJS和Laravel应用的基于令牌的身份验证
2020-07-18 08:51

culiu9261的博客令牌提交的身份验证失败Adding authentication to an AngularJS and Laravel application is not the most straight-forward, especially if we take the approach of creating independent front-end and backend ...
使用golang相互TLS身份验证信任特定客户端 ssl
2018-01-23 19:41

回答 1 已采纳 There is no mechanism to do this for you, but starting with go 1.8 you can specify your own callba
ASP。NET MVC用户角色基础菜单管理使用WEB API和AngularJS
2020-08-13 00:44

Eleven809的博客详细说明了asp.net MVC 5的安全性和用户角色的创建。NET标识和创建用户角色在本文中，我们将看到如何使用ASP创建和管理基于用户角色的菜单。NET MVC, WEB API和AngularJS。在这里我们将看到如何，通过管理员管理...
firebase使用_使用AngularJS和Firebase构建实时状态更新应用
2015-08-14 00:00

dingshi7798的博客 firebase使用如果您花了很多时间来使用AngularJS，那么您可能会熟悉Firebase ，它是一种实时数据存储，可以非常轻松地在任何平台上保存和同步数据。 Firebase为其平台（称为AngularFire）提供了AngularJS绑定，这使...
没有解决我的问题, 去提问

悬赏问题

¥20 给自己本科IT专业毕业的妹m找个实习工作
¥15 用友U8：向一个无法连接的网络尝试了一个套接字操作，如何解决？
¥30 我的代码按理说完成了模型的搭建、训练、验证测试等工作(标签-网络|关键词-变化检测)
¥50 mac mini外接显示器画质字体模糊
¥15 TLS1.2协议通信解密
¥40 图书信息管理系统程序编写
¥20 Qcustomplot缩小曲线形状问题
¥15 企业资源规划ERP沙盘模拟
¥15 树莓派控制机械臂传输命令报错，显示摄像头不存在
¥15 前端echarts坐标轴问题

码龄粉丝数原力等级 --

使用Go和AngularJS进行用户身份验证

1 - The user wants to sign in

2 - Request the server

3 - Handle response with AngularJS

1条回答默认最新

码龄粉丝数原力等级 --

App.js

App.js

authService.js

CSRF risk and session management

悬赏问题

使用Go和AngularJS进行用户身份验证

1 - The user wants to sign in

2 - Request the server

3 - Handle response with AngularJS

1条回答 默认 最新

App.js

App.js

authService.js

CSRF risk and session management

悬赏问题

1条回答默认最新